If you're responsible for managing IT systems, you've probably heard the term CIS before — but what exactly is it?
CIS stands for the Center for Internet Security, a globally recognised non-profit that develops cybersecurity best practices used by businesses, governments, and security professionals around the world. Its guidance underpins many of the security frameworks, audit checklists and cyber insurance questionnaires that South African organisations are increasingly being asked to comply with.
Watch: What is CIS?
What are CIS Benchmarks?
CIS Benchmarks are consensus-developed, prescriptive security configuration guides for specific technologies. They translate the higher-level CIS Controls into concrete "set this setting to this value" recommendations for the platforms your business actually runs, including:
- Microsoft 365 and Azure Active Directory
- Windows Server and Windows 10/11
- Active Directory Domain Services
- SQL Server
- FortiGate and Sophos firewalls
- Linux distributions and common web servers
Think of them as a blueprint for secure configuration that maps back to the 18 CIS Controls. Instead of relying on guesswork or vendor defaults, organisations can compare their systems against proven industry standards to identify weaknesses and reduce risk in a measurable way.
What are the CIS Controls?
The CIS Controls are a prioritised set of 18 cybersecurity safeguards designed to defend against the most common real-world attacks. They give you an actionable roadmap — start at the top and work down — rather than a vague "be more secure" mandate.
The 18 CIS Controls are:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
The Controls are organised into three Implementation Groups (IG1, IG2, IG3) so small businesses can start with the essentials and mature over time. Most South African SMEs should be aiming for at least IG1 as a baseline.
Why CIS Benchmarks Matter for Cyber Insurance in South Africa
Cyber insurance in South Africa has hardened significantly over the last two years. Insurers and their underwriters are no longer satisfied with a checkbox that says "we have antivirus and a firewall". Increasingly, applications and renewals require evidence of:
- MFA enforcement across all users (including admins and service accounts)
- Privileged access management and limits on Domain Admin accounts
- Endpoint detection and response (EDR) on servers and workstations
- Tested, offline or immutable backups
- A documented security baseline — which is exactly what CIS Benchmarks provide
Being able to hand your broker a CIS Benchmark Assessment report — showing which controls pass, which fail, and your remediation plan — materially improves your chances of getting cover, getting better pricing, and having a claim paid out if the worst happens.
What Does a CIS Assessment Answer?
A CIS assessment helps answer one important question:
"Is our environment configured according to recognised security best practices?"
Many organisations invest in security products — firewalls, endpoint protection, Microsoft 365 licences — but never verify whether those products are actually configured correctly. A CIS assessment closes that gap with objective, evidence-based findings.
Why Configuration Matters as Much as the Product
Cybersecurity isn't just about having security products. It's about ensuring they're configured according to recognised industry standards. A misconfigured firewall, an Active Directory environment with weak password policies, or a Microsoft 365 tenant that still allows legacy authentication all create risk regardless of what security software is installed.
Attackers don't break in — they log in. And they log in through misconfigurations, not through the products themselves.
How ROI Technologies Conducts CIS Assessments
At ROI Technologies, we use CIS-CAT Pro — the official CIS auditing tool — to assess environments against the CIS Benchmarks. Our process produces a detailed pass/fail report for every security control and identifies gaps across your Microsoft 365 environment, Active Directory, Windows Server infrastructure, and network firewalls.
You get:
- A benchmark-aligned findings report
- A prioritised remediation roadmap (highest risk first)
- Documentation you can hand to your cyber insurance broker or auditor
- A retest option to prove the gaps have been closed
Ready to Find Out How Your Environment Measures Up?
A CIS Assessment gives you a clear, evidence-based picture of your security configuration — no guesswork, no assumptions, and something concrete to show your insurer, your board, or your auditors.
Contact ROI Technologies to book your CIS Assessment today.
Need IT or Cybersecurity help in South Africa?
Talk to ROI Technologies — Johannesburg-based, certified, vendor-agnostic.
Contact Us