CIS-4.1 / CIS-4.2 / NIST SP 800-53 CM-6 CIS Controls v8

Do you measure against a recognised baseline (CIS Benchmarks, AWS Foundational Security, Azure Security Benchmark)?

Demonstrate that the organization actively measures system and application configurations against at least one recognized security baseline and uses measurement results to identify and remediate deviations.

Description

What this control does

This control ensures that an organization measures its infrastructure and application configurations against recognized, industry-standard security baselines such as CIS Benchmarks, AWS Foundational Security Best Practices, Azure Security Benchmark, or equivalent. These baselines provide prescriptive hardening guidance for operating systems, cloud platforms, databases, and applications, with scored configuration checks that enable consistent, repeatable security posture measurement. By adopting and measuring against these standards, organizations reduce configuration drift, establish a defensible security posture, and benefit from community-vetted hardening practices.
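
The paragraph above describes baselines as sets of scored configuration checks that yield a repeatable compliance measurement. The script below is an added illustration of that mechanism and is not code from this catalogue page or from any CIS, AWS or Azure tooling: it evaluates a handful of hardening checks against a constructed sshd_config and sysctl snapshot, applies a constructed risk-acceptance register, and produces a compliance percentage plus the list of failed checks that still need remediation. The check identifiers (BASE-SSH-01 and so on), the sample values and the ticket reference are all placeholders, and the parser assumes plain "Key value" sshd_config lines.

```python
"""Minimal baseline measurement: run scored configuration checks against a
host's configuration and report a compliance score, the failed checks that
remain open, and the failures covered by a formal risk acceptance.

Added example, not code from the control catalogue or any baseline scanner.
Check IDs, the sshd_config/sysctl sample and the risk register are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample configuration, as a scanner agent would collect it.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

SAMPLE_SYSCTL = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_redirects": "1",
    "kernel.randomize_va_space": "2",
}

# Constructed risk register: findings the organization has formally accepted.
ACCEPTED_RISKS = {
    "BASE-SSH-03": "RISK-0042 (placeholder ticket): X11 forwarding required on build host",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines of an sshd_config into a dict (last entry wins)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


@dataclass
class Check:
    check_id: str
    title: str
    scored: bool                       # only scored checks count toward the score
    test: Callable[[dict, dict], bool]  # (sshd settings, sysctl values) -> pass?


# Hypothetical baseline: IDs and titles are placeholders, not CIS recommendation numbers.
CHECKS: List[Check] = [
    Check("BASE-SSH-01", "SSH root login disabled", True,
          lambda ssh, sc: ssh.get("PermitRootLogin", "yes").lower() == "no"),
    Check("BASE-SSH-02", "SSH password authentication disabled", True,
          lambda ssh, sc: ssh.get("PasswordAuthentication", "yes").lower() == "no"),
    Check("BASE-SSH-03", "SSH X11 forwarding disabled", True,
          lambda ssh, sc: ssh.get("X11Forwarding", "no").lower() == "no"),
    Check("BASE-SSH-04", "SSH MaxAuthTries is 4 or less", False,
          lambda ssh, sc: int(ssh.get("MaxAuthTries", "6")) <= 4),
    Check("BASE-NET-01", "IP forwarding disabled", True,
          lambda ssh, sc: sc.get("net.ipv4.ip_forward") == "0"),
    Check("BASE-NET-02", "ICMP redirects not accepted", True,
          lambda ssh, sc: sc.get("net.ipv4.conf.all.accept_redirects") == "0"),
    Check("BASE-KRN-01", "ASLR fully enabled", True,
          lambda ssh, sc: sc.get("kernel.randomize_va_space") == "2"),
]


@dataclass
class Report:
    passed: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)        # scored, open for remediation
    accepted: Dict[str, str] = field(default_factory=dict)  # scored, formally accepted
    unscored_failed: List[str] = field(default_factory=list)
    score_percent: float = 0.0


def run_baseline(sshd_text: str, sysctl: Dict[str, str],
                 accepted: Dict[str, str]) -> Report:
    """Evaluate every check and compute the score over scored checks only."""
    ssh = parse_sshd_config(sshd_text)
    report = Report()
    scored_total = 0
    scored_passed = 0
    for c in CHECKS:
        ok = c.test(ssh, sysctl)
        if c.scored:
            scored_total += 1
        if ok:
            report.passed.append(c.check_id)
            if c.scored:
                scored_passed += 1
        elif not c.scored:
            report.unscored_failed.append(c.check_id)
        elif c.check_id in accepted:
            report.accepted[c.check_id] = accepted[c.check_id]
        else:
            report.failed.append(c.check_id)
    # An accepted risk is still a failed check for scoring, so the percentage
    # reflects the real posture rather than the paperwork around it.
    report.score_percent = round(100.0 * scored_passed / scored_total, 1) if scored_total else 0.0
    return report


if __name__ == "__main__":
    r = run_baseline(SAMPLE_SSHD_CONFIG, SAMPLE_SYSCTL, ACCEPTED_RISKS)
    print(f"Compliance score: {r.score_percent}%")
    print("Open failures:", r.failed)
    print("Accepted risks:", r.accepted)
```

The output for the sample host is a 50.0% score with BASE-SSH-01 and BASE-NET-02 open and BASE-SSH-03 listed as accepted; that separation of open failures from accepted risks is what step 6 of the testing procedure asks an auditor to see in the scan results. Keeping accepted risks inside the score rather than excluding them is a deliberate choice, since a register entry changes who owns the deviation, not whether the configuration deviates.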

Control objective

What auditing this proves

Demonstrate that the organization actively measures system and application configurations against at least one recognized security baseline and uses measurement results to identify and remediate deviations.

Associated risks

Risks this control addresses

  • Attackers exploit default or insecure configurations (open ports, weak protocols, permissive access controls) that hardening baselines would have identified and remediated
  • Configuration drift over time introduces security weaknesses that go undetected without systematic baseline comparison
  • Inconsistent hardening practices across environments (development, staging, production) create exploitable gaps between security postures
  • Compliance failures during regulatory audits due to inability to demonstrate adherence to security best practices or industry standards
  • Privilege escalation or lateral movement enabled by overly permissive service accounts, weak authentication settings, or unnecessary services that baselines explicitly address
  • Delayed incident detection and response because logging, auditing, and monitoring configurations do not meet baseline requirements
  • Cloud-specific misconfigurations (public S3 buckets, overly broad IAM roles, unencrypted storage) remain unidentified without platform-specific baseline scanning

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's documented policy or standard identifying which security baselines (e.g., CIS Benchmarks Level 1/2, AWS Foundational Security, Azure Security Benchmark) apply to each technology platform in scope.
  2. Identify the tooling and processes used to perform baseline measurement (e.g., CIS-CAT Pro, AWS Security Hub, Azure Security Center/Defender, OpenSCAP, Prowler, ScoutSuite, Chef InSpec profiles).
  3. Review configuration management or security operations documentation describing baseline scan frequency, scope (which systems/accounts/subscriptions), and responsible parties.
  4. Request and examine recent baseline scan reports or dashboards covering representative systems from each environment (production, non-production) and technology stack (Linux, Windows, AWS, Azure, databases).
  5. Select a sample of systems (minimum 5-10 representing different OS types and cloud services) and verify that baseline scans have been executed within the documented frequency (typically monthly or more frequent).
  6. Analyze scan results for the sampled systems to confirm scoring or compliance percentages are calculated and that specific failed checks are documented with remediation status or accepted risk justifications.
  7. Interview the security or infrastructure team to validate the process for reviewing scan results, triaging findings, assigning remediation tasks, and tracking closure through ticketing or workflow systems.
  8. Cross-reference baseline findings with vulnerability management or change control records to verify that identified configuration weaknesses are addressed through documented remediation activities or formal risk acceptance.

Evidence required

  • Baseline scanning reports or dashboard screenshots showing compliance scores, failed checks, and scan dates for sampled systems across multiple platforms (OS, cloud, database).
  • Configuration management runbooks, security policies, or SOPs defining baseline selection, scan schedules, and remediation workflows.
  • Ticketing system exports or risk registers documenting remediation actions or risk acceptance decisions for baseline findings, correlated with specific scan results.

Pass criteria

The organization measures configurations against at least one recognized security baseline for each technology platform in scope, performs scans at defined intervals with evidence of recent execution, and demonstrates a documented process for reviewing results and remediating or accepting identified deviations.