Cybersecurity | 28 June 2026

What Happens During a CIS Assessment?

Wondering what a CIS Assessment actually involves? We walk you through the ROI Technologies process — from configuration collection to findings report and prioritised remediation roadmap.

One of the most common questions we get is: "What actually happens during a CIS Assessment?"

The process is simpler than many people think.

Step 1 — Configuration Collection

First, we collect configuration information from the systems being assessed.

This may include:

  • Microsoft 365
  • Active Directory
  • Windows Servers
  • SQL Servers
  • Firewalls (FortiGate, Sophos, and other supported technologies)

The scope of the assessment depends on your environment. We start with a conversation to understand what platforms you have in place and agree on what will be assessed.

Step 2 — Benchmark Comparison

Next, we compare those configurations against the CIS Benchmarks.

These internationally recognised security standards help identify where your environment aligns with best practices — and where improvements can be made.

This is not a manual checklist process. We use professional CIS auditing tools to evaluate hundreds of configuration controls across each platform automatically, producing an evidence-based view of your current security posture.

Step 3 — The Findings Report

The findings are compiled into a detailed assessment report showing which controls passed, which failed, and the severity of each finding.

Findings are categorised by risk level — critical, high, medium, and low — so you have a clear picture of where your environment stands against recognised industry standards.

But the report is only part of the process.

Step 4 — Prioritised Remediation Guidance

The real value comes from understanding which findings matter most.

Not every finding carries the same level of risk, and not every recommendation needs to be implemented immediately. That's why we help organisations prioritise remediation based on:

  • Business impact — what effect would exploitation of this gap have on your operations?
  • Security risk — how likely is this gap to be exploited, and what is the potential damage?
  • Operational requirements — what can realistically be implemented without disrupting your business?

The end result is a practical roadmap that helps improve your security posture over time — not a list of hundreds of items with no clear direction.
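To make Steps 2 to 4 concrete, here is a small added example (it is not ROI Technologies' tooling; the control ids, setting names, collected values and impact/effort scores are all constructed for illustration) that compares a collected configuration against benchmark-style controls, records which ones passed, failed or could not be evidenced, and ranks the failures using the three prioritisation criteria above:

```python
from collections import namedtuple

# Fields: control_id (constructed label, not a CIS recommendation number), title,
# setting (key in the collected config), expected (benchmark value; (low, high) for "range"),
# op ("==", ">=", "<=", "range"), severity.
Control = namedtuple("Control", "control_id title setting expected op severity")
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
OPS = {"==": lambda a, e: a == e, ">=": lambda a, e: a >= e,
       "<=": lambda a, e: a <= e, "range": lambda a, e: e[0] <= a <= e[1]}

def evaluate(control, collected):
    """Compare one collected setting with its benchmark value."""
    actual = collected.get(control.setting)
    if actual is None:  # evidence gap: report it rather than assume a pass
        return "not_collected"
    return "pass" if OPS[control.op](actual, control.expected) else "fail"

def assess(controls, collected):
    return {c.control_id: evaluate(c, collected) for c in controls}

def prioritise(controls, results, business_impact, effort):
    """Rank failed controls: severity x business impact, discounted by implementation effort (1-3)."""
    failed = [c for c in controls if results[c.control_id] == "fail"]
    def score(c):
        return SEVERITY_WEIGHT[c.severity] * business_impact.get(c.setting, 1) / effort.get(c.setting, 1)
    return sorted(failed, key=score, reverse=True)

# Constructed sample: settings as they might be exported from a Windows domain.
COLLECTED = {"min_password_length": 8, "password_history": 24,
             "lockout_threshold": 0, "smbv1_enabled": True}
CONTROLS = [  # illustrative controls in the style of the benchmarks, not the official text
    Control("PW-01", "Minimum password length 14 or more", "min_password_length", 14, ">=", "medium"),
    Control("PW-02", "Password history 24 or more", "password_history", 24, ">=", "low"),
    Control("LO-01", "Lockout threshold 1 to 5 (0 disables lockout)", "lockout_threshold", (1, 5), "range", "high"),
    Control("NET-01", "SMBv1 disabled", "smbv1_enabled", False, "==", "critical"),
    Control("AU-01", "Logon auditing enabled", "audit_logon", True, "==", "medium"),
]
BUSINESS_IMPACT = {"smbv1_enabled": 3, "lockout_threshold": 2, "min_password_length": 2}  # 1-3, constructed
EFFORT = {"smbv1_enabled": 1, "lockout_threshold": 1, "min_password_length": 3}           # 1-3, constructed

def roadmap():
    """Ordered remediation list: (control id, change to make), highest priority first."""
    results = assess(CONTROLS, COLLECTED)
    return [(c.control_id, c.title) for c in prioritise(CONTROLS, results, BUSINESS_IMPACT, EFFORT)]

if __name__ == "__main__":
    for cid, status in assess(CONTROLS, COLLECTED).items():
        print(cid, status)
    print("Remediate in order:", [cid for cid, _ in roadmap()])
```

The "not_collected" status is the point to watch in practice: a setting that was never gathered in Step 1 cannot be scored, so it goes back to the collection step instead of silently counting as a pass.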

What a CIS Assessment Is Really About

A CIS Assessment isn't about finding fault.

It's about understanding your environment, reducing risk, and making informed security decisions based on recognised industry standards.

Many organisations are surprised by what they find — not because their environment is poorly managed, but because CIS Benchmarks are detailed and specific. Even well-managed environments typically have findings that can be addressed to meaningfully reduce risk.

Better Security Starts With Better Visibility

If you'd like to know how your environment compares against CIS Benchmarks, ROI Technologies can help.

Our CIS Assessment covers Microsoft 365, Active Directory, Windows Server, SQL Server, and firewall infrastructure — giving you a clear, evidence-based picture of your security posture across your entire environment.

Contact ROI Technologies to book your CIS Assessment today.
