To most, the Center for Internet Security (CIS) is a provider of benchmarks and standards that one might wish to follow to increase the security of their IT environment. It’s a great framework to start from if you’re not sure where to begin – consider the Microsoft Zero Trust Workshop too!

In this post, I’ll offer some guidance around how to navigate CIS benchmarks.

“We need to adhere to CIS”

This phrase is usually taken as a given and rarely questioned. What does adherence to CIS actually mean?

There are many tools and services that offer to implement CIS, or monitor your compliance with a CIS benchmark, including Microsoft’s own add-on for vulnerability management.

You are still CIS compliant even if you choose to reject every single one of the recommendations within the benchmark.

So by their own definition, in a similar vein to ISO 27001, once you have considered the controls you are compliant!

Who can implement CIS?

Another thing I see quite often is companies that claim to bring your company up to the CIS level 1 or level 2 standard by way of professional services, or in some cases make it sound as easy as buying a product and switching it on.

You can’t align with CIS by simply turning a product on.

CIS Fees

  1. CIS is free to use for your company, in your own environment, using your own people and resources
  2. CIS is not free to use if you claim to implement it for another company as part of your services – you need a Services and Consulting Membership

Official clarification:

I’m confused, how do I use CIS now?

Assuming you’re using it internally, you can keep using it the same way you did before, but you have now learned that you have the option of saying “We can’t implement CIS L2 control X, because that would make a core revenue-generating function extremely difficult for little gain, so we will skip it”. You are still CIS “compliant”.

And if you’ve contracted someone else to implement CIS for you, ask them if they have a consulting membership because that is a requirement.