

What are the top 20 Security Controls?

When you need to quickly secure your IT infrastructure, you can’t afford to spend time patching up low-criticality vulnerabilities, wading through a sea of false positives, or implementing redundant practices. You need to prioritize what you can tackle today to make big steps in your cyber defense. With this in mind, a consortium of hundreds of security experts from across the public and private sectors, including CPNI, SANS, and Tripwire, have united to make a prioritized strategy for addressing cyber security.

The top 20 critical security controls are a set of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense with a focus on actionable measures with high-payoff results. Studies conducted by SANS found that 73% of those surveyed have adopted the Controls or plan to implement them.

This list of controls and sub controls helps organizations prioritize their efforts to effectively defend against the current, most common and damaging computer and network threats of today as well as those expected in the near future. The order of these controls as well as the recommendations of their sub-controls are updated regularly to reflect changing technology and methods of attack. An abbreviated copy of version 5.0 of the controls can be found at the bottom of this page.


History of the top 20 controls

As IT security threats developed alongside technological advances, so too did frameworks for protecting networks and confidential data. Although often effective, such frameworks were disjointed and tended to be non-prioritized. In 2008 the Office of the Secretary of Defense (OSD) asked the National Security Agency (NSA) to help prioritize the many controls available. That same year the Center for Strategic and International Studies (CSIS) published the Top 20 Controls for the first time.

One of the earliest adopters of these controls was the U.S. Department of State, which achieved an 88% reduction in vulnerability-based risks across 85,000 systems.

CPNI top 20 critical security controls

In December of 2011, the United Kingdom’s Centre for the Protection of National Infrastructure (CPNI) announced that the government would be adopting the 20 Critical Security Controls to help secure the country’s critical infrastructure. CPNI is a government agency of the UK that focusses on protecting national security through the provision of security advice on physical, personal and cyber/information topics.

In 2013 CPNI and Tripwire founded the Council on Cybersecurity. This non-profit organization aims to “create a world in which best practice becomes common practice,” primarily through the promotion and coordination of the top 20 controls.


The top 20 controls support organizations at all levels of information security capabilities by establishing a security baseline and then providing steps to improve beyond that baseline. To do so, the recommended sub controls have been grouped into four categories dependent on criticality and effort to fix: quick wins, improved visibility and attribution, configuration and improved information security hygiene, and advanced.

  • Quick wins. These sub controls include fundamental aspects of information security that are relatively simple to implement and can help an organization rapidly improve its security stance. Such changes generally don’t require major procedural, architectural, or technical changes to an organization’s environment. The intent of identifying quick wins is to highlight where security can be improved rapidly.
  • Improved visibility and attribution. These sub controls focus on improving the process architecture and technical capabilities of an organization so that they can monitor their networks and computer systems and better visualize their own IT operations.
  • Configuration and improved information security hygiene. These sub controls focus on protecting against poor security practices by system administrators and end-users that may leave an organization vulnerable to attack. A well-managed network is typically a much harder target for computer attackers to exploit.
  • Advanced sub controls. These sub controls go beyond the other three categories to further improve an organization’s security.

Control metrics

Each control includes a metric section that provides information regarding the specific timing and objectives associated with vital aspects of that control. Each control includes a test section with information on how organizations can evaluate their implementation of the control metric. These tests support automation wherever possible to promote reliable, scalable, and continuous measurements of adherence to the controls and related metrics.

Implementing the top 20 controls


To implement these controls you should begin by comparing all twenty control areas against your cyber security status and create a plan to integrate the controls as part of your overall security program. Many of these controls can be implemented and measured using existing tools already available at your organization. For other controls, such as CSC 4 (Continuous Vulnerability Assessment and Remediation) and CSC 6 (Application Software Security), you will need an automated method to quickly and effectively comply.

If your organization is like most large enterprises, the first step to assessing your security posture and securing your applications will be to inventory all of the applications you have. At Veracode we offer a powerful service to do so quickly and effectively with Web Application Perimeter Monitoring. Once discovered, these applications must be scanned for vulnerabilities. Using our Static Analysis and Dynamic Analysis technologies, CISOs are saving their organizations time and money over MPT strategies while greatly increasing the number of applications that they are able to test.

Top 20 Controls

Below are the CPNI Top 20 Security controls from version 5.0 of the controls which can be found at Included are the risks as well as the sub controls. All sub controls are grouped into their respective categories.
