Introduced in 2008 in response to extreme data losses in the US, the 20 Critical Security Controls prioritizes a list of measures that are effective in improving risk posture against real-world threats.
The project was initially developed by SANS, but in 2013 the management of the Controls was transferred to the Council on CyberSecurity (the Council) and then in 2015 to the Center for Internet Security (CIS).
Derived from the most common attack patterns and vetted across government and industry bodies, the 20 Critical Controls focus on a small number of actionable controls with immediate benefits, aiming for a "must do first" philosophy. The CIS Critical Security Controls are an example of the principle of Pareto's Law whereby 80 percent of the impact comes from 20% of the effort
Controlled use of administrative privileges was increased in priority from Control 12 to Control 5 in recognition of the number of attacks exploiting overprivileged accounts.
A new control (7) was introduced for email and web browser protections in response.