TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Center for Internet Security (CIS): A Guide for Businesses
Legal Compliance

Center for Internet Security (CIS): A Guide for Businesses

Learn what the Center for Internet Security (CIS) does, how CIS Controls and Benchmarks work, and why they matter for website compliance.

TermsBox Team|April 3, 202613 min read

The Center for Internet Security, commonly known as CIS, is one of the most referenced organizations in cybersecurity. If you operate a website or manage infrastructure that handles personal data, CIS resources provide a practical framework for securing your systems and meeting regulatory expectations.

This guide covers what the Center for Internet Security does, how its Controls and Benchmarks work, and how website operators can apply CIS guidance to strengthen security and support compliance. This is educational content, not legal advice or a substitute for professional cybersecurity assessment. Consult qualified professionals for guidance specific to your environment.

What Is the Center for Internet Security?

The Center for Internet Security (CIS) is a nonprofit organization founded in 2000, headquartered in East Greenbush, New York. Its mission is to make the connected world a safer place by developing, validating, and promoting best practice solutions for cybersecurity.

CIS produces two primary resources that are widely adopted across industries:

  • CIS Controls: a prioritized set of 18 cybersecurity safeguards that organizations can implement to defend against the most common attack vectors
  • CIS Benchmarks: detailed, consensus-based configuration guidelines for over 100 technology products, from operating systems and cloud platforms to web browsers and databases

Beyond publishing guidance, CIS operates several programs that directly support internet security:

  • Multi-State Information Sharing and Analysis Center (MS-ISAC): provides cybersecurity resources and incident response to U.S. state, local, tribal, and territorial (SLTT) government organizations
  • Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC): focuses specifically on securing election infrastructure
  • CIS Hardened Images: pre-configured virtual machine images available on major cloud platforms, built to CIS Benchmark specifications

The organization functions through community consensus. Thousands of cybersecurity professionals from government, academia, and the private sector contribute to developing and reviewing CIS resources. This collaborative approach gives CIS publications a level of credibility that individual vendor recommendations typically lack.

Understanding CIS Controls

CIS Controls (currently Version 8, released in 2021) are the organization's most influential product. They represent a prioritized, prescriptive set of actions that collectively form a defense-in-depth approach to cybersecurity.

The 18 CIS Controls

The Controls are organized into 18 categories, each addressing a specific area of security:

  1. Inventory and Control of Enterprise Assets: know what hardware and software is on your network
  2. Inventory and Control of Software Assets: track authorized and unauthorized software
  3. Data Protection: classify and protect sensitive data
  4. Secure Configuration of Enterprise Assets and Software: establish secure baselines
  5. Account Management: manage credentials and access rights
  6. Access Control Management: enforce least privilege
  7. Continuous Vulnerability Management: identify and remediate vulnerabilities
  8. Audit Log Management: collect and review logs
  9. Email and Web Browser Protections: harden common attack surfaces
  10. Malware Defenses: prevent and detect malicious code
  11. Data Recovery: maintain and test backups
  12. Network Infrastructure Management: secure network devices
  13. Network Monitoring and Defense: detect and respond to network threats
  14. Security Awareness and Skills Training: educate staff
  15. Service Provider Management: assess and manage third-party risk
  16. Application Software Security: secure custom and commercial applications
  17. Incident Response Management: plan for and execute incident response
  18. Penetration Testing: validate defenses through testing

Implementation Groups

Not every organization needs to implement every sub-control immediately. CIS addresses this through three Implementation Groups (IGs):

  • IG1 (Essential Cyber Hygiene): the minimum standard for all organizations. Contains 56 safeguards focused on basic security practices. Small businesses and websites with limited IT resources should start here.
  • IG2 (Expanded): adds 74 safeguards for organizations with moderate IT infrastructure and some dedicated security staff. Appropriate for mid-size businesses handling sensitive customer data.
  • IG3 (Comprehensive): includes all 153 safeguards across the 18 Controls. Designed for organizations with mature security programs facing sophisticated threats, such as financial institutions and healthcare providers.

This tiered approach makes the Center for Internet Security framework accessible to organizations of all sizes, from a small business running a single website to an enterprise managing thousands of systems.

CIS Benchmarks: Configuration Hardening in Detail

While CIS Controls tell you what to protect, CIS Benchmarks tell you exactly how to configure specific technologies securely. Benchmarks are available for a wide range of products, organized into categories:

  • Operating systems: Windows 10/11, Windows Server, Ubuntu, Red Hat Enterprise Linux, macOS, Debian, CentOS
  • Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud, Alibaba Cloud
  • Databases: MySQL, PostgreSQL, MongoDB, Microsoft SQL Server, Oracle
  • Web servers: Apache HTTP Server, Nginx, Microsoft IIS
  • Browsers: Google Chrome, Mozilla Firefox, Microsoft Edge
  • Containers: Docker, Kubernetes
  • Network devices: Cisco, Juniper, Palo Alto Networks

Each Benchmark document provides step-by-step instructions for configuring a specific product securely. Recommendations are classified into two levels:

  • Level 1: settings that improve security without significantly affecting functionality or performance. Suitable for most environments.
  • Level 2: settings that provide deeper security but may reduce functionality or require additional testing. Intended for high-security environments.

