Center for Internet Security (CIS): A Guide for Businesses
Learn what the Center for Internet Security (CIS) does, how CIS Controls and Benchmarks work, and why they matter for website compliance.
The Center for Internet Security, commonly known as CIS, is one of the most referenced organizations in cybersecurity. If you operate a website or manage infrastructure that handles personal data, CIS resources provide a practical framework for securing your systems and meeting regulatory expectations.
This guide covers what the Center for Internet Security does, how its Controls and Benchmarks work, and how website operators can apply CIS guidance to strengthen security and support compliance. This is educational content, not legal advice or a substitute for professional cybersecurity assessment. Consult qualified professionals for guidance specific to your environment.
What Is the Center for Internet Security?
The Center for Internet Security (CIS) is a nonprofit organization founded in 2000, headquartered in East Greenbush, New York. Its mission is to make the connected world a safer place by developing, validating, and promoting best practice solutions for cybersecurity.
CIS produces two primary resources that are widely adopted across industries:
- CIS Controls: a prioritized set of 18 cybersecurity safeguards that organizations can implement to defend against the most common attack vectors
- CIS Benchmarks: detailed, consensus-based configuration guidelines for over 100 technology products, from operating systems and cloud platforms to web browsers and databases
Beyond publishing guidance, CIS operates several programs that directly support internet security:
- Multi-State Information Sharing and Analysis Center (MS-ISAC): provides cybersecurity resources and incident response to U.S. state, local, tribal, and territorial (SLTT) government organizations
- Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC): focuses specifically on securing election infrastructure
- CIS Hardened Images: pre-configured virtual machine images available on major cloud platforms, built to CIS Benchmark specifications
The organization functions through community consensus. Thousands of cybersecurity professionals from government, academia, and the private sector contribute to developing and reviewing CIS resources. This collaborative approach gives CIS publications a level of credibility that individual vendor recommendations typically lack.
Understanding CIS Controls
CIS Controls (currently Version 8, released in 2021) are the organization's most influential product. They represent a prioritized, prescriptive set of actions that collectively form a defense-in-depth approach to cybersecurity.
The 18 CIS Controls
The Controls are organized into 18 categories, each addressing a specific area of security:
- Inventory and Control of Enterprise Assets: know what hardware and software is on your network
- Inventory and Control of Software Assets: track authorized and unauthorized software
- Data Protection: classify and protect sensitive data
- Secure Configuration of Enterprise Assets and Software: establish secure baselines
- Account Management: manage credentials and access rights
- Access Control Management: enforce least privilege
- Continuous Vulnerability Management: identify and remediate vulnerabilities
- Audit Log Management: collect and review logs
- Email and Web Browser Protections: harden common attack surfaces
- Malware Defenses: prevent and detect malicious code
- Data Recovery: maintain and test backups
- Network Infrastructure Management: secure network devices
- Network Monitoring and Defense: detect and respond to network threats
- Security Awareness and Skills Training: educate staff
- Service Provider Management: assess and manage third-party risk
- Application Software Security: secure custom and commercial applications
- Incident Response Management: plan for and execute incident response
- Penetration Testing: validate defenses through testing
Implementation Groups
Not every organization needs to implement every sub-control immediately. CIS addresses this through three Implementation Groups (IGs):
- IG1 (Essential Cyber Hygiene): the minimum standard for all organizations. Contains 56 safeguards focused on basic security practices. Small businesses and websites with limited IT resources should start here.
- IG2 (Expanded): adds 74 safeguards for organizations with moderate IT infrastructure and some dedicated security staff. Appropriate for mid-size businesses handling sensitive customer data.
- IG3 (Comprehensive): includes all 153 safeguards across the 18 Controls. Designed for organizations with mature security programs facing sophisticated threats, such as financial institutions and healthcare providers.
This tiered approach makes the Center for Internet Security framework accessible to organizations of all sizes, from a small business running a single website to an enterprise managing thousands of systems.
CIS Benchmarks: Configuration Hardening in Detail
While CIS Controls tell you what to protect, CIS Benchmarks tell you exactly how to configure specific technologies securely. Benchmarks are available for a wide range of products, organized into categories:
- Operating systems: Windows 10/11, Windows Server, Ubuntu, Red Hat Enterprise Linux, macOS, Debian, CentOS
- Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud, Alibaba Cloud
- Databases: MySQL, PostgreSQL, MongoDB, Microsoft SQL Server, Oracle
- Web servers: Apache HTTP Server, Nginx, Microsoft IIS
- Browsers: Google Chrome, Mozilla Firefox, Microsoft Edge
- Containers: Docker, Kubernetes
- Network devices: Cisco, Juniper, Palo Alto Networks
Each Benchmark document provides step-by-step instructions for configuring a specific product securely. Recommendations are classified into two levels:
- Level 1: settings that improve security without significantly affecting functionality or performance. Suitable for most environments.
