Understanding CIS Controls and Benchmarks: Key Examples

Blog updated for relevancy on 2-19-2025

When discussing cybersecurity or cyber defense, the terms CIS and security controls often come up as essential best practices for protecting systems and data. Understanding their significance is key to building a strong security posture. However, without some additional context, these can feel like just another set of TLAs (Three-Letter Acronyms).

The Center for Internet Security, Inc. (CIS®) is an independent, non-profit organization that curates consensus-based security guides using a volunteer community of security practitioners and cyber experts. CIS is often used as shorthand for their well-known CIS Controls® and CIS Benchmarks™, which they define as:

• CIS Controls – A prescriptive, prioritized, and simplified set of cybersecurity best practices.
• CIS Benchmarks – Consensus-developed secure configuration guidelines for system hardening.

Together, they take the most pervasive and dangerous cyber threats and pair them with specific, actionable strategies to stop or mitigate cyberattacks—offering a structured, prescriptive approach that differentiates them from broader security frameworks like NIST or ISO 27001.

CIS Controls and CIS Benchmarks Examples

CIS Controls

CIS Controls are a foundational cybersecurity element, often mapped to regulatory and compliance frameworks, allowing them to serve as a common reference point. CIS Mapping and Compliance tools include PCI DSS, NIST Cybersecurity Framework (CSF), HIPAA, and ISO 27001.

Example: A privileged or “admin” level user account should be protected beyond just a password. This is commonly addressed using multi-factor authentication (MFA). In the CIS Controls V7.1 document, this scenario falls under CIS Control 4: Controlled Use of Administrative Privileges. Specifically, Sub-Control 4.5 mandates using MFA for all administrative access.

Related Resource: Monitor CIS Benchmarks & Controls with Opscompass

CIS Benchmarks

There are more than 140 CIS Benchmarks covering different technologies. These recommendations typically map to relevant CIS Controls and provide specific security guidance.

CIS Controls and CIS Benchmarks in Cloud Security

Each major cloud provider has CIS Benchmarks tailored to their environment.

• CIS Microsoft Azure Foundations Benchmark v1.1.0 – Includes 1.1 Ensure multi-factor authentication is enabled for all privileged users, aligning with Sub-Control 4.5.
• CIS Amazon Web Services Foundations v1.2.0 – Includes 1.13 Ensure MFA is enabled for the “root” account, aligning with Sub-Control 4.5.
• CIS Google Cloud Platform Foundation Benchmark v1.1.0 – Includes 1.3 Ensure Security Key Enforcement is enabled for all admin accounts, which maps to CIS Control 16.
• CIS Microsoft 365 Foundations Benchmark v1.1.0 – Requires 1.1.1 Ensure MFA is enabled for all administrative roles, mapping to Sub-Control 16.3.

Learn More: Opscompass Cloud Compliance & Security

Why CIS Controls and CIS Benchmarks Matter for Hybrid Cloud Security

CIS Controls and CIS Benchmarks go beyond compliance—they harden configurations, prevent security misconfigurations, and reduce risk. For example, a misconfigured storage bucket in a cloud environment left open to the public could expose sensitive data, leading to a security breach. Applying CIS Controls and CIS Benchmarks ensures such vulnerabilities are detected and remediated before they can be exploited.

Opscompass’s Role in CIS Benchmark Compliance

• Automated Compliance Monitoring: Opscompass continuously scans multi-cloud environments to ensure real-time compliance.
• Configuration Drift Detection: Opscompass alerts teams of misconfigurations, ensuring continuous security adherence.
• Multi-Cloud Security Posture Management: Provides visibility across AWS, Azure, Google Cloud, and on-prem environments.

Best Practices for Implementing CIS Controls and CIS Benchmarks

Automate Compliance & Monitoring

• Use Opscompass’s automation tools to track CIS Benchmark adherence across hybrid environments. Unlike generic compliance solutions, OpsCompass provides real-time drift detection, proactive remediation recommendations, and an intuitive dashboard that simplifies compliance management across multi-cloud environments.
• Set up real-time alerts for security misconfigurations before they become vulnerabilities.

Align with CIS Controls for a Holistic Security Strategy

• Map CIS Controls and CIS Benchmarks to CIS Controls for comprehensive security coverage.
• Use OpsCompass’s integrated dashboard to monitor compliance across cloud and on-prem systems.

Cybersecurity Tools

The CIS Cybersecurity Tools page categorizes CIS Controls and CIS Benchmarks under ‘Do It Yourself’ security solutions. But for organizations managing multi-cloud security and compliance, the sheer number of benchmarks can be overwhelming.

Don’t want to go it alone? Opscompass can help. Opscompass continuously monitors each cloud resource against compliance frameworks and configuration drift, providing a normalized security score and a unified dashboard across Microsoft Azure, AWS, Microsoft 365, and Google Cloud Platform.