The 20 critical security controls for cyber security: consensus audit guidelines
The 20 Critical Security Controls were developed, in the US, by a consortium led by the Center for Strategic and International Studies (CSIS) and are also known as the Consensus Audit Guidelines (CAG).
The history of the Security Controls describes how they have been widely adopted across the US Federal Government as well as by the UK’s CPNI (Centre for Protection of the National Infrastructure). The US State Department claims to have achieved a 94% reduction in "measured" risk through the rigorous adoption of these controls.
The 20 Critical Controls are specifically technical controls; there are a number of additional areas that should also be addressed as part of a robust security posture, including information security policy, physical security, staff training and awareness, organizational structure, documented policies and procedures, and so on.
ISO 27001 and the 20 Critical Security Controls
ISO 27001 is the best practice international standard for an Information Security Management System that enables organizations to comprehensively secure information—and provide independent assurance that this has been done.
Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of ISO 27001 and thus seamlessly integrated into any ISO 27001 ISMS) is supported by detailed implementation, automation, measurement, and test/audit guidance, which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks that these controls are designed to deal with.
The OWASP Top Ten Project
The OWASP Top Ten Project continues to identify and list the Top 10 Web Application vulnerabilities, and organizations that operate websites should also ensure that their web applications are, as a minimum, secure against these publicly identified vulnerabilities.
A growing range of software solutions and professional services are available to help organizations implement and audit these controls.
The Twenty Critical Security Controls are themselves published by the CSIS and are maintained on the SANS website.