2016 Ranking from SANS: Top 20 Critical Security Controls

Critical controls, and the best providers for improving how you use them

The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) are an industry-leading way to answer the key security question: “How can I be prepared to stop known attacks?”

The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today’s most common attack patterns.

Download the 2016 Top Critical Security Controls to see the framework and find out how Rapid7 ranks against other security providers in monitoring and improving your implementation of these controls.

Learn more about the Top 20 Critical Security Controls

In 2008, the NSA's Information Assurance Directorate led a security community-driven effort to develop the original version of the Controls, then known as the “Consensus Audit Guidelines.” Over the following years the SANS Institute, a research and education organization for security professionals, developed the Top 20 Critical Security Controls to address the need for a risk-based approach to security. Before this, security standards and requirements frameworks were predominantly compliance-based, with little relevance to the real-world threats they were intended to address. The Controls are prioritized so that organizations can focus their security efforts where they have the greatest impact on risk posture. The Critical Security Controls are now managed by the Center for Internet Security (CIS), with continuing involvement from the security community.

SANS surveyed industry vendors in March 2016, using the Center for Internet Security (CIS) document “A Measurement Companion to the CIS Critical Security Controls (Version 6)” dated October 2015 as a baseline.

7 Steps to Successfully Implement the Top 20 Controls in Your Organization