GRCWatch
Sign inStart free trial

CIS Control 12.4: Establish and Maintain Architecture Diagram(s)

Network architecture documentation is foundational to understanding your systems, identifying vulnerabilities, and demonstrating compliance. CIS Control 12.4 requires you to create and maintain current diagrams and documentation—and review them annually or when changes occur. Without this visibility, you cannot effectively manage your security posture.

What this means

This control requires organizations to develop comprehensive architecture diagrams and supporting network system documentation that accurately represent their IT infrastructure. Documentation must include system components, data flows, network topology, and connections between systems. The documentation must be reviewed and updated at least annually, or immediately when significant changes occur—such as new systems, network redesigns, cloud migrations, or organizational restructuring. The goal is to maintain an accurate, single source of truth about your infrastructure that enables security teams, IT operations, and leadership to understand your risk landscape.

How to comply

  1. 1.Create detailed architecture diagrams covering your entire network topology, including on-premise systems, cloud environments, and hybrid deployments
  2. 2.Document all critical systems, databases, applications, and data flows with clear labeling and version control
  3. 3.Include security controls, firewalls, access points, and data classification in your documentation
  4. 4.Establish a documented process for capturing significant changes (new systems, removals, modifications) and trigger points for updates
  5. 5.Schedule annual reviews with IT operations and security teams to validate accuracy and identify gaps
  6. 6.Update diagrams within 30 days of any significant enterprise changes that could impact infrastructure or security
  7. 7.Store documentation in a centralized, version-controlled location with appropriate access controls
  8. 8.Communicate updated architecture to relevant stakeholders including security, compliance, and risk teams

Evidence auditors look for

  • Current network architecture diagrams dated and version-controlled, reviewed within the last 12 months
  • System inventory documentation listing all hardware, software, and cloud services with interconnection details
  • Data flow diagrams showing how information moves between systems and external parties
  • Change log showing when diagrams were last updated and what changes triggered updates
  • Meeting minutes from annual architecture review sessions with IT and security teams
  • Comparison of current architecture documentation to actual deployed infrastructure with reconciliation notes
  • Documented change management process that includes architecture diagram updates as part of post-implementation activities

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your IT infrastructure, detects architecture changes in real-time, and maintains version-controlled diagrams—eliminating manual documentation work and ensuring your CIS 12.4 evidence is always current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 12.1 - Network SegmentationCIS Control 12.2 - Ensure Network Infrastructure is Physically IsolatedCIS Control 12.3 - Manage Network InfrastructureCIS Control 2.1 - Establish and Maintain Detailed Asset Inventory