What are CIS benchmarks?
Explore IBM's CIS benchmarks solution Subscribe to Security Topic Updates
Black and blue gradient background
What are CIS benchmarks?

Developed by a global community of cybersecurity professionals, CIS Benchmarks are best practices for securely configuring IT systems, software, networks and cloud infrastructure.

CIS Benchmarks are published by the Center for Internet Security (CIS). At the time of this writing, there are more than 140 CIS Benchmarks in total, spanning seven core technology categories. CIS Benchmarks are developed through a unique consensus-based process involving communities of cybersecurity professionals and subject matter experts around the world. These experts continuously identify, refine and validate security best practices within their areas of focus.

Cost of a Data Breach

Get insights to better manage the risk of a data breach with the latest Cost of a Data Breach report.

Related content

Register for the X-Force Threat Intelligence Index

About the Center for Internet Security (CIS)

CIS (link resides outside ibm.com) is a nonprofit organization established in October 2000. CIS is driven by a global IT community with the common goal of identifying, developing, validating, promoting and sustaining best practice solutions for cyberdefense. Over the years, CIS has produced and distributed several free tools and solutions for enterprises of all sizes, designed to strengthen their cybersecurity readiness.

CIS is most commonly known for its release of CIS Controls (link resides outside ibm.com), a comprehensive guide of 20 safeguards and countermeasures for effective cyberdefense. CIS Controls provide a prioritized checklist that organizations can implement to reduce their cyberattack surface significantly. CIS Benchmarks reference these controls when building recommendations for better-secured system configurations.

How are CIS Benchmarks organized?

Each CIS Benchmark includes multiple configuration recommendations based on one of two profile levels. Level 1 benchmark profiles cover base-level configurations that are easier to implement and have minimal impact on business functionality. Level 2 benchmark profiles are intended for high-security environments and require more coordination and planning to implement with minimal business disruption.

There are seven (7) core categories of CIS Benchmarks:

  1. Operating systems benchmarks cover security configurations of core operating systems, such as Microsoft Windows, Linux® and Apple OSX. These include best-practice guidelines for local and remote access restrictions, user profiles, driver installation protocols and internet browser configurations.

  2. Server software benchmarks cover security configurations of widely used server software, including Microsoft Windows Server, SQL Server, VMware®, Docker and Kubernetes. These benchmarks include recommendations for configuring Kubernetes PKI certificates, API server settings, server admin controls, vNetwork policies and storage restrictions.

  3. Cloud provider benchmarks address security configurations for Amazon Web Services (AWS), Microsoft® Azure, Google, IBM® and other popular public clouds. They include guidelines for configuring identity and access management (IAM), system logging protocols, network configurations and regulatory compliance safeguards.

  4. Mobile device benchmarks address mobile operating systems, including iOS and Android, and focus on areas such as developer options and settings, OS privacy configurations, browser settings and app permissions.

  5. Network device benchmarks offer general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper and others.

  6. Desktop software benchmarks cover security configurations for some of the most commonly used desktop software applications, including Microsoft Office and Exchange Server, Google Chrome, Mozilla Firefox and Safari Browser. These benchmarks focus on email privacy and server settings, mobile device management, default browser settings and third-party software blocking.

  7. Multi-function print device benchmarks outline security best practices for configuring multi-function printers in office settings and cover such topics as firmware updating, TCP/IP configurations, wireless access configuration, user management and file sharing.
CIS Hardened Images

CIS also offers pre-configured Hardened Images that enable enterprises to perform computing operations cost-effectively without needing to invest in additional hardware or software. Hardened images are much more secure than standard virtual images, and they significantly limit the security vulnerabilities that can lead to a cyberattack.

CIS Hardened Images (link resides outside ibm.com) are designed and configured in compliance with CIS Benchmarks and Controls and are recognized to be fully compliant with various regulatory compliance organizations. CIS Hardened Images are available for use in nearly all major cloud computing platforms and are easy to deploy and manage.

CIS Benchmarks and regulatory compliance

CIS Benchmarks align closely with–or 'map to'—security and data privacy regulatory frameworks including the NIST (National Institute of Standards and Technology) Cybersecurity Framework, the PCI DSS (Payment Card Industry Data Security Standard) (PCI DSS), HIPAA (Health Insurance Portability and Accountability Act), and ISO/EIC 2700. As a result, any organization operating in an industry governed by these types of regulations can make significant progress toward compliance by adhering to CIS Benchmarks. In addition, CIS Controls and CIS Hardened Images can help support an organization's compliance with GDPR (the EU's General Data Protection Regulation).

Benefits of CIS Benchmarks

While enterprises are always free to make their own choices around security configurations, CIS Benchmarks offer:

  • The collected expertise of a global community of IT and cybersecurity professionals

  • Regularly updated, step-by-step guidance for securing every area of the IT infrastructure

  • Compliance management consistency

  • A flexible template for securely adopting new cloud services and for executing digital transformation strategies

  • Easy-to-deploy configurations for improved operational efficiency and sustainability.
Related solutions
Cloud security solutions

Move confidently to hybrid multicloud and integrate security into every phase of your cloud journey. Safeguard and monitor your data, applications and environments with IBM Security® services.

Explore cloud security solutions
IBM Cloud® Security and Compliance Center

Govern cloud resource configurations and centrally manage your compliance to organization and regulatory guidelines.

Explore security and compliance
IBM Concert

Simplify and optimize your application management and technology operations with generative AI-driven insights.

Explore Concert
Resources What is cybersecurity?

Cybersecurity technology and best practices protect critical systems and sensitive information from an ever-growing volume of continually evolving threats.

What is Kubernetes?

Kubernetes is an open source container orchestration platform that automates deployment, management and scaling of containerized applications.

Take the next step

Learn how the IBM Security Guardium family of products can help your organization meet the changing threat landscape with advanced analytics, real-time alerts, streamlined compliance, automated data discovery classification and posture management.

Explore Guardium Book a live demo