Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-3-4 – The cybersecurity policies and procedures must be reviewed periodically according to planned intervals or upon changes to related laws and regulations. Changes and reviews must be approved and documented.
Understanding the Requirement
This control—part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework—requires that an organization keeps its cybersecurity policies and procedures up to date by running regular, planned reviews and by updating them whenever relevant laws or regulations change. Reviews and any subsequent changes must be captured in documented evidence and formally approved by an authorized leader. For an SMB, this means establishing a repeatable schedule, defining triggers for out‑of‑cycle reviews (for example, new regulation or major incident), recording what changed and why, and obtaining sign‑off so there is a clear, auditable trail of governance.
Technical Implementation
- Establish a documented review schedule: Define review intervals (e.g., annually for policies, semi‑annually for critical procedures) in a single master policy document. Include responsible owners, review start/end dates, and required outputs (e.g., updated text, impact assessment, training needs).
- Assign clear owners and approvers: Appoint a Policy Owner (usually IT manager or compliance lead) and an Approver (CEO, COO, or designated deputy). Record these roles in the policy header and in a policy register so responsibilities are unambiguous during reviews.
- Implement a change trigger process: Create a short checklist that triggers an out‑of‑cycle review: law/regulation change, audit finding, security incident, new technology deployment, or third‑party risk change. Log triggers in a central tracker (spreadsheet, ticketing system, or lightweight GRC tool).
- Use version control and a change log: Keep each policy/procedure in a document repository with version numbering, change summary, author, reviewer, date, and link to approval evidence (signed PDF or archived approval email). This provides an auditable trail without heavy tooling.
- Formalize approvals and documentation: Require documented approval for each revision—email approval from the head of the organization or deputy, a signed PDF, or an approval recorded in the ticketing/GRC system. Store approvals with the policy file and update the policy register.
- Communicate and train on changes: After approval, notify affected staff and run targeted training or briefings for changed procedures. Maintain a distribution list and a short acknowledgement record from staff for critical changes.
Example in a Small or Medium Business
Acme Tech Services (a 60‑employee MSP) uses a simple but documented approach to meet this control. The CTO is the Policy Owner and the COO is the Approver; both names and contact details are in the policy register. The company schedules an annual full review each January and sets a semi‑annual check for high‑risk procedures. When the national cybersecurity regulator issued a new notification affecting incident reporting timelines, the Compliance Lead opened a “policy review” ticket and applied the change trigger checklist. The team updated the incident response procedure and added a short impact note describing why the change was required and which regulatory paragraph applied. The COO reviewed the changes, approved them by email, and the approval email was archived with the updated document. The Compliance Lead updated the version number, recorded the change in the central policy register, circulated a two‑page summary and held a 30‑minute team briefing for operations and support staff; staff confirmed receipt via an electronic acknowledgement. Six months later, during an internal audit, Acme produced the policy file, change log, and the COO’s approval email as evidence that the review and approval steps were followed.
Summary
For SMBs, meeting Control 1-3-4 is practical: set a predictable review schedule, assign owners and approvers, define triggers for out‑of‑cycle updates, and keep simple but complete documentation of revisions and approvals. Combined with basic version control and targeted communication or training, these policy and technical measures create a clear, auditable trail that demonstrates policies are current, law‑aligned, and formally approved—exactly what the control requires.