CIS Controls Tools Privacy Policy

Current version: v2.0, published 8/11/21

Privacy policy version history.

CIS knows that you care how information about you is used and shared, and we appreciate your trust that we will do so carefully and sensibly. This notice describes our privacy policy, including what data we collect, how we use it and for what purpose. Given the importance we place on privacy, please read this policy carefully.

This policy applies to the use of the CIS Controls Tools, which comprise the following:

Controls Self-Assessment Tool or CSAT, the CIS-hosted web-based tool available at https://csat.cisecurity.org that allows you to assess and document the status of your organization's cybersecurity posture against the CIS Controls.

CIS CSAT Ransomware Business Impact Analysis tool or BIA tool, a web-based analytical tool allowing you to self-assess the business impact of a cyber loss from the breach of an asset due to ransomware.

The mission of CIS is to improve and enhance cybersecurity, so we are sensitive to the privacy issues on the Internet and recognize that visitors to this website and those who use the CIS Controls Tools are concerned about the type of information we collect and how we use it. CIS is committed to preserving your privacy and this policy discusses our practices.

Information we collect

CIS collects two kinds of information: (1) personal information, which is information that can be identified to a particular individual because of a name, number, symbol, mark or other indicator; and (2) non-personal information that does not identify a particular individual.

CIS receives and stores certain types of information whenever you interact with us. Any personal information you provide is gathered when you complete an online registration to establish a login for access to and use of a CIS Controls Tool.

If you do not wish to have identifying information disclosed, we honor all requests to omit individual or organization names from website listings. If such a request is made, identifying information will not be disclosed by CIS unless we are legally required to do so.

Cookies
Cookies are text files stored by your web browser in order to record information about you or your activities on a website. Using cookies for this purpose is a common, generally accepted practice on the Internet. We may use temporary cookies to enhance, customize, or enable your visit to this website. Temporary cookies do not contain personal information that can be used to identify you, do not compromise your privacy or security, and are erased when you close your browser.

Certain features on this website may require you to fill in a registration form used to personalize your user experience. Such features may store a persistent cookie on your computer's hard drive that is not deleted when you close your browser. A persistent cookie allows us to recognize you on your next visit and tailor your user experience to your needs and interests.

If the program you use to access this site is set to refuse new cookies or delete existing cookies, your ability to use some of the features on this website may be limited.

Types of cookies used by CIS:

  • Necessary: These cookies are essential to make the CIS website function. They enable specific features without which the site could not be used.
  • Analytics/Performance: These cookies measure site performance; we use them to understand and improve our products and services.
  • Targeting/Marketing: CIS may use these cookies to show you relevant advertising and targeted ads. We may also use them to measure ad utilization and the action taken following a specific marketing cookie, e.g. visiting and downloading a benchmark, joining a webcast or downloading a whitepaper. Similarly, partners may use the same process to measure ad performance and the use of ads both on and off the CIS website.
  • Preferences/Functional: These cookies store your preferred settings and communication preferences.

Some cookies are deemed Strictly Necessary because CIS needs them to process and manage CIS Controls Tool functions and to provide the required information. If you choose not to accept these cookies, your access to specific functional services will be severely limited, and in some cases blocked.

The specific cookies used by CIS are listed here

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

Managing cookies in your browser and opting out

Depending on your personal preference, you may want to limit or delete cookies. You can do this within your web browser, which lets you manage cookies to suit your requirements. Because the options differ by browser, you may want to review your browser's cookie settings and its advertising or marketing settings. Some browsers let you set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over opting out; you can also disallow cookies from all sites according to your privacy preference.

Information obtained by Google Analytics

This website uses the Google Analytics web analysis service and enters into an agreement with Google as the data processor. Google Analytics stores a persistent cookie on your hard drive. The information in this cookie (including your IP address) is transmitted to Google and stored on Google servers. Google uses this information to anonymously analyze your use of the website, compile reports on your website activity for site operators, and provide other services related to your website activity and Internet usage. Google may transfer this information to third parties where required to do so by law or where those third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

By using this website, you consent to Google's processing of data about you. To review Google's Privacy Policy, see https://policies.google.com/privacy

Who has access to this information?

If you provide personal information to CIS, only employees whose roles grant access under our procedural role-based access controls may use it, and they do so following appropriate procedures for handling and disclosing your information. In addition, CIS has implemented procedures to safeguard the integrity of its information technology assets, including but not limited to authentication, monitoring and auditing. These security measures have been integrated into the design, implementation and day-to-day operations of this website as part of our continuing commitment to the security and privacy of electronic content as well as the electronic transmission of information.

How we use the information collected

We do not sell or distribute email addresses or other personal information to others for their commercial use. We use personal information collected for the following purposes:

  • Providing you with access to the CIS Controls Tools.
  • Producing comparative analyses by anonymously correlating scores across Controls using the industry parameters and industry information provided during registration.
  • Publishing testimonials about CIS products and services provided by individuals, which would include their name, title and affiliated organization.
  • Gaining a better understanding of how our services and products are used so we can improve them and engage with users.
  • Diagnosing problems.
  • Sending you business messages related to payments or the expiration of subscriptions.
  • Sending you information about CIS products, services, opportunities, updates, advisories, special offers, and similar information.
  • Conducting market research about our customers and the effectiveness of our marketing campaigns.

We also collect some information that is not considered to be personal information. When utilizing a CIS Controls Tool, the following non-personal information about your visit is automatically collected and stored:

  • The type of browser and operating system you use when you visit this site;
  • The date and time when you visit this site;
  • The webpage and services you access at this site;
  • Additionally, non-personal information such as a company or governmental entity name and address, and an IP address, which may be provided when registering or signing up for CIS products or services.

We use non-personal information internally to find out how people use the CIS Controls Tools, to help us improve the service content, to assess system performance and to identify problem areas. We do not sell or distribute this information to others for their commercial use.

We use this information strictly for legitimate business purposes and retain it only as long as necessary to carry out the specific requirements of providing CIS products, services, opportunities, updates, advisories, special offers, and similar information.

Access to your personal information

As a service provider, we aim to give you the access you need to update the personal information in our records. If that information is incorrect, we give you ways to update it quickly.

If you request deletion of the data we hold about you, we will honor a validated request unless we must keep that information for legitimate business or legal purposes. We maintain archived and backup copies to protect all information from accidental or malicious destruction; as a result, once your deletion request is completed, the data may not be immediately deleted from residual copies and may not be removed from archived or backup systems.

Other Websites

This website may provide links to websites maintained by other organizations. A link to another website does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products or services of that other website. Once you navigate from this website to another site, you are subject to the terms and conditions of that site, including the provisions of its privacy policy.

The information provided in this privacy policy cannot be interpreted as business, legal or other advice, or as warranting fail-proof security for information provided through this website. Information provided on this website is intended to give the public access to information related to CIS. While all attempts are made to provide accurate, current and reliable information, there is a possibility of human and/or mechanical error. If your personal data is in error, you can rectify it using the manage account function within CIS products or services. This privacy policy is not intended to and does not create any contractual or other legal rights for or on behalf of any party.

Who can I contact with questions or concerns?

For any issues, omissions, or questions please contact privacy@cisecurity.org