CloudKey

Security audit services


A security audit is a structured review of your systems against a recognized benchmark that documents every gap, assigns it an owner, and gives it a remediation estimate, so you know exactly where you stand and what to fix first.

CloudKey security audit services measure your production systems against CIS Benchmarks, review identity and access, and check cloud configuration. You get a prioritized remediation plan, not a 200-page PDF nobody reads.

  • CIS Benchmarks
  • Identity and access review
  • Prioritized remediation
  • Re-audit scheduled
3/7 controls passing

  • Disk encryption enforced on all endpoints: Pass
  • MFA required for every privileged account: Fail
  • SSH root login disabled on production hosts: Pass
  • Password policy meets benchmark length: Partial

Illustrative checklist, not a live system. Your audit reports your own controls against the CIS Benchmark profile in scope.

Audit scope

What the benchmark covers

  • 100+ CIS Benchmarks across operating systems, cloud and services
  • 5 NIST CSF functions findings can be framed against
  • 3 cloud platforms reviewed: AWS, Azure and GCP
  • 2 profile levels, from baseline to defense in depth

Scope figures reflect the published CIS Benchmark catalog and our method, not a single engagement. Your scope is agreed before any work begins.

Overview

Know where you stand against a benchmark, not a hunch

A security audit answers a simple question that is surprisingly hard to answer from the inside: how does our actual configuration compare to a known-good standard? CloudKey audits your production systems against CIS Benchmarks, the consensus hardening baselines used across the industry, then reviews how identity, access and cloud configuration hold up around them.

The output is a posture assessment your team can act on. Every gap is documented with the evidence behind it, ranked by risk, assigned to an owner, and given a realistic remediation estimate. We close the loop with a scheduled re-audit so you can prove the gaps were actually fixed, not just logged.

A security audit is a verification activity. It tells you whether your defenses are configured the way you think they are. It pairs naturally with offensive testing, which proves whether those defenses hold under attack.

What we audit

What does a CloudKey security audit cover?

We focus the audit on the areas where misconfiguration turns into incidents.

System hardening against CIS Benchmarks

Servers, endpoints and key services measured against the relevant CIS Benchmark level, with each deviation documented and rated.

  • Operating systems and key services compared setting by setting
  • Level 1 and Level 2 profiles depending on how far you need to go
  • Every deviation documented with the evidence behind it

  • Firewall default-deny inbound: Pass
  • Legacy TLS 1.0 still enabled: Fail
  • Automatic security updates on: Partial
  • Service accounts least-privilege: Pass

Illustrative. Settings are checked against the CIS Benchmark profile in scope.

Identity and access

Privileged accounts, access reviews, MFA coverage and joiner-mover-leaver hygiene, the controls attackers abuse most often.

  • Privileged accounts inventoried and right-sized
  • MFA coverage checked across every entry point
  • Joiner-mover-leaver hygiene and stale access flagged

12 privileged accounts, 3 missing MFA, 5 stale logins

  • Domain admin without MFA: Fail
  • Shared service account, no owner: Fail
  • Contractor access past end date: Partial
  • Quarterly access review completed: Pass

Illustrative. Real reviews map each account to a named owner.

Cloud configuration and remediation plan

Misconfigured storage, over-broad roles and exposed services across AWS, Azure and GCP, each one landing in a prioritized remediation plan. The plan maps your current state to the control set you are working toward, so the audit feeds straight into SOC 2 or ISO 27001 readiness. For a deeper cloud-native engagement, see our cloud security services.

  • Misconfigured storage and over-broad roles surfaced
  • Exposed services across AWS, Azure and GCP
  • Findings ranked by risk and effort, with owners and estimates

  • Enforce MFA on privileged accounts: Critical, week 1
  • Make storage buckets private: Critical, week 1
  • Retire legacy TLS 1.0: Medium, this quarter
  • Close stale contractor access: Medium, this quarter

Illustrative. Each item ships with an owner and an effort estimate.
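As an added illustration of what "compared setting by setting, with the evidence behind each deviation" and "ranked by risk and effort, with owners" look like in practice, here is a small toy checker written for this page; it is not CloudKey's tooling, and the configuration snippets, control labels, risk and effort scores and owner names are constructed placeholders, not real CIS control numbers.

```python
"""Toy benchmark-style checks that produce evidence-backed, prioritized findings."""
from dataclasses import dataclass

# Constructed evidence, standing in for configuration collected read-only.
SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"
TLS_CONFIG = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n"
ENDPOINT_ENCRYPTION = {"lt-01": True, "lt-02": True, "lt-03": False}

@dataclass
class Finding:
    control: str    # hypothetical control label, not real CIS numbering
    status: str     # Pass, Fail or Partial
    evidence: str   # the exact setting or host list the rating rests on
    risk: int       # 1 low .. 4 critical (placeholder scale)
    effort: int     # 1 quick fix .. 3 project (placeholder scale)
    owner: str      # placeholder team name

def check_ssh_root_login(cfg: str) -> Finding:
    for line in cfg.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "PermitRootLogin":
            ok = val.strip().lower() in ("no", "prohibit-password")
            return Finding("SSH root login disabled", "Pass" if ok else "Fail", line.strip(), 3, 1, "platform")
    # Not set explicitly: the server default applies, which a benchmark wants stated, not assumed.
    return Finding("SSH root login disabled", "Partial", "PermitRootLogin not set explicitly", 2, 1, "platform")

def check_legacy_tls(cfg: str) -> Finding:
    for line in cfg.splitlines():
        if line.strip().startswith("ssl_protocols"):
            enabled = set(line.strip().rstrip(";").split()[1:])
            legacy = sorted(enabled & {"TLSv1", "TLSv1.1"})
            return Finding("Legacy TLS disabled", "Fail" if legacy else "Pass", line.strip(), 2, 2, "web")
    return Finding("Legacy TLS disabled", "Partial", "no ssl_protocols directive found", 2, 2, "web")

def check_disk_encryption(hosts: dict) -> Finding:
    unencrypted = sorted(h for h, on in hosts.items() if not on)
    if not unencrypted:
        status = "Pass"
    elif len(unencrypted) == len(hosts):
        status = "Fail"
    else:
        status = "Partial"   # some endpoints covered, some not: a gap, but not a total miss
    return Finding("Disk encryption on all endpoints", status, f"unencrypted: {unencrypted}", 3, 2, "endpoint")

def remediation_plan(findings):
    """Open gaps only, highest risk first, then least effort, so the order to fix them in is explicit."""
    gaps = [f for f in findings if f.status != "Pass"]
    return sorted(gaps, key=lambda f: (-f.risk, f.effort))

def run_audit():
    checks = [check_ssh_root_login(SSHD_CONFIG), check_legacy_tls(TLS_CONFIG),
              check_disk_encryption(ENDPOINT_ENCRYPTION)]
    return remediation_plan(checks)
```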

Standards

Measured against standards your auditors recognize

We audit against published benchmarks, so the findings are objective and the report is defensible.

CIS Benchmarks

The Center for Internet Security consensus hardening guides, with explicit Level 1 and Level 2 profiles depending on how far you need to go.

NIST CSF

Findings can be framed against the NIST Cybersecurity Framework functions so leadership sees coverage across identify, protect, detect, respond and recover.

Your control set

If you are working toward SOC 2 or ISO 27001, we map findings to those controls so the audit doubles as readiness evidence.

How it works

How does a security audit work?

A focused engagement, scoped to your environment.

  1. Scope. We agree which systems, user accounts and cloud accounts are in scope, and which CIS Benchmark profiles apply.
  2. Evidence collection. We gather configuration evidence from the systems in scope, read-only wherever possible, with access agreed in advance.
  3. Assessment. We compare the evidence against the benchmark, confirm findings by hand, and rate each gap by risk and effort.
  4. Remediation plan. You receive a prioritized plan: every gap, an owner, an effort estimate, and the order to fix them in.
  5. Re-audit. After remediation we re-check the gaps and confirm what is closed, so you can show progress over time.

What you get

A plan your team can act on this quarter

Documented, prioritized, owned. Built to be fixed, not filed.

Documented findings

Each gap with the evidence behind it and the benchmark control it maps to, so there is no argument about whether it is real.

Prioritized remediation roadmap

Ranked by risk and effort, with owners and estimates, so the team knows what to fix first and what can wait.

Re-audit attestation

Confirmation of what was closed after remediation, useful evidence for leadership, auditors and customers.

FAQ

Security audits, answered

A security audit is a structured review of your systems against a recognized standard, such as the CIS Benchmarks. It documents where your configuration deviates from the benchmark, rates each gap by risk, and gives you a prioritized plan to close them.

An audit measures you against a defined standard and produces pass or fail evidence per control. An assessment is broader and more advisory, evaluating overall risk and maturity. CloudKey audits against CIS Benchmarks and frames the results as a posture assessment.

CIS Benchmarks are detailed, system-specific hardening settings you can check against directly. NIST frameworks such as the CSF are higher-level and describe what your program should achieve. We audit against CIS and can map the results to NIST for leadership reporting.

Cost depends on the number of systems and cloud accounts in scope and which CIS Benchmark profiles apply. We scope each engagement and quote a fixed price before any work begins.

At least annually, and after any significant change to your infrastructure or cloud environment. Many teams run a lighter quarterly check between full audits to catch configuration drift early.

Yes. We review configuration across AWS, Azure and GCP as part of a security audit. For a deeper, cloud-native engagement covering posture management and cloud-specific controls, see our cloud security services.

Next step

Find out where you stand

Tell us what you run and which standard you are working toward. We scope the audit, agree read-only access, and come back with a prioritized plan and a fixed quote.