I strongly believe that good IT operational practices drive a reduction in cybersecurity-related risk and that the CIS Controls help drive those operational practices. I wanted to help develop the CIS Controls and use my quarter of a century experience in this sector to make them even more effective.
Tony Krzyzewski
Director, SAM for Compliance Ltd.


It’s been a good experience working with the community in the Controls update process. I’ve made many connections and had many discussions on Controls, especially for small businesses.
Alan Watkins


Falling into the CIS Controls framework was absolutely fantastic for us. I smiled ear to ear when I realized that there is a way to build a standard to measure against.
CEO of a Small Consulting and Development Services Organization located in Upstate NY

What the CIS Controls have done is formatted a way for people to begin their cyber journey and for larger organizations, I have found that the Top 20 actually helps them organize.
Michael A Echols

CEO, IACI (International Association of Certified IASOs)


When dealing with critical infrastructure, such as election system security, CIS provides an incredible resource [CIS Controls] to help prioritize security controls. With numerous support guides [CIS RAM, A Handbook for Election Infrastructure Security, etc.] focused on risk assessment, system hardening, and metrics, the sting of compliance work has been removed, allowing us to speed up the implementation of our security program.
SAIC - Security Architect for the Colorado Secretary of State's Office


The [CIS Controls] are a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense.
Centre for the Protection of National Infrastructure
United Kingdom


The [CIS Controls] identify a minimum level of information security that all organizations that collect or maintain personal information should meet.
Kamala D. Harris, Attorney General
California Department of Justice
California Data Breach Report
California, USA

The CIS Controls take the background and knowledge of cybersecurity experts literally around the world and help focus efforts on things that are of most value. Directly impacting the adversaries and challenges we face today on our networks.
Harley Parkes, Director
IACD (Integrated Adaptive Cyber Defense)


I see CIS Controls as being an extremely important tool in assisting organizations to protect their information assets. The [CIS] Controls provide a pragmatic and achievable set of requirements that are shown to reduce the level of information security-related risk.
Tony Krzyzewski, Director
SAM for Compliance Ltd
New Zealand


The CIS Controls definitely fills a gap where other leading frameworks gloss over and that is where we reference them.
Tom Cornelius, Senior Partner
Compliance Forge
Oregon, USA


The CIS Controls have been tremendously successful in that they give a company an education about the behavior of the bad guy, how they attack an organization; and where you can manage not only your business risk, which is really important but your technical and IT risk within a company.
Geoff Hancock
Chief Cybersecurity Executive, Advanced Cybersecurity Group


In 2015, I came across the CIS Controls and fell in love with the CIS Controls spreadsheet. We adopted the CIS Controls as our framework going forward.
John Nord, Manager of IT and Business Systems
Corden Pharma


The CIS Controls helped us set a vision for the state and gave us a framework for the implementation.
Thomas Olmstead, CISO
State of Iowa
Iowa, USA


I’m a huge fan of the [CIS] Controls…CIS Controls provide a strong story and framework.
Christophe Demoor, CISM

The CIS Controls are the best signpost out there to do something that will have an actual, concrete, and immediate effect.
Phil Reitinger
President and CEO, Global Cyber Alliance

This is where the [CIS Controls] are almost perfect for establishing a security baseline for smaller organizations.
James Jacobs, CEE
Crysis Averted
Virginia, USA

Start by taking care of the basics: build a solid cybersecurity foundation by implementing the [CIS Controls], especially application white-listing, standard secure configurations, reduction of administrative privileges, and a quick patching process.
Zurich Insurance Group
Risk Nexus: Overcome by cyber risks?
Economic benefits and costs of alternate cyber futures




The content comes from a diverse set of contributors and considers realistic threats. The CIS Benchmarks content is then presented as a series of recommendations, with rationales, that should be considered by the implementer and selected as appropriate to their use case.
Information Security Consultant
Seattle, WA


CIS Benchmarks are very useful to apply security best practices on our platform and for the secure configuration of our system.
Information System Directorate
Financial Institution
South Africa


We needed to reach a security compliance for one of our clients and using CIS we were able to generate reports to prove our process
Director of Information Technology
Spring Design Partners, Inc.
New York, USA


Thank you for your efforts to better secure the overall cyber environment.
Security Technical Architect
Asset Management & Business Processing Solution Company
Delaware, USA


CIS’ collaborative correlation between standards facilitates the time to market our supplied assets covered by the CIS Benchmarks.
Cyber Information Assurance Specialist
Defense Technology Company
Virginia, USA



CIS SecureSuite Logo


We work with sensitive information on a daily basis. The CIS Controls along with CIS-CAT Pro, a proven and indispensable tool, helps us to evaluate and maintain a security baseline for our IT infrastructure.
Sasawat Malaivongs, Business Director


Being SOC 2 compliant, adopting a hardening standard is required and we have found that CIS fits that requirement. The support of multiple operating systems is key in our environments and CIS provides that. For all of our systems, we are standardizing our hardening standards on CIS.
VP of IT
Small U.S. Business


Thank you for the services you provide, they are very valuable and appreciated.
Keith Guest, PMP, Computer Specialist
Information Services Division, Enterprise Services Center
A division of the Federal Aviation Administration
Washington D.C., USA


The CIS SecureSuite membership is the most important membership for the compliance reviews of information security available in the market today. It reduces labor cost to develop standards by comparing control effectiveness against CIS Benchmarks.
Senior Manager Information Security & Compliance: Internal IT
International Public Service Information & Communications Technology Agency
South Africa


We’re very happy with CIS and the work that you guys are doing to help businesses like ours develop and validate our security posture.
Information Security Officer
Payment Solution Company




Allgress currently uses the CIS Hardened Images in our deployments to eliminate almost all of the manual work when it comes to locking down our servers. It reduces time, cost and risk by not having to manually configure our servers from scratch.
Jeff Kushner, Chief Marketing Officer


Based on the value, time and costs saving, I would not consider spinning up a AWS server without adding the CIS security to it for any production-level instance.
V.P. Application Lifecycle Management
CorTechs, Inc.


CIS images are continuously maintained by CIS to ensure configuration changes and patches are current and available so it saves us time and money.
Khaja Syed, President/CEO


Using an industry standard offers time savings which is a huge benefit of using the CIS hardened images. We don’t have to build an image from scratch and then apply additional controls.
Waqasul Haq, Chief Security Architect


The CIS images are cost effective and cover various operating systems which align well with our customers.
Jordan Thomas, VP Software and Services



Contact us