- Level 2: settings that provide deeper security but may reduce functionality or require additional testing. Intended for high-security environments.
For website operators, the most directly relevant Benchmarks are those for your web server (Nginx, Apache), your database (PostgreSQL, MySQL), your hosting platform (AWS, Azure, GCP), and any content management systems you use.
How Center for Internet Security Resources Support Compliance
CIS Controls and Benchmarks are not laws themselves, but they have become a recognized standard for demonstrating "reasonable security" under numerous legal and regulatory frameworks. This matters because many privacy and security laws require organizations to implement "reasonable" or "appropriate" security measures without specifying exactly what that means.
Alignment with Regulatory Frameworks
CIS resources map to several major compliance requirements:
- GDPR (Article 32): requires "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. Implementing CIS Controls provides documented evidence of appropriate measures.
- CCPA/CPRA: California law allows consumers to sue for data breaches resulting from a business's failure to maintain "reasonable security procedures." CIS Controls serve as a recognized baseline for what qualifies as reasonable.
- HIPAA: the Security Rule requires covered entities to implement administrative, physical, and technical safeguards. CIS Controls map directly to many HIPAA requirements.
- PCI DSS: the Payment Card Industry Data Security Standard shares significant overlap with CIS Controls, particularly around access control, vulnerability management, and network security.
- NIST Cybersecurity Framework: CIS Controls are formally mapped to the NIST CSF, and many organizations use CIS Controls as a practical implementation path for NIST compliance.
- SOC 2: CIS Benchmarks and Controls support the Trust Services Criteria used in SOC 2 audits, particularly the security and availability criteria.
The "Reasonable Security" Standard
Several U.S. state attorneys general and the Federal Trade Commission (FTC) have taken enforcement action against businesses for failing to maintain reasonable security. While no enforcement action has specified CIS Controls by name as the required standard, courts and regulators have accepted them as evidence of due diligence.
California's Civil Code Section 1798.81.5 requires businesses to implement "reasonable security procedures and practices." The 2016 California Data Breach Report from the state Attorney General's office explicitly recommended that organizations adopt the CIS Controls as a minimum standard.
Applying CIS Guidance to Your Website
Website operators can apply Center for Internet Security resources at multiple levels, from server configuration to organizational practices.
Server and Infrastructure Hardening
Start with the CIS Benchmarks for your specific technology stack. If you host your website on Nginx running on Ubuntu, apply the CIS Benchmarks for both Nginx and Ubuntu. Key areas to address include:
- Disabling unnecessary services and ports
- Configuring TLS correctly (minimum TLS 1.2, strong cipher suites)
- Setting appropriate file permissions
- Enabling and monitoring access logs
- Removing default accounts and credentials
- Applying security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security)
Access Control
CIS Control 5 (Account Management) and Control 6 (Access Control Management) are directly relevant to website administration. Implement:
- Multi-factor authentication for all admin accounts
- Unique accounts for each administrator (no shared credentials)
- Least privilege access: each account should have only the permissions it needs
- Regular review of access rights, revoking accounts that are no longer needed
- Strong password policies or, preferably, passkey or certificate-based authentication
Vulnerability Management
CIS Control 7 (Continuous Vulnerability Management) addresses the need to identify and fix security weaknesses before attackers exploit them. For websites, this means:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Keeping all software updated: CMS, plugins, frameworks, server software, and dependencies
- Running regular vulnerability scans
- Monitoring for security advisories affecting your technology stack
- Establishing a patch management process with defined timelines (critical patches within 48 hours, high within one week)
Data Protection
CIS Control 3 (Data Protection) aligns directly with privacy law requirements. Identify what personal data your website collects, classify it by sensitivity, and apply appropriate protections. This includes encrypting data in transit and at rest, minimizing data collection to what is necessary, and establishing retention policies.
Your privacy policy should document these practices transparently for your users, covering what data you collect, how you protect it, and how long you retain it.
Center for Internet Security Resources for Small Businesses
CIS recognizes that small businesses face the same threats as large enterprises but often lack dedicated security staff. Several CIS resources are specifically designed for smaller organizations.
