
CIS Benchmarking: The Security Benchmarks You May Not Know Existed

When people think about cyber security checks, they often think about vulnerability scans, penetration testing, antivirus, firewalls and patching.

Those are all important, but they do not answer one of the most practical security questions:

Are your systems configured securely in the first place?

That is where CIS Benchmarking comes in.

The CIS Benchmarks are secure configuration guidance documents produced by the Center for Internet Security. They provide practical recommendations for hardening systems, platforms, applications and cloud services against common security risks.

In simple terms, they help answer: “Is this set up properly?”

More than just servers and laptops

Many people have heard of CIS Benchmarks for Windows, Linux or servers. What is less well known is how broad the benchmark library has become.

CIS Benchmarks exist for far more than traditional operating systems. They cover a wide range of modern business technology, including cloud platforms, Microsoft 365, Google Workspace, browsers, mobile devices, print devices, network equipment, databases, web servers, containers and DevSecOps tools.

That matters because most organisations are no longer built around one server room and a few office PCs. Modern businesses use a mix of cloud services, SaaS platforms, remote devices, mobile apps, managed networks and third-party tools.

Each of those platforms has settings. Some settings improve security. Some create risk. Some are enabled by default because they make a product easier to use, not necessarily because they make it more secure.

CIS Benchmarking helps bring structure to that problem.

The benchmarks you may not know existed

Some of the more familiar CIS Benchmarks include Microsoft Windows Desktop, Microsoft Windows Server, Ubuntu Linux, Red Hat Enterprise Linux, Microsoft Azure and Amazon Web Services.

But the list goes much further.

There are CIS Benchmarks for Microsoft 365, Google Workspace, Microsoft Intune for Windows, Google Chrome, Mozilla Firefox, Safari, Zoom, Microsoft Office, Microsoft Exchange Server and Microsoft SharePoint.

There are benchmarks for network technologies such as Cisco, Fortinet, Juniper, Palo Alto Networks, pfSense, Sophos and F5.

There are benchmarks for cloud and infrastructure services, including AWS Foundations, AWS Storage Services, AWS Compute Services, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure and IBM Cloud Foundations.

There are benchmarks for databases such as Microsoft SQL Server, PostgreSQL, MongoDB, MariaDB, Oracle MySQL, Oracle Database and IBM Db2.

There are also benchmarks for Docker, Kubernetes, VMware, Apache HTTP Server, Apache Tomcat, NGINX and Microsoft IIS.

There are even benchmarks for mobile devices and multi-function print devices.

That last point is worth pausing on. Many businesses still treat printers, browsers, SaaS platforms and admin portals as background IT. Attackers do not. Anything that can store data, process credentials, expose services or provide access into an environment deserves proper configuration.

Why configuration matters

A fully patched system can still be insecure if it is configured badly.

For example, a cloud service may have weak administrative settings. A browser may allow risky behaviour. A Microsoft 365 tenant may have legacy options still enabled. A server may expose services that are not needed. A firewall may have rules that made sense five years ago but no longer reflect the way the business operates.

None of these issues is necessarily a “vulnerability” in the classic sense. They may not show up as missing patches or CVEs. They are configuration weaknesses.

That makes them easy to miss.

CIS Benchmarking gives businesses a way to identify these weaknesses against a recognised standard. It moves the conversation away from opinion and towards evidence.

Level 1 and Level 2: proportionate hardening

CIS Benchmarks usually include different profile levels.

Level 1 is intended as a practical baseline. It is designed to reduce risk while keeping systems usable for normal business operation.

Level 2 goes further. It is intended for environments where security is more critical and where tighter controls can be justified. Level 2 recommendations can have a greater operational impact, so they need to be considered carefully before implementation.

That distinction is important.

Good security is not about blindly applying every setting. It is about understanding the environment, applying sensible controls and documenting any exceptions where a recommendation is not suitable.

A benchmark review should help a business make better decisions, not break systems in the name of compliance.

Why SMEs should care

CIS Benchmarking is not just for large enterprises.

SMEs often rely heavily on cloud platforms, Microsoft 365, remote working, managed devices and third-party systems. Those services can be secure, but only if they are configured properly.

For smaller organisations, configuration issues can build up over time. A setting is changed to solve a short-term problem. An admin account is created and never reviewed. A legacy protocol remains enabled. A new SaaS product is adopted without a full security review. A browser or endpoint policy is left at default.

Individually, these may look minor. Collectively, they increase risk.

A CIS Benchmarking review gives SMEs a practical way to understand where they are, what needs attention and which changes should be prioritised.

How CIS Benchmarking supports other cyber work

CIS Benchmarking complements other cyber security activities.

Cyber Essentials helps establish important baseline controls. Vulnerability scanning identifies known technical weaknesses. Penetration testing examines how systems may be exploited. Policies define expected behaviour and governance.

CIS Benchmarking sits alongside these by focusing on secure configuration.

It can support Cyber Essentials preparation, strengthen cloud security, improve endpoint hardening, provide evidence for governance reviews and help demonstrate that systems are being managed in a structured way.

It is particularly useful where a business wants to move from “we think this is secure” to “we have assessed this against a recognised configuration standard”.

What a CIS Benchmarking review should provide

A useful CIS Benchmarking review should be practical, not just technical.

It should identify which benchmarks apply to your environment, assess the current configuration, highlight areas of non-conformance, explain the business impact, and prioritise remediation.

The output should help answer four questions:

What is configured well?

What needs attention?

What should be fixed first?

Where is there a valid business reason for accepting or documenting an exception?

That final point matters. Some benchmark recommendations may not be suitable for every organisation. The value is in understanding the gap, making an informed decision and documenting the rationale.
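To make the Level 1 / Level 2 profile handling and the four review questions above concrete, here is an added example (not Clockwork Cyber's code and not taken from any CIS Benchmark) that scopes a set of constructed benchmark-style recommendations by profile level, records documented exceptions with their rationale, and orders the remaining gaps so Level 1 baseline items are fixed first. The recommendation refs, titles, settings, checks and the sample configuration are all placeholders constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed recommendations in the style of a CIS Benchmark; the refs, titles,
# settings and checks are placeholders, not copied from any real benchmark.
@dataclass(frozen=True)
class Recommendation:
    ref: str
    title: str
    level: int                        # 1 = practical baseline, 2 = tighter controls
    setting: str                      # key in the assessed configuration
    passes: Callable[[object], bool]  # True when the current value conforms

RECOMMENDATIONS = [
    Recommendation("R1", "Legacy authentication disabled", 1, "legacy_auth_enabled", lambda v: v is False),
    Recommendation("R2", "MFA required for admin accounts", 1, "admin_mfa_required", lambda v: v is True),
    Recommendation("R3", "Unneeded service not exposed", 1, "unneeded_service_exposed", lambda v: v is False),
    Recommendation("R4", "Idle session timeout <= 15 min", 2, "session_timeout_minutes",
                   lambda v: isinstance(v, int) and v <= 15),
]

def assess(config: dict, profile_level: int, exceptions: dict) -> dict:
    """Answer the four review questions for one configuration.
    config        -- current settings (a missing setting counts as non-conforming)
    profile_level -- 1 or 2; Level 2 items are out of scope for a Level 1 review
    exceptions    -- {ref: rationale} for gaps the business has chosen to accept
    """
    result = {"configured_well": [], "needs_attention": [], "fix_first": [],
              "documented_exceptions": {}}
    for rec in RECOMMENDATIONS:
        if rec.level > profile_level:
            continue  # not in the chosen profile, so not reported as a gap
        if rec.passes(config.get(rec.setting)):
            result["configured_well"].append(rec.ref)
        elif rec.ref in exceptions:
            # Accepted gap: keep the rationale rather than a remediation item
            result["documented_exceptions"][rec.ref] = exceptions[rec.ref]
        else:
            result["needs_attention"].append(rec)
    # Level 1 baseline gaps are fixed before Level 2 items; stable order by ref
    ordered = sorted(result["needs_attention"], key=lambda r: (r.level, r.ref))
    result["needs_attention"] = [r.ref for r in ordered]
    result["fix_first"] = [r.ref for r in ordered if r.level == 1]
    return result

# Constructed sample: a tenant with two real gaps and one accepted exception
SAMPLE_CONFIG = {"legacy_auth_enabled": True, "admin_mfa_required": True,
                 "unneeded_service_exposed": True, "session_timeout_minutes": 60}
SAMPLE_EXCEPTIONS = {"R3": "Needed by a line-of-business app; reviewed and signed off"}
```

Running `assess(SAMPLE_CONFIG, 2, SAMPLE_EXCEPTIONS)` reports R2 as configured well, R3 as a documented exception, and R1 then R4 as gaps, with only R1 in the fix-first list; a Level 1 review of the same configuration leaves R4 out of scope entirely.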

The hidden value: better conversations

One of the biggest benefits of CIS Benchmarking is that it creates better internal conversations.

Instead of vague discussions about whether a system is “secure enough”, the business can review specific controls, specific settings and specific risks.

That makes it easier for technical teams, managers, suppliers and decision-makers to agree what should happen next.

It also helps avoid two common problems: doing nothing because the topic feels too broad, or making changes without understanding the operational impact.

Secure configuration is not a one-off exercise

Technology changes. Cloud services change. Business needs change. Suppliers change. Microsoft, Google, AWS and other platforms release new features and retire old settings.

That means secure configuration should not be treated as a one-time task.

A benchmark review provides a point-in-time view, but the best value comes from using it as part of an ongoing improvement cycle. Review, remediate, document, monitor and revisit.

For many businesses, starting with one high-value area is the best approach. That might be Microsoft 365, Azure, AWS, Windows endpoints, servers, browsers or network devices.

The important thing is to start where the risk and business value are highest.

Final thought

CIS Benchmarks are more extensive than many people realise.

They are not just for servers. They are not just for enterprise infrastructure. They cover many of the platforms modern businesses rely on every day.

If your organisation uses Microsoft 365, cloud services, browsers, mobile devices, network equipment, databases, web servers, containers or managed endpoints, there may be a CIS Benchmark that can help you check whether those systems are configured securely.

That makes CIS Benchmarking a practical and valuable step for organisations that want to improve their cyber security in a structured, evidence-based way.

Clockwork Cyber supports organisations with CIS Benchmarking reviews, helping identify applicable benchmarks, assess current configuration, prioritise improvements and provide clear, practical reporting.

If you would like to understand whether CIS Benchmarking is suitable for your organisation, visit:

CIS – Clockwork Cyber