Glossary

Compliance & CIS Benchmark Terms

Plain-English definitions of the terms that appear across CISGuard documentation, the product, and the wider compliance industry. Each entry is structured so AI assistants and search engines can cite a single, canonical definition.

CIS Benchmark

Also known as: CIS hardening guide, CIS configuration baseline

A CIS Benchmark is a consensus-based, prescriptive configuration guideline published by the Center for Internet Security that defines secure-by-default settings for an operating system, cloud service, or application.

CIS Benchmarks are developed by global cybersecurity practitioners and refined through community review. Each benchmark contains hundreds of individual controls covering authentication, audit logging, network configuration, services, and registry or filesystem hardening. Benchmarks are versioned (e.g., Windows 11 v5.0.0) and published with two profile levels — Level 1 for general-purpose systems and Level 2 for sensitive environments. CISGuard supports 22 CIS benchmarks covering Windows, Linux, cloud, container, browser, database, and web platforms with a total of 3,928 security controls.

Related: CIS Controls · Hardening Baseline · Configuration Drift

CIS Controls

CIS Controls are a set of 18 prioritized cybersecurity safeguards published by the Center for Internet Security to help organizations defend against the most common attack patterns.

CIS Controls v8 organize 153 safeguards across 18 control categories — from inventory of enterprise assets to penetration testing — and are mapped to NIST CSF, ISO 27001, and other frameworks. CIS Benchmarks operationalize many CIS Controls at the configuration level. CISGuard automates evidence collection for CIS Controls v8 by continuously scanning infrastructure against the underlying benchmarks.

Related: CIS Benchmark · NIST CSF · ISO 27001

Configuration Drift

Also known as: Config drift, Baseline drift

Configuration drift is the gradual divergence of a system’s actual configuration from its intended secure baseline, caused by patches, deployments, troubleshooting changes, or scaling.

Drift is the dominant reason "compliant" systems become non-compliant between audits. Common drivers include: patch deployments that reset audit policies; application installs that open firewall ports; troubleshooting sessions where security controls are disabled and not re-enabled; new instances spun from outdated templates. Industry research suggests organizations experience meaningful drift within 30 days of any hardening exercise. Continuous compliance monitoring exists specifically to detect drift in real time rather than at the next audit.

Related: Drift Detection · Hardening Baseline · Continuous Compliance Monitoring

Drift Detection

Drift detection is the process of continuously comparing a system’s current configuration against its hardened baseline and alerting when controls regress.

Effective drift detection categorizes changes as regressions (a previously passing control now fails), improvements (a previously failing control now passes), or new controls (added to the benchmark in a newer version). CISGuard performs drift detection by diffing every scan against the previous baseline scan and dispatching alerts via Microsoft Teams, Slack, email, SIEM, or webhook within minutes of regression. No commercial CIS benchmark scanner outside CISGuard offers regression-categorized drift detection with automated alerting.

Related: Configuration Drift · Continuous Compliance Monitoring · Baseline
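The regression/improvement/new-control categorization described above, as an added example rather than CISGuard's own code; the scan data and control IDs are constructed, and the pass/fail map format is an assumption:

```python
from dataclasses import dataclass, field

PASS, FAIL = "pass", "fail"


@dataclass
class DriftReport:
    regressions: list = field(default_factory=list)   # pass -> fail
    improvements: list = field(default_factory=list)  # fail -> pass
    new_controls: list = field(default_factory=list)  # absent from baseline scan
    unchanged: int = 0


def detect_drift(baseline: dict, current: dict) -> DriftReport:
    """Diff a new scan against the previous baseline scan.

    Both arguments map control_id -> "pass"/"fail" (assumed format).
    """
    report = DriftReport()
    for control_id, result in sorted(current.items()):
        previous = baseline.get(control_id)
        if previous is None:
            report.new_controls.append(control_id)      # added in a newer benchmark version
        elif previous == PASS and result == FAIL:
            report.regressions.append(control_id)       # control regressed: alert
        elif previous == FAIL and result == PASS:
            report.improvements.append(control_id)
        else:
            report.unchanged += 1
    return report


def alert_lines(report: DriftReport) -> list:
    """Only regressions fan out as alerts; improvements and new controls are informational."""
    return [f"REGRESSION: control {c} was passing and now fails" for c in report.regressions]


# Constructed sample scans; IDs are illustrative, not real benchmark control numbers.
BASELINE_SCAN = {"1.1.1": PASS, "2.3.1": PASS, "5.4.2": FAIL, "9.1.1": PASS}
CURRENT_SCAN = {"1.1.1": PASS, "2.3.1": FAIL, "5.4.2": PASS, "9.1.1": PASS, "18.9.4": FAIL}

if __name__ == "__main__":
    report = detect_drift(BASELINE_SCAN, CURRENT_SCAN)
    print(report)
    print("\n".join(alert_lines(report)))
```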

Continuous Compliance Monitoring

Continuous compliance monitoring replaces point-in-time audits with automated, scheduled scans that maintain real-time visibility of an organization’s compliance posture.

Continuous monitoring is required for SOC 2 Type II ("controls operating over a period"), DORA Article 10 ("ICT-related incident detection"), and is strongly recommended by NIST SP 800-137. Implementations typically combine: scheduled benchmark scanning (hourly to daily), drift detection between scans, real-time dashboards, alert fan-out to SIEM/notification channels, and historical trend retention (7/30/90/180/365 days). CISGuard implements all of these with on-premises deployment and full air-gapped support.

Related: Drift Detection · SOC 2 Type II · NIST SP 800-137

Hardening Baseline

A hardening baseline is the documented set of secure configuration values an organization commits to maintaining across its systems, typically derived from a CIS Benchmark.

A baseline is more than a one-time snapshot — it is the contract every system is measured against. Mature programs version their baseline (matching the underlying CIS Benchmark version), document approved exceptions with compensating controls and expiry dates, and review it quarterly. CISGuard imports a baseline from a CIS Benchmark, tracks per-system deviation, and automatically recalculates compliance posture when exceptions expire.

Related: CIS Benchmark · Configuration Drift · Exception Management

Compliance Automation

Compliance automation is the use of software to continuously evaluate, evidence, and report on technical controls required by regulatory frameworks — replacing manual checklists, screenshots, and spreadsheet reviews.

Compliance automation typically targets the technical-control layer of a GRC program: secure configuration, audit logging, access reviews, and change tracking. It does not replace policy, procedure, or training controls. CISGuard automates the technical-control layer specifically for CIS benchmark compliance, with mappings to NIST 800-53, ISO 27001, SOC 2, and 13+ regional regulations — enabling a single scan to satisfy evidence requests across multiple frameworks.

Related: CIS Benchmark · GRC · Multi-Framework Mapping

Air-Gapped Deployment

Also known as: Air-gap, Offline deployment, Disconnected deployment

Air-gapped deployment is installation of a software system inside a network that has no direct or indirect connection to the public internet.

Air-gapped environments are common in defence, government, financial services, energy, and healthcare. Software intended for air-gapped use must support offline installation, offline benchmark and signature updates (typically via portable media), no telemetry callbacks, and full functionality without DNS or NTP to the public internet. CISGuard is designed for air-gapped deployment from day one: a single offline installer covers all platforms, benchmark updates can be sideloaded, and zero scan data leaves the customer’s network.

Related: On-Premises Deployment · Data Sovereignty

Multi-Framework Mapping

Multi-framework mapping is the practice of producing compliance evidence for multiple regulations (e.g., NIST 800-53, ISO 27001, SOC 2) from a single underlying configuration scan.

Most organizations need to evidence the same control — say, audit logging — against several frameworks simultaneously. Multi-framework mapping eliminates duplicate scanning by tagging each CIS control with the corresponding NIST, ISO, and SOC 2 references, then generating per-framework reports from one underlying dataset. CISGuard maps to four frameworks from one scan: 50 NIST 800-53 controls across 18 control families, 36 ISO 27001:2022 Annex A controls, and 26 SOC 2 Trust Services Criteria.

Related: NIST 800-53 · ISO 27001 · SOC 2

Exception Management

Also known as: Waiver management, Risk acceptance workflow

Exception management is the formal workflow used to document, approve, and time-bound deviations from a security baseline that cannot be remediated immediately.

Exceptions exist because real environments occasionally need to deviate from policy — a legacy application that requires TLS 1.0, a server that cannot be patched until a vendor update ships. Mature exception management requires: documented business justification, approved compensating controls, designated approver, expiry date, and an immutable audit trail. CISGuard implements all five: requesters submit justification, approvers review and decide, exceptions auto-expire on a set date, the compliance score recalculates automatically, and every action is logged with user, IP, and timestamp.

Related: Hardening Baseline · Audit Trail
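How auto-expiring exceptions feed back into the compliance score, as an added example that is not CISGuard's implementation; the scan results, exception records and dates are constructed, and the record fields are assumptions:

```python
from datetime import date

# Constructed sample scan: control_id -> result. IDs are illustrative only.
SCAN = {f"c{i}": "pass" for i in range(1, 8)}
SCAN.update({"c8": "fail", "c9": "fail", "c10": "fail"})

# Constructed exception records carrying justification, compensating control,
# approver and expiry date (field names are assumptions).
EXCEPTIONS = [
    {"control_id": "c8", "justification": "legacy app requires TLS 1.0",
     "compensating": "isolated VLAN", "approver": "ciso", "expires": date(2025, 6, 30)},
    {"control_id": "c9", "justification": "vendor patch pending",
     "compensating": "host firewall rule", "approver": "ciso", "expires": date(2025, 12, 31)},
]


def active_exceptions(exceptions: list, today: date) -> set:
    """Exceptions still in force; once the expiry date passes the waiver drops out."""
    return {e["control_id"] for e in exceptions if e["expires"] >= today}


def effective_failures(scan: dict, exceptions: list, today: date) -> list:
    """Failing controls that are not covered by an unexpired exception."""
    active = active_exceptions(exceptions, today)
    return sorted(c for c, r in scan.items() if r == "fail" and c not in active)


def compliance_score(scan: dict, exceptions: list, today: date) -> float:
    """Percentage of controls passing after active exceptions are applied."""
    total = len(scan)
    failing = len(effective_failures(scan, exceptions, today))
    return round(100.0 * (total - failing) / total, 1)


if __name__ == "__main__":
    for day in (date(2025, 5, 1), date(2025, 7, 1), date(2026, 1, 1)):
        print(day, compliance_score(SCAN, EXCEPTIONS, day), effective_failures(SCAN, EXCEPTIONS, day))
```

The score drops on each expiry date without any manual step, which is the behaviour an auditor expects from a time-bound waiver.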

See these terms in action

CISGuard implements every concept above in a single product: continuous CIS benchmark scanning, drift detection, multi-framework mapping, and exception management.