A security baseline is the minimum set of security controls every system must meet before deployment: the floor, not the ceiling. It defines what "secure enough to connect" means for a given organization or system type.
Baselines are drawn from frameworks like CIS Benchmarks, NIST SP 800-53, or DISA STIGs. Systems that fall below baseline are remediated before deployment or accepted as exceptions with documented risk acknowledgment.
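The following is an added illustration, not part of the original page, of how a baseline gate is typically expressed in code: a set of minimum controls, an observed configuration checked against each one, and a documented, time-limited risk acceptance that can cover a failing control without silently removing it. The control identifiers, required values and sample configuration are constructed for the example and do not correspond to any specific CIS Benchmark, STIG or NIST control.

```python
from dataclasses import dataclass
from datetime import date

# Constructed baseline: control id -> (description, minimum check).
# Each check returns True when the observed setting meets the floor.
BASELINE = {
    "PWD-01": ("Minimum password length is at least 14", lambda v: v >= 14),
    "SSH-02": ("SSH root login is disabled", lambda v: v == "no"),
    "LOG-03": ("Audit logging is enabled", lambda v: v is True),
    "TLS-04": ("Minimum TLS version is at least 1.2", lambda v: v >= 1.2),
}


@dataclass(frozen=True)
class RiskAcceptance:
    """A documented exception: who owns the risk, why, and until when."""
    control: str
    owner: str
    justification: str
    expires: date


def evaluate(observed: dict, acceptances: list[RiskAcceptance], today: date) -> dict[str, str]:
    """Return control id -> 'pass', 'fail' or 'accepted' for one system."""
    # Only unexpired acceptances count; an expired exception reverts to a failure.
    active = {a.control: a for a in acceptances if a.expires >= today}
    results = {}
    for cid, (_, check) in BASELINE.items():
        value = observed.get(cid)
        try:
            # A missing setting is not evidence of compliance, so None fails.
            meets = value is not None and check(value)
        except TypeError:
            # A value of the wrong type (e.g. "weak" for a length) cannot meet the floor.
            meets = False
        if meets:
            results[cid] = "pass"
        elif cid in active:
            results[cid] = "accepted"
        else:
            results[cid] = "fail"
    return results


def may_deploy(results: dict[str, str]) -> bool:
    """Deployment is allowed only when every control passes or has an active acceptance."""
    return all(status != "fail" for status in results.values())


def remediation_report(results: dict[str, str]) -> list[str]:
    """Human-readable list of controls that must be fixed before deployment."""
    return [f"{cid}: {BASELINE[cid][0]}" for cid, status in results.items() if status == "fail"]


# Constructed sample: one system whose password policy is below the floor.
SAMPLE_OBSERVED = {"PWD-01": 12, "SSH-02": "no", "LOG-03": True, "TLS-04": 1.2}
SAMPLE_ACCEPTANCES = [
    RiskAcceptance(
        control="PWD-01",
        owner="application-owner (placeholder)",
        justification="legacy authentication component; migration scheduled",
        expires=date(2030, 1, 1),
    )
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    without_exception = evaluate(SAMPLE_OBSERVED, [], today)
    print("no exception:", without_exception, "deploy:", may_deploy(without_exception))
    print("remediate:", remediation_report(without_exception))
    with_exception = evaluate(SAMPLE_OBSERVED, SAMPLE_ACCEPTANCES, today)
    print("with exception:", with_exception, "deploy:", may_deploy(with_exception))
```

The design point is that an accepted exception is a distinct status, not a pass: it stays visible in the results, carries an owner and an expiry, and reverts to a failure once that expiry passes, which is what "documented risk acknowledgment" means in practice.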
CISSP Relevance
Security baselines are core to Domain 3 (Security Architecture and Engineering) and Domain 6 (Security Assessment and Testing). CISSP candidates must understand how baselines are established, maintained, and verified through configuration audits.
External reference: CIS Benchmarks (Center for Internet Security)
Related terms: Configuration Management, Security Policy