These 20 critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list includes 15 controls that can be validated at least in part in an automated manner and five that must be validated manually. It is important to note that the 20 control categories are not presented in order of priority. The process of gathering these specific controls and subcontrols focused on identifying the highest priority defenses and represent a subset of controls found in other audit guidelines and documents. Each of the 20 categories is important and offers high-priority techniques for thwarting real-world attacks.