
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-3

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-3

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-3 – The cybersecurity policies and procedures must be supported by technical security standards (e.g., operating systems, databases and firewall technical security standards).

Understanding the Requirement

This control, part of the Essential Cybersecurity Controls (ECC – 2 : 2024), requires that high-level policies and procedures are backed up by concrete, measurable technical standards. In practice that means writing and maintaining baseline configurations, hardening guides, and technical rules for the specific technologies you use (servers, endpoints, databases, firewalls, BYOD, and development platforms). These standards give IT staff a clear set of actions to implement policy goals and provide a repeatable way to enforce security across the environment.

Technical Implementation

  • Inventory and classify assets, then map standards to asset types. Start with a compact inventory (servers, workstations, network devices, databases, cloud services, developer systems, and BYOD). For each asset category create a corresponding technical standard (e.g., Windows Server hardening, Linux server baseline, MySQL/Postgres hardening, firewall rule template, mobile OS configuration). Keep the first iteration focused on the assets that process sensitive data.

  • Create concise, approved technical standards and ownership. Use templates that include purpose, scope, required settings, allowed exceptions, implementation steps, and rollback instructions. Ensure each standard is approved by the IT manager and a business owner so it has clear accountability and is formally part of the change control process.

  • Use established baselines and community resources to reduce effort. Adopt or adapt vetted hardening guides (for example, CIS Benchmarks, vendor hardening guides) and translate them into your standards with only the controls you need. This saves time and ensures alignment with industry best practices.

  • Operationalize standards with automation and tooling. Apply standards through configuration management (Ansible, Puppet, PowerShell DSC), patch-management systems, firewall templates, or cloud IaC modules. For SMBs with limited staff, use lightweight automation (scripts, standardized golden images, managed endpoint tools) to enforce baselines and reduce manual drift.

  • Communicate, train, and monitor. Publish standards to the IT team, include the key requirements in onboarding and runbooks, and require sign-off for exceptions. Implement periodic technical checks: configuration scans, vulnerability scans, firewall rule reviews, and scheduled audits to confirm standards are applied.

  • Measure and iterate. Maintain a simple compliance register showing which assets comply, which have approved exceptions, and remediation status. Use this register in monthly reviews and when planning budget/patch cycles to keep standards current.

Example in a Small or Medium Business

A 30-person financial advisory firm starts by listing all IT assets and identifies that Windows workstations, two Linux application servers, a managed firewall, and a cloud-hosted PostgreSQL database are in scope. The IT lead drafts short technical standards: a Windows endpoint baseline (password policy, disk encryption, AV, firewall), a Linux server hardening checklist (SSH configuration, package updates, minimal services), a firewall rule template, and a database access and encryption standard. Each standard is reviewed and approved by the operations manager and a compliance owner. The team creates one golden VM image for endpoints and Ansible playbooks to apply server settings; the managed firewall is configured using the rule template and documented in change control. They communicate the standards to the whole staff, require BYOD devices to meet the mobile OS standard before connecting, and schedule monthly scans to detect configuration drift. When a developer requests an exception for a test server, the IT lead documents the exception with an expiration date and compensating controls. Over the next quarter the firm uses scan reports and the compliance register to close gaps and refine the standards based on real-world operational needs.
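The steps above (map a standard to an asset type, apply it, run periodic checks, track results and exceptions in a compliance register) and the firm's monthly drift scans and expiring exception in the example can be shown end to end in a short script. This is an added example, not code from the article or from any tool it names. It assumes a constructed Linux server SSH standard (the required sshd_config values are illustrative), constructed sshd_config text "collected" from three hosts, and constructed exception records; the register logic is a minimal model of what a configuration-scanning tool or a spreadsheet would hold.

```python
"""Check sshd_config files against a technical standard and keep a compliance register."""
from dataclasses import dataclass
from datetime import date

# Constructed technical standard (assumption: an SMB's Linux server SSH baseline;
# the values are illustrative, not taken from the article).
SSH_STANDARD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text):
    """Return {lower-cased keyword: value} for the global section of an sshd_config.
    OpenSSH honours the first occurrence of a keyword, and everything after a Match
    line is conditional, so we keep the first value seen and stop at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_against_standard(settings, standard=SSH_STANDARD):
    """Findings as (keyword, required, actual) for each required setting that is
    missing or differs. A missing keyword means the OpenSSH default applies, which
    the standard does not accept, so it is reported with actual=None."""
    findings = []
    for key, required in standard.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != required.lower():
            findings.append((key, required, actual))
    return findings


@dataclass(frozen=True)
class ApprovedException:
    asset: str
    keyword: str
    expires: date
    compensating_control: str


@dataclass
class RegisterEntry:
    asset: str
    status: str            # "compliant", "exception" or "non-compliant"
    open_findings: list    # findings not covered by an unexpired exception
    notes: list            # e.g. exceptions that have lapsed and need renewal or remediation


def build_register(scans, exceptions, today, standard=SSH_STANDARD):
    """scans: {asset name: sshd_config text}. One entry per asset; only exceptions
    whose expiration date has not passed count as cover for a finding."""
    register = []
    for asset, text in scans.items():
        findings = check_against_standard(parse_sshd_config(text), standard)
        active = {e.keyword for e in exceptions if e.asset == asset and e.expires >= today}
        expired = [e for e in exceptions if e.asset == asset and e.expires < today]
        open_findings = [f for f in findings if f[0] not in active]
        notes = [f"exception for {e.keyword} expired on {e.expires.isoformat()}" for e in expired]
        status = "compliant" if not findings else ("exception" if not open_findings else "non-compliant")
        register.append(RegisterEntry(asset, status, open_findings, notes))
    return register


# Constructed sample scan output (sshd_config text from three hypothetical hosts).
SAMPLE_SCANS = {
    "app-server-1": """
# hardened per Linux server baseline
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
""",
    "app-server-2": """
PermitRootLogin no
PasswordAuthentication yes   # legacy integration, see exception register
X11Forwarding no
MaxAuthTries 4
""",
    "test-server": """
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
""",
}

# Constructed exception records: each has an owner-approved expiry and a compensating control.
SAMPLE_EXCEPTIONS = [
    ApprovedException("app-server-2", "PasswordAuthentication", date(2026, 6, 30),
                      "SSH reachable only from the office firewall's allowlisted range"),
    ApprovedException("test-server", "PermitRootLogin", date(2025, 12, 31),
                      "host isolated on the test VLAN"),
]


def run_sample(today="2026-01-17"):
    """Build the register for the sample data as of `today` (ISO date string)
    and return {asset: status} for the monthly review."""
    register = build_register(SAMPLE_SCANS, SAMPLE_EXCEPTIONS, date.fromisoformat(today))
    for entry in register:
        print(f"{entry.asset:14} {entry.status:14} open={entry.open_findings} notes={entry.notes}")
    return {e.asset: e.status for e in register}


if __name__ == "__main__":
    run_sample()
```

Run as-is it reports app-server-1 compliant (the conditional `Match` block is correctly ignored), app-server-2 under an active exception, and test-server non-compliant because its exception lapsed and X11Forwarding is not set at all. Re-running with a later date (for example `run_sample("2026-07-01")`) flips app-server-2 to non-compliant, which is the check that keeps "temporary" exceptions from becoming permanent.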

Summary

Translating policy into technical standards gives SMBs a repeatable, enforceable way to secure systems: asset mapping, concise baselines, approved ownership, automation to apply controls, and periodic checks close the gap between intent and practice. Together, the documented standards and the operational controls (automation, monitoring, and exception management) demonstrate that policies are actively implemented and maintained, which fulfils the requirement to support policies and procedures with technical security standards.
