The Consensus Security Audit Guidelines

Under the leadership of John Gilligan, who had by then retired from the Air Force CIO role, the CIO Institute convened experts from the NSA, DHS, AF-OSI, FBI, U.S. Nuclear Weapons Labs and other organizations with deep knowledge of attack techniques.

The group reached consensus on the 20 most critical controls that auditors should test in every security audit. Those controls later became the SANS Top 20 Critical Security Controls and have since been updated as the CIS Critical Security Controls, which most organizations use as the core guidelines for prioritizing cybersecurity spending.