Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-10-5 – The implementation of the cybersecurity awareness program must be reviewed periodically.
Understanding the Requirement
This control requires that your cybersecurity awareness and training program is not a one-time activity but is subject to regular, documented reviews. The organization should establish a plan that sets review intervals (for example, quarterly), identifies who is responsible (the Cybersecurity function in cooperation with relevant departments such as Awareness and Training), and defines how reviews are performed—either through manual channels like email or automated channels such as a compliance management system. The goal is to confirm that training content, delivery, participation rates, and outcomes remain effective and aligned with current risks and business needs. This guidance is drawn from the Essential Cybersecurity Controls (ECC – 2 : 2024).
Technical Implementation
- Create a documented review plan: Define cadence (quarterly, semi‑annual), scope (mandatory training, phishing simulations, role-based modules), acceptance criteria, and reporting lines. Store the plan where the cybersecurity team and HR/training teams can access it.
- Assign roles and responsibilities: Designate an owner (e.g., IT security lead or compliance officer) and coordinators in HR and department heads. Make responsibilities explicit: who runs simulations, who collects completion data, who signs off on corrective actions.
- Collect measurable evidence: Track completion rates, assessment scores, phishing simulation click rates, incident reports tied to user behavior, and feedback surveys. Use a standard evidence package each review: roster of attendees, logs of automated reminders, and simulation results.
- Use simple automation where possible: If a full compliance management system is not available, use a combination of your LMS, email automation, and a shared spreadsheet or lightweight ticketing tool to schedule reviews, send reminders, and collect results. For SMBs, low-cost GRC or training platforms can automate reporting and send alerts when metrics fall below thresholds.
- Perform the review and document findings: At each interval, compare evidence against the acceptance criteria, identify gaps (low completion, outdated content, repeat phishing mistakes), and record findings in a review report that includes prioritized remediation actions and owners.
- Close the loop with remediation and revalidation: Implement changes (update content, add role-based modules, increase enforcement), then re-assess affected controls or run follow-up simulations to validate improvement before the next scheduled review.
Example in a Small or Medium Business
A 45-person consulting firm assigns the IT manager as the cybersecurity awareness owner and works with HR to produce a quarterly review plan. Every quarter, the IT manager runs a phishing simulation and pushes mandatory refresher modules through the company's LMS. Completion rates, quiz scores, and simulation click rates are exported and stored in a shared compliance spreadsheet. The IT manager reviews results against agreed thresholds (90% completion, less than 5% click rate on simulated phishing) and documents any shortfalls in a standard review report. If a department falls below thresholds, the department head is assigned remediation tasks—extra training sessions and one-on-one coaching. The review report is emailed to the COO and saved to the internal compliance folder; corrective actions are tracked in the ticketing system until closed. Over two quarters, the firm sees phishing click rates fall and documents the improvements in subsequent reviews, demonstrating the effectiveness of the process and providing audit-ready evidence if required.
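The evidence-collection and threshold-comparison steps above, and the quarterly thresholds used in the SMB scenario (90% completion, under 5% simulated-phishing click rate), as an added worked example. This script is not part of the ECC guidance and is not any LMS or simulation vendor's code: it assumes the LMS and phishing-simulation exports are CSV text with the columns shown in the constructed samples, and the department names, campaign name and employee rows are made up for illustration.

```python
"""Evaluate awareness-programme evidence against review thresholds and produce
per-department findings for the periodic review report.

Added example; assumptions: CSV export columns as in the constructed samples
below, thresholds taken from the SMB scenario in the text.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field

# Acceptance criteria from the scenario: 90% completion, under 5% click rate.
COMPLETION_THRESHOLD = 0.90
CLICK_RATE_THRESHOLD = 0.05

# Constructed sample LMS export: one row per employee per mandatory module.
LMS_EXPORT = """employee,department,module,status,score
alice,Finance,Phishing Basics,completed,92
bob,Finance,Phishing Basics,not_started,
carol,Finance,Phishing Basics,completed,78
dave,Engineering,Phishing Basics,completed,88
erin,Engineering,Phishing Basics,completed,95
frank,Engineering,Phishing Basics,completed,81
"""

# Constructed sample phishing-simulation export: one row per simulated email sent.
SIM_EXPORT = """employee,department,campaign,clicked,reported
alice,Finance,Q2-invoice,yes,no
bob,Finance,Q2-invoice,no,yes
carol,Finance,Q2-invoice,no,no
dave,Engineering,Q2-invoice,no,yes
erin,Engineering,Q2-invoice,no,yes
frank,Engineering,Q2-invoice,no,no
"""


@dataclass
class DepartmentMetrics:
    department: str
    completion_rate: float   # completed modules / assigned modules
    click_rate: float        # simulated emails clicked / emails sent
    report_rate: float       # simulated emails reported / emails sent
    findings: list = field(default_factory=list)

    def evaluate(self):
        """Compare metrics to the acceptance criteria; record each shortfall."""
        self.findings = []
        if self.completion_rate < COMPLETION_THRESHOLD:
            self.findings.append(
                f"completion {self.completion_rate:.0%} below {COMPLETION_THRESHOLD:.0%}")
        if self.click_rate >= CLICK_RATE_THRESHOLD:
            self.findings.append(
                f"phishing click rate {self.click_rate:.0%} at or above {CLICK_RATE_THRESHOLD:.0%}")
        return self.findings


def compute_metrics(lms_csv, sim_csv):
    """Aggregate the two exports into per-department metrics."""
    assigned, completed = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(io.StringIO(lms_csv)):
        assigned[row["department"]] += 1
        if row["status"] == "completed":
            completed[row["department"]] += 1

    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for row in csv.DictReader(io.StringIO(sim_csv)):
        dept = row["department"]
        sent[dept] += 1
        clicked[dept] += int(row["clicked"] == "yes")
        reported[dept] += int(row["reported"] == "yes")

    metrics = {}
    for dept in sorted(set(assigned) | set(sent)):
        metrics[dept] = DepartmentMetrics(
            department=dept,
            completion_rate=completed[dept] / assigned[dept] if assigned[dept] else 0.0,
            click_rate=clicked[dept] / sent[dept] if sent[dept] else 0.0,
            report_rate=reported[dept] / sent[dept] if sent[dept] else 0.0,
        )
        metrics[dept].evaluate()
    return metrics


def review_report(metrics):
    """Build the review outcome: overall pass/fail and remediation owners.

    Departments with findings are the ones whose head is assigned remediation
    tasks, matching the scenario in the text.
    """
    remediation = {d: m.findings for d, m in metrics.items() if m.findings}
    return {"pass": not remediation, "remediation": remediation}


if __name__ == "__main__":
    results = compute_metrics(LMS_EXPORT, SIM_EXPORT)
    for dept, m in results.items():
        status = "OK" if not m.findings else "; ".join(m.findings)
        print(f"{dept:12} completion={m.completion_rate:.0%} click={m.click_rate:.0%} "
              f"reported={m.report_rate:.0%}  {status}")
    print("Review result:", review_report(results))
```

In a real review the two constants would come from the documented review plan, and the printed lines would be pasted into the standard review report alongside the raw exports as evidence; the report rate is tracked as a positive signal even though the scenario sets no threshold for it.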
Summary
Periodic review of the cybersecurity awareness program combines clear policy (a documented review plan and assigned owners) with technical measures (measurable training delivery, automated tracking, and evidence collection). For SMBs, a lightweight combination of an LMS, simple automation, and a standard review checklist delivers strong results: regular assessment identifies gaps, remediation closes them, and documented evidence demonstrates ongoing effectiveness and management oversight required by the control.