Select regional store:

20 Critical Controls & Consensus Audit Guidelines (CAG)

The 20 critical security controls for cyber security: consensus audit guidelines

The 20 Critical Security Controls were developed, in the US, by a consortium led by the Center for Strategic and International Studies (CSI) and are also know as the Consensus Audit Guidelines (CAG). 

The history of the Security Controls describes how they have been widely adopted across the US Federal Government as well as by the UK’s CPNI (Centre for Protection of the National Infrastructure). The US State Department claims to have achieved a 94% reduction in "measured" risk through the rigorous adoption of these controls.

The 20 Critical Controls are specifically technical controls; there are a number of additional areas that should also be addressed as part of a robust security posture, including information security policy, physical security, staff training and awareness, organizational structure, documented policies and procedures, and so on.

The current 20 critical security controls

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation
  • Critical Control 5: Malware Defenses
  • Critical Control 6: Application Software Security
  • Critical Control 7: Wireless Device Control
  • Critical Control 8: Data Recovery Capability
  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 12: Controlled Use of Administrative Privileges
  • Critical Control 13: Boundary Defense
  • Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 15: Controlled Access Based on the Need to Know
  • Critical Control 16: Account Monitoring and Control
  • Critical Control 17: Data Loss Prevention
  • Critical Control 18: Incident Response and Management
  • Critical Control 19: Secure Network Engineering
  • Critical Control 20: Penetration Tests and Red Team Exercises

ISO 27001 and the 20 Critical Security Controls

 ISO 27001 is the best practice international standard for an Information Security Management System that enables organizations to comprehensively secure information—and provide independent assurance that this has been done.

Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of ISO 27001 and thus seamlessly integrated into any ISO 27001 ISMS) is supported by detailed implementation, automation, measurement, and test/audit guidance, which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks that these controls are designed to deal with.

Learn more about implementating ISO 27001 >>

THE OWASP Top Ten Project

The OWASP Top Ten Project continues to identify and list the Top 10 Web Application vulnerabilities, and organizations that operate websites should also ensure that their web applications are, as a minimum, secure against these publicly identified vulnerabilities.

A growing range of software solutions and professional services are available to help organizations implement and audit these controls.

The Twenty Critical Security Controls are themselves published by the CSI and are maintained on the SANS website. 

This website uses cookies. View our cookie policy