For website operators, the most directly relevant Benchmarks are those for your web server (Nginx, Apache), your database (PostgreSQL, MySQL), your hosting platform (AWS, Azure, GCP), and any content management systems you use.

How Center for Internet Security Resources Support Compliance

CIS Controls and Benchmarks are not laws themselves, but they have become a recognized standard for demonstrating "reasonable security" under numerous legal and regulatory frameworks. This matters because many privacy and security laws require organizations to implement "reasonable" or "appropriate" security measures without specifying exactly what that means.

Alignment with Regulatory Frameworks

CIS resources map to several major compliance requirements:

  • GDPR (Article 32): requires "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. Implementing CIS Controls provides documented evidence of appropriate measures.
  • CCPA/CPRA: California law allows consumers to sue for data breaches resulting from a business's failure to maintain "reasonable security procedures." CIS Controls serve as a recognized baseline for what qualifies as reasonable.
  • HIPAA: the Security Rule requires covered entities to implement administrative, physical, and technical safeguards. CIS Controls map directly to many HIPAA requirements.
  • PCI DSS: the Payment Card Industry Data Security Standard shares significant overlap with CIS Controls, particularly around access control, vulnerability management, and network security.
  • NIST Cybersecurity Framework: CIS Controls are formally mapped to the NIST CSF, and many organizations use CIS Controls as a practical implementation path for NIST compliance.
  • SOC 2: CIS Benchmarks and Controls support the Trust Services Criteria used in SOC 2 audits, particularly the security and availability criteria.

The "Reasonable Security" Standard

Several U.S. state attorneys general and the Federal Trade Commission (FTC) have taken enforcement action against businesses for failing to maintain reasonable security. While no enforcement action has specified CIS Controls by name as the required standard, courts and regulators have accepted them as evidence of due diligence.

California's Civil Code Section 1798.81.5 requires businesses to implement "reasonable security procedures and practices." The 2016 California Data Breach Report from the state Attorney General's office explicitly recommended that organizations adopt the CIS Controls as a minimum standard.

Applying CIS Guidance to Your Website

Website operators can apply Center for Internet Security resources at multiple levels, from server configuration to organizational practices.

Server and Infrastructure Hardening

Start with the CIS Benchmarks for your specific technology stack. If you host your website on Nginx running on Ubuntu, apply the CIS Benchmarks for both Nginx and Ubuntu. Key areas to address include:

  • Disabling unnecessary services and ports
  • Configuring TLS correctly (minimum TLS 1.2, strong cipher suites)
  • Setting appropriate file permissions
  • Enabling and monitoring access logs
  • Removing default accounts and credentials
  • Applying security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security)

Access Control

CIS Control 5 (Account Management) and Control 6 (Access Control Management) are directly relevant to website administration. Implement:

  • Multi-factor authentication for all admin accounts
  • Unique accounts for each administrator (no shared credentials)
  • Least privilege access: each account should have only the permissions it needs
  • Regular review of access rights, revoking accounts that are no longer needed
  • Strong password policies or, preferably, passkey or certificate-based authentication

Vulnerability Management

CIS Control 7 (Continuous Vulnerability Management) addresses the need to identify and fix security weaknesses before attackers exploit them. For websites, this means:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Keeping all software updated: CMS, plugins, frameworks, server software, and dependencies
  • Running regular vulnerability scans
  • Monitoring for security advisories affecting your technology stack
  • Establishing a patch management process with defined timelines (critical patches within 48 hours, high within one week)

Data Protection

CIS Control 3 (Data Protection) aligns directly with privacy law requirements. Identify what personal data your website collects, classify it by sensitivity, and apply appropriate protections. This includes encrypting data in transit and at rest, minimizing data collection to what is necessary, and establishing retention policies.

Your privacy policy should document these practices transparently for your users, covering what data you collect, how you protect it, and how long you retain it.

Center for Internet Security Resources for Small Businesses

CIS recognizes that small businesses face the same threats as large enterprises but often lack dedicated security staff. Several CIS resources are specifically designed for smaller organizations.

CIS Controls IG1

Implementation Group 1 is explicitly designed as essential cyber hygiene that every organization, regardless of size, should implement. The 56 safeguards in IG1 focus on foundational practices:

  • Maintaining an inventory of your hardware and software assets
  • Ensuring only authorized software runs on your systems
  • Applying secure configurations using CIS Benchmarks
  • Controlling administrative access
  • Maintaining audit logs
  • Protecting email accounts and web browsers
  • Running malware defenses
  • Performing regular backups
  • Training staff on security awareness

Free Resources

Many CIS resources are available at no cost:

  • CIS Controls: the full document is free to download after registration
  • CIS Benchmarks: PDF versions are free for non-commercial use
  • CIS-CAT Lite: a free assessment tool that evaluates your systems against CIS Benchmarks and generates a compliance report
  • CIS Hardened Images: pre-configured virtual machine images are available on AWS Marketplace, Azure Marketplace, and Google Cloud Marketplace (cloud compute charges apply)

For website operators who want to complement their security posture with compliance documentation, tools like a privacy policy generator or a terms of service generator can help ensure that your legal documents match your security practices.

CIS Controls and Incident Response

CIS Control 17 (Incident Response Management) addresses a critical requirement that overlaps with privacy law obligations. Under Article 33 of the GDPR, organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach. The CCPA grants consumers a private right of action for breaches resulting from a business's failure to maintain reasonable security.

An effective incident response plan, aligned with CIS Control 17, should include:

  1. Designated response team: identify who is responsible for leading the response, including technical, legal, and communications roles
  2. Detection and classification procedures: define how incidents are identified and how severity is assessed
  3. Containment steps: procedures to limit the scope of a breach once detected
  4. Evidence preservation: guidelines for preserving logs and forensic data for investigation and potential legal proceedings
  5. Notification procedures: templates and workflows for notifying regulators, affected individuals, and law enforcement within required timeframes
  6. Recovery plan: steps to restore systems and data to normal operation
  7. Post-incident review: process for analyzing what happened, what worked, and what needs to change

Regular testing of the incident response plan through tabletop exercises is as important as having the plan itself. CIS recommends conducting these exercises at least annually, with more frequent testing for organizations handling sensitive data.

How CIS Relates to Privacy and Data Protection

The connection between the Center for Internet Security and data privacy is direct. Security is a prerequisite for privacy. You cannot protect personal data if your systems are not secure. Every major privacy law includes security requirements, and CIS resources provide the specific technical guidance needed to meet those requirements.

For website operators, the intersection of CIS guidance and privacy law shows up in several practical areas:

  • Encryption: CIS Benchmarks specify TLS configurations that satisfy GDPR Article 32 requirements for encryption in transit
  • Access controls: CIS Controls 5 and 6 address the GDPR's requirement to ensure that personal data is accessible only to authorized personnel
  • Logging and monitoring: CIS Control 8 supports the ability to detect and investigate data breaches, meeting notification obligations under GDPR Article 33 and various U.S. state breach notification laws
  • Third-party management: CIS Control 15 aligns with GDPR Article 28's requirements for processor agreements and ongoing vendor assessment

By implementing CIS Controls appropriate to your Implementation Group and applying CIS Benchmarks to your technology stack, you build the security foundation that privacy compliance requires. Paired with clear legal documentation, such as a comprehensive privacy policy and a cookie policy that describes your data practices, your organization can demonstrate both technical and organizational commitment to protecting personal data.

Frequently Asked Questions

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a nonprofit organization founded in 2000 that develops globally recognized security best practices. It produces the CIS Controls, a prioritized set of cybersecurity safeguards, and CIS Benchmarks, which are detailed configuration guidelines for over 100 technology products. CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC) for U.S. state, local, tribal, and territorial government cybersecurity.

What are CIS Controls?

CIS Controls are a prioritized set of 18 cybersecurity safeguards organized into three Implementation Groups (IGs) based on organizational size and risk profile. They cover areas including asset inventory, data protection, access control, vulnerability management, and incident response. The Controls are developed through community consensus by cybersecurity professionals worldwide and are updated regularly, with Version 8 being the current release.

Are CIS Controls required by law?

CIS Controls are not mandated by any single law, but they are widely recognized as a reasonable baseline for cybersecurity due diligence. Several U.S. state laws reference reasonable security measures without specifying a framework, and courts have accepted CIS Controls as evidence of meeting that standard. Regulatory bodies including NIST, HIPAA auditors, and PCI DSS assessors recognize CIS Controls as aligned with their requirements.

How do CIS Benchmarks differ from CIS Controls?

CIS Controls define what security measures an organization should implement at a strategic level, such as maintaining an asset inventory or managing access credentials. CIS Benchmarks define how to configure specific technology products to meet those security goals, providing step-by-step hardening instructions for systems like Windows Server, Linux distributions, AWS, Azure, and web browsers.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the Center for Internet Security?
  • Understanding CIS Controls
  • The 18 CIS Controls
  • Implementation Groups
  • CIS Benchmarks: Configuration Hardening in Detail
  • How Center for Internet Security Resources Support Compliance
  • Alignment with Regulatory Frameworks
  • The "Reasonable Security" Standard
  • Applying CIS Guidance to Your Website
  • Server and Infrastructure Hardening
  • Access Control
  • Vulnerability Management
  • Data Protection
  • Center for Internet Security Resources for Small Businesses
  • CIS Controls IG1
  • Free Resources
  • CIS Controls and Incident Response
  • How CIS Relates to Privacy and Data Protection
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.