This website uses cookies. View our cookie policy
Select regional store:

20 Critical Controls/Consensus Audit Guidelines (CAG)

The Twenty Critical Security Controls for Cybersecurity: Consensus Audit Guidelines

The 20 Critical Security Controls were developed, in the US, by a consortium led by the Center for Strategic and International Studies (CSI). The history of the Security Controls describes how they have been widely adopted across the US Federal Government as well as by the UK’s CPNI (Centre for Protection of the National Infrastructure). The US State Department claims to have achieved a 94% reduction in "measured" risk through the rigorous adoption of these controls.

The 20 Critical Controls are specifically technical controls; there are a number of additional areas that should also be addressed as part of a robust security posture, including information security policy, physical security, staff training and awareness, organizational structure, documented policies and procedures, and so on. ISO27001 is the best practice international standard for an Information Security Management System that enables organizations to comprehensively secure information—and provide independent assurance that this has been done.

Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of ISO27001 and thus seamlessly integrated into any ISO27001 ISMS) is supported by detailed implementation, automation, measurement, and test/audit guidance, which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks that these controls are designed to deal with.

The OWASP Top Ten Project continues to identify and list the Top 10 Web Application vulnerabilities, and organizations that operate websites should also ensure that their web applications are, as a minimum, secure against these publicly identified vulnerabilities.

A growing range of software solutions and professional services are available to help organizations implement and audit these controls.

The Twenty Critical Security Controls are themselves published by the CSI and are maintained on the SANS website. Here is the most current version of the 20 Critical Cyber Security Controls.