CIS Controls IG1
Implementation Group 1 is explicitly designed as essential cyber hygiene that every organization, regardless of size, should implement. The 56 safeguards in IG1 focus on foundational practices:
- Maintaining an inventory of your hardware and software assets
- Ensuring only authorized software runs on your systems
- Applying secure configurations using CIS Benchmarks
- Controlling administrative access
- Maintaining audit logs
- Protecting email accounts and web browsers
- Running malware defenses
- Performing regular backups
- Training staff on security awareness
Free Resources
Many CIS resources are available at no cost:
- CIS Controls: the full document is free to download after registration
- CIS Benchmarks: PDF versions are free for non-commercial use
- CIS-CAT Lite: a free assessment tool that evaluates your systems against CIS Benchmarks and generates a compliance report
- CIS Hardened Images: pre-configured virtual machine images are available on AWS Marketplace, Azure Marketplace, and Google Cloud Marketplace (cloud compute charges apply)
For website operators who want to complement their security posture with compliance documentation, tools like a privacy policy generator or a terms of service generator can help ensure that your legal documents match your security practices.
CIS Controls and Incident Response
CIS Control 17 (Incident Response Management) addresses a critical requirement that overlaps with privacy law obligations. Under Article 33 of the GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach. The CCPA grants consumers a private right of action for breaches resulting from a business's failure to maintain reasonable security.
An effective incident response plan, aligned with CIS Control 17, should include:
- Designated response team: identify who is responsible for leading the response, including technical, legal, and communications roles
- Detection and classification procedures: define how incidents are identified and how severity is assessed
- Containment steps: procedures to limit the scope of a breach once detected
- Evidence preservation: guidelines for preserving logs and forensic data for investigation and potential legal proceedings
- Notification procedures: templates and workflows for notifying regulators, affected individuals, and law enforcement within required timeframes
- Recovery plan: steps to restore systems and data to normal operation
- Post-incident review: process for analyzing what happened, what worked, and what needs to change
Regular testing of the incident response plan through tabletop exercises is as important as having the plan itself. CIS recommends conducting these exercises at least annually, with more frequent testing for organizations handling sensitive data.
How CIS Relates to Privacy and Data Protection
The connection between the Center for Internet Security and data privacy is direct. Security is a prerequisite for privacy. You cannot protect personal data if your systems are not secure. Every major privacy law includes security requirements, and CIS resources provide the specific technical guidance needed to meet those requirements.
For website operators, the intersection of CIS guidance and privacy law shows up in several practical areas:
- Encryption: CIS Benchmarks specify TLS configurations that satisfy GDPR Article 32 requirements for encryption in transit
- Access controls: CIS Controls 5 and 6 address the GDPR's requirement to ensure that personal data is accessible only to authorized personnel
- Logging and monitoring: CIS Control 8 supports the ability to detect and investigate data breaches, meeting notification obligations under GDPR Article 33 and various U.S. state breach notification laws
- Third-party management: CIS Control 15 aligns with GDPR Article 28's requirements for processor agreements and ongoing vendor assessment
By implementing CIS Controls appropriate to your Implementation Group and applying CIS Benchmarks to your technology stack, you build the security foundation that privacy compliance requires. Paired with clear legal documentation, such as a comprehensive privacy policy and a cookie policy that describes your data practices, your organization can demonstrate both technical and organizational commitment to protecting personal data.
Frequently Asked Questions
What is the Center for Internet Security?
The Center for Internet Security (CIS) is a nonprofit organization founded in 2000 that develops globally recognized security best practices. It produces the CIS Controls, a prioritized set of cybersecurity safeguards, and CIS Benchmarks, which are detailed configuration guidelines for over 100 technology products. CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC) for U.S. state, local, tribal, and territorial government cybersecurity.
What are CIS Controls?
CIS Controls are a prioritized set of 18 cybersecurity safeguards organized into three Implementation Groups (IGs) based on organizational size and risk profile. They cover areas including asset inventory, data protection, access control, vulnerability management, and incident response. The Controls are developed through community consensus by cybersecurity professionals worldwide and are updated regularly, with Version 8 being the current release.
Are CIS Controls required by law?
CIS Controls are not mandated by any single law, but they are widely recognized as a reasonable baseline for cybersecurity due diligence. Several U.S. state laws reference reasonable security measures without specifying a framework, and courts have accepted CIS Controls as evidence of meeting that standard. Regulatory bodies including NIST, HIPAA auditors, and PCI DSS assessors recognize CIS Controls as aligned with their requirements.
How do CIS Benchmarks differ from CIS Controls?
CIS Controls define what security measures an organization should implement at a strategic level, such as maintaining an asset inventory or managing access credentials. CIS Benchmarks define how to configure specific technology products to meet those security goals, providing step-by-step hardening instructions for systems like Windows Server, Linux distributions, AWS, Azure, and web browsers.