20 Critical Controls/Consensus Audit Guidelines (CAG)
The Twenty Critical Security Controls for Cyber Security: Consensus Audit Guidelines
The 20 Critical Security Controls were developed, in the USA, by a consortium led by the Center for Strategic and International Studies (CSI). The history of the Security Controls describes how they have been widely adopted across the US Federal Government as well as by the UK’s CPNI (Centre for Protection of the National Infrastructure). The US State Department claims to have achieved a 94% reduction in ‘measured’ risk through the rigorous adoption of these controls.
The 20 Critical Controls are specifically technical controls; there are a number of additional areas that should also be addressed as part of a robust security posture, including information security policy, physical security, staff training and awareness, organisational structure, documented policies and procedures, and so on. ISO27001 is the best practice international standard for an Information Security Management System that enables organisations to comprehensively secure information – and provide independent assurance that this has been done.
Each of the 20 listed critical controls (all of which can be cross-mapped to controls in Annex A of ISO27001, and thus seamlessly integrated into any ISO27001 ISMS) is supported by detailed implementation, automation, measurement and test/audit guidance which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks which these controls are designed to deal with.
The OWASP Top Ten Project continues to identify and list the Top 10 Web Application vulnerabilities and organisations that operate websites should also ensure that their web applications are, as a minimum, secure against these publicly identified vulnerabilities.
A growing range of software solutions and professional services are available to help organisations implement and audit these controls.
The Twenty Critical Security Controls themselves are published by the CSI and are maintained on the SANS website. Here is the most current version of the 20 Critical Cyber Security Controls.
Review your cyber security posture
Assess your cyber risk exposure with our consultancy services, designed to audit your organisation and provide you with detailed recommendations for improvements.
Cyber Security Audit
One day on-site consultancy, providing a high-level review of your cyber security posture – the ideal starting point for your journey to cyber security best practice and compliance.
Find out more >>
Cyber Health Check
Establish your cyber risk exposure via a combination of on-site consultancy and audit, vulnerability assessments and staff interviews.
Includes a report providing expert recommendations and an action plan to help you mitigate your risks effectively.
Find out more >>