Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-4-2 – The cybersecurity roles and responsibilities must be reviewed periodically according to planned intervals or upon changes to related laws and regulations.
Understanding the Requirement
This control requires organizations to keep their cybersecurity role definitions and assigned responsibilities current by performing scheduled reviews (for