Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-1 – A cybersecurity strategy must be defined, documented and approved. It must be supported by the head of the organization or his/her delegate (referred to in this document as Authorizing Official). The strategy goals must be in line with related laws and regulations.
Understanding the Requirement
This control, from Essential Cybersecurity Controls (ECC – 2 : 2024), requires an organization to create a formal cybersecurity strategy that is documented and approved by the organization's leader or an authorized delegate. The strategy must align with the organization’s strategic objectives and with applicable laws and regulations. The aim is to convert high-level business priorities into a clear cybersecurity vision, mission, strategic objectives and an implementation plan that is owned and accepted by senior management.
Technical Implementation
- Assign an Authorizing Official and form a small steering group: Identify the head of the organization or a delegated executive as the Authorizing Official, then create a cross-functional steering group (IT, operations, HR, legal/compliance, and a business owner). This group will run workshops, approve scope and sign off the final strategy.
- Run a focused strategy workshop and map to business objectives: Hold a half- to full-day workshop with the steering group to map business objectives, critical assets, regulatory obligations and risk appetite. Produce a short, prioritized list of strategic cybersecurity objectives (for example: protect customer data, ensure operational continuity, meet regulatory reporting timelines).
- Draft the strategy document with practical components: Create a concise document that includes Vision, Mission, Strategic Objectives, an Implementation Plan (milestones, owners, timelines), and a prioritized list of Projects/Initiatives. Keep it actionable: each objective should have measurable success criteria and a designated owner.
- Ensure legal and regulatory alignment: Perform a compliance mapping exercise against applicable laws and standards (privacy, sector-specific regulations) and embed required controls and reporting obligations into the strategy. Document any gaps and include remediation projects in the implementation plan.
- Use the authority matrix to obtain formal approval and budget sign-off: Follow your organization's authority matrix when seeking approval. Present the strategy to the Authorizing Official with a one-page executive summary, a risk/benefit analysis and the requested budget. Record formal approval (signed document or approved meeting minutes).
- Publish, communicate and schedule reviews: Publish the approved strategy to key stakeholders, integrate it into annual planning, and schedule periodic reviews (quarterly or biannual). Track progress via simple KPI dashboards (project status, risk reduction metrics) and update the strategy when business or regulatory requirements change.
Example in a Small or Medium Business
GreenField Manufacturing is a 75-employee SME that produces specialty components. The CEO appoints the IT manager as the Authorizing Official and convenes a steering group including operations, HR and the compliance officer. They run a half-day workshop to identify that their top priorities are protecting customer designs, minimizing production downtime, and meeting national data-protection rules. The IT manager drafts a short cybersecurity strategy including a vision statement, three strategic objectives, an implementation plan with six-month milestones, and three priority projects (backup & recovery, endpoint protection, and staff awareness training). The steering group maps each objective to applicable regulations and documents a small budget request. Using the authority matrix, the CEO formally approves the strategy in writing and allocates funding. Over the next quarter the company launches the prioritized projects, tracks progress in a one-page dashboard, and schedules a formal review at six months to adjust the plan based on results and any regulatory updates.
Summary
Defining, documenting and approving a cybersecurity strategy ensures accountability and alignment between business goals and legal requirements. For SMBs, using a short, practical strategy document (vision, mission, objectives, implementation plan and prioritized projects), a designated Authorizing Official, and a clear approval path based on the authority matrix makes the control achievable. Combined with compliance mapping, measurable milestones and scheduled reviews, these policy and technical measures provide a repeatable way to manage cybersecurity risk and demonstrate senior-management support.