
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-1 – Cybersecurity policies and procedures must be defined and documented by the cybersecurity function, approved by the Authorizing Official, and disseminated to relevant parties inside and outside the organization.

Understanding the Requirement

This control requires a clear, documented set of cybersecurity policies and procedures created by the organization’s cybersecurity function, formally approved by the designated Authorizing Official per the organization’s authority matrix, and actively communicated to all relevant internal teams and external stakeholders. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the focus is practical: define who owns a policy, what it requires, how it will be enforced, and make sure people who need to know actually receive and acknowledge it. For SMBs that means simple, authoritative documents plus an explicit approval and distribution process so the policies are enforceable and auditable.

Technical Implementation

  • Create a small, modular policy set and templates. Start with core policies (Acceptable Use, Access Control, Incident Response, Data Handling, Remote Work) and use a consistent template that includes scope, responsibilities, approval authority, review cadence, and effective date. Keep each policy short (1–3 pages) and link to more detailed procedures or checklists for technical teams.
  • Define roles and the approval workflow using your authority matrix. Document who is the Authorizing Official for each policy (e.g., COO for business policies, CIO for IT policies). Build an approval step in your simple workflow (draft → cybersecurity review → legal review if required → Authorizing Official sign-off → publish) and store approvals as records (signed PDFs or ticket comments).
  • Publish and distribute via approved channels. Use your intranet, company-wide email, and an accessible policy repository (shared drive or simple governance portal). For external stakeholders (vendors, major customers), include policy summaries or relevant clauses in vendor onboarding packets and contracts. Record distribution dates and recipients.
  • Track acknowledgment and training. Require employees to acknowledge key policies during onboarding and at annual refreshes using your HR system or a lightweight learning-management tool. Keep logs of acknowledgments and tie policy awareness to role-specific training (e.g., phishing training after Acceptable Use updates).
  • Implement version control and scheduled reviews. Use a versioned document repository and include a review date in each policy. Assign owners responsible for annual or event-driven updates (post-incident, regulatory change). Maintain a changelog and archive superseded versions for auditability.
  • Integrate technical controls with documented procedures. Link policies to concrete technical procedures—e.g., the Access Control policy references how account provisioning is done in Active Directory, which systems enforce MFA, and who approves elevated privileges—so that auditors can follow policy → procedure → technical evidence.
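
The approval, distribution and acknowledgment chain described in the bullets above is the evidence an assessor will ask for. The following Python script is an added example, not code from the original page or from any product it mentions: it models a minimal policy register (hypothetical `Policy` and `Approval` records with constructed names, dates and ticket references) and reports the gaps this control is concerned with: a current version with no sign-off from the role the authority matrix names, a policy published without or before approval, staff whose acknowledgment predates the current version, and reviews past their due date.

```python
"""Policy register audit (constructed example, not part of the original page).

Models the approval -> publish -> acknowledge chain for ECC 1-3-1 and reports
the gaps an assessor would ask about. All names, dates, ticket references and
policies below are constructed sample data, not a real organisation's records.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Approval:
    official: str      # role that signed, e.g. "COO" per the authority matrix
    signed_on: date
    record: str        # where the evidence lives (signed PDF path, ticket id)


@dataclass
class Policy:
    name: str
    version: str
    owner: str                          # accountable for reviews and updates
    authorizing_official: str           # role that must sign per the authority matrix
    effective: date
    review_every_days: int
    approvals: Dict[str, Approval] = field(default_factory=dict)    # version -> approval
    distributed_on: Optional[date] = None                            # when it was published
    acknowledgments: Dict[str, date] = field(default_factory=dict)  # person -> date acknowledged


def audit_policy(policy: Policy, staff: List[str], today: date) -> List[str]:
    """Return findings for one policy; an empty list means the chain is complete."""
    findings = []
    tag = f"{policy.name} v{policy.version}"
    approval = policy.approvals.get(policy.version)
    if approval is None:
        findings.append(f"{tag}: no approval record for current version")
    elif approval.official != policy.authorizing_official:
        findings.append(f"{tag}: signed by {approval.official}, "
                        f"authority matrix requires {policy.authorizing_official}")
    if policy.distributed_on is None:
        findings.append(f"{tag}: not distributed")
    elif approval is not None and policy.distributed_on < approval.signed_on:
        findings.append(f"{tag}: distributed before approval")
    # An acknowledgment only counts if it was given on or after the current version's effective date.
    stale = [p for p in staff
             if policy.acknowledgments.get(p) is None or policy.acknowledgments[p] < policy.effective]
    if stale:
        findings.append(f"{tag}: unacknowledged by {', '.join(sorted(stale))}")
    if policy.effective + timedelta(days=policy.review_every_days) < today:
        findings.append(f"{tag}: review overdue (owner {policy.owner})")
    return findings


def audit_register(policies: List[Policy], staff: List[str], today: date) -> Dict[str, List[str]]:
    """Audit every policy in the register; maps policy name to its findings."""
    return {p.name: audit_policy(p, staff, today) for p in policies}


# Constructed sample register for a small firm whose authority matrix names the COO.
STAFF = ["alice", "bob", "carol"]
TODAY = date(2026, 1, 17)

SAMPLE_POLICIES = [
    Policy(name="Acceptable Use", version="2.0", owner="IT lead", authorizing_official="COO",
           effective=date(2025, 9, 1), review_every_days=365,
           approvals={"2.0": Approval("COO", date(2025, 8, 25), "signed-pdf/aup-2.0.pdf")},
           distributed_on=date(2025, 9, 1),
           acknowledgments={"alice": date(2025, 9, 2), "bob": date(2025, 9, 3), "carol": date(2025, 9, 2)}),
    # Updated after an incident, but the new version was never re-approved and two
    # acknowledgments predate the new effective date, so they no longer count.
    Policy(name="Incident Response", version="1.1", owner="IT lead", authorizing_official="COO",
           effective=date(2025, 12, 1), review_every_days=365,
           approvals={"1.0": Approval("COO", date(2025, 1, 10), "ticket GOV-12")},
           distributed_on=date(2025, 12, 1),
           acknowledgments={"alice": date(2025, 1, 15), "bob": date(2025, 1, 15), "carol": date(2025, 12, 2)}),
    # Signed by the wrong role, never published, never acknowledged, and past its review date.
    Policy(name="Data Classification", version="1.0", owner="IT lead", authorizing_official="COO",
           effective=date(2024, 11, 1), review_every_days=365,
           approvals={"1.0": Approval("CIO", date(2024, 10, 28), "ticket GOV-3")},
           distributed_on=None, acknowledgments={}),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_POLICIES, STAFF, TODAY).items():
        print(name, "->", findings or ["OK"])
```

Run as-is it prints no findings for Acceptable Use, two for Incident Response (missing approval for v1.1, stale acknowledgments from alice and bob) and four for Data Classification. The same structure maps directly onto a ticketing system or HR export: the approval record, distribution date and acknowledgment dates are exactly the fields to keep so that policy → approval → distribution → acknowledgment can be shown end to end.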

Example in a Small or Medium Business

A 60-person regional accounting firm appoints the head of IT as the cybersecurity function and the COO as the Authorizing Official per their authority matrix. The IT lead drafts a concise set of policies: Acceptable Use, Access Control, Data Classification, and Incident Response. Each policy uses the firm's template with clearly named owners, approval blocks, and a one-page summary for non-technical staff. The COO reviews and signs the policies, and the IT lead publishes them on the company intranet, emails summaries to all employees, and uploads signed copies to the HR folder for retention. New hires must complete a short policy acknowledgment during onboarding; current staff receive an annual email requiring e-acknowledgment. The firm also provides role-based guidance to staff handling client data and sends a policy summary to their top three managed-client accounts to demonstrate controls. After a phishing incident, the policy owners update the Incident Response procedure and record the change, demonstrating the approval and dissemination steps have been followed and logged.

Summary

For SMBs, meeting Control 1-3-1 means producing clear, concise policies owned by the cybersecurity function, obtaining formal approval from the designated Authorizing Official, and ensuring those policies reach the right people both inside and outside the organization. Combining simple governance (authority matrix and approval workflow), practical publishing and acknowledgment mechanisms, and links from policy to concrete technical procedures creates an auditable, maintainable program that both enforces and demonstrates compliance with the control.
