20 Critical Controls/Consensus Audit Guidelines (CAG)
The Twenty Critical Security Controls for Cyber Security: Consensus Audit Guidelines
The 20 Critical Security Controls were developed, in the USA, by a consortium led by the Center for Strategic and International Studies (CSIS). The published history of the Controls describes how they have been widely adopted across the US Federal Government as well as by the UK’s CPNI (Centre for the Protection of National Infrastructure). The US State Department reports a 94% reduction in ‘measured’ risk through rigorous adoption of these controls.
The 20 Critical Controls are specifically technical controls; there are a number of additional areas that should also be addressed as part of a robust security posture, including information security policy, physical security, staff training and awareness, organisational structure, documented policies and procedures, and so on. ISO27001 is the best practice international standard for an Information Security Management System that enables organisations to comprehensively secure information – and provide independent assurance that this has been done.
Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of ISO27001, and thus seamlessly integrated into any ISO27001 ISMS) is supported by detailed implementation, automation, measurement and test/audit guidance which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks which these controls are designed to deal with.
The OWASP Top Ten Project continues to identify and list the top 10 web application vulnerabilities, and organisations that operate websites should also ensure that their web applications are, as a minimum, secure against these publicly identified vulnerabilities.
A growing range of software solutions and professional services are available to help organisations implement and audit these controls.
The Twenty Critical Security Controls themselves are published by CSIS and are maintained on the SANS website. Here is the most current version of the 20 Critical Cyber Security Controls.