Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-3 – The cybersecurity strategy must be reviewed periodically according to planned intervals or upon changes to related laws and regulations.
Understanding the Requirement
This control requires organizations to maintain a documented, approved review plan that ensures the cybersecurity strategy is revisited on a regular schedule and any time relevant laws, regulations, or material aspects of the organization change. For an SMB, that means defining who is responsible, setting review intervals that fit the business risk profile, and committing to re-evaluate the strategy promptly when regulatory requirements or the organization's structure, services, or risk exposure change.
Technical Implementation
- Appoint a cybersecurity strategy owner and approval authority — typically the IT manager or a designated security representative for SMBs — who is responsible for maintaining the review plan, scheduling reviews, and obtaining documented approval from senior management or the business owner.
- Document a review plan with clear intervals and triggers. Define at least one recurring interval (for example, an annual review as a minimum; quarterly or semi-annual if you face higher risk) and explicit triggers: changes to laws/regulations, major organizational changes (mergers, new product lines, major cloud migrations), or significant incidents.
- Integrate regulatory and legal monitoring. Assign responsibility for tracking relevant legal or regulatory updates (e.g., data protection, sector-specific cybersecurity rules). Use simple feeds or email alerts from regulators, trade associations, or a legal adviser, and record alerts in a change log so that they trigger an out-of-cycle strategy review when needed.
- Use simple tools for version control and approval evidence. Keep strategy documents in a controlled repository (a shared drive with versioning, a cloud document management system with audit logs, or a lightweight ticketing system). Each review should create a new version, record review notes, and include sign-off from the designated approver.
- Map review activities to risk and operations. Each review should re-evaluate risk assessments, critical assets, supplier changes, and control effectiveness. Include a short checklist to validate whether existing controls still meet business needs and regulatory obligations, and a prioritized action plan for updates.
- Automate scheduling and reminders, and maintain evidence of action. Put recurring calendar events, task assignments, and reminders into your team's workflow tool. Retain minutes, decision records, and approved changes as evidence for audits or vendor/customer inquiries.
Example in a Small or Medium Business
AcmeTech, a 65‑person managed services provider, designated their IT operations manager as the cybersecurity strategy owner and drafted a simple documented review plan. The plan required an annual full review every October and immediate reviews when laws/regulations changed or the company added a new service. The owner subscribed to the national regulator’s email updates and set a rule to flag messages containing “cybersecurity” or “data protection.” When a new sector-specific notification arrived, the owner opened a change ticket, ran a one-week rapid review with the CTO and compliance lead, updated the strategy to reflect the new requirements, and logged the changes in the document repository. The updated strategy was circulated to the CEO for approval and stored with version metadata and sign-off screenshots. Following the review, AcmeTech updated staff training materials and a couple of operational procedures; these updates were tracked as part of the same change record so evidence could be provided to customers and during supplier assessments.
Summary
By creating a documented review plan, assigning a responsible owner, defining periodic intervals and regulatory triggers, and keeping versioned evidence and approvals, SMBs can ensure their cybersecurity strategy remains current and defensible. Practical technical measures such as automated reminders, legal monitoring, checklists tied to risk, and a controlled document repository make the reviews repeatable and auditable — meeting the control’s requirement to review the cybersecurity strategy periodically and whenever laws, regulations, or the organization change.