Consensus Audit Guidelines (CAG) applies the old 80%/20% rule to cybersecurity best practices by focusing on 20 high priority security controls. CAG may not be as comprehensive as other security models and it is certainly no panacea, but given its focus, it is a great way for overwhelmed CISOs to rationalize their security efforts and concentrate on high priority risks. In the future, the list of 20 CAG controls will grow to accommodate new threats thus keeping CAG up to date.”]
Source: https://www.csoonline.com/article/2231386/consider-the-consensus-audit-guidelines–cag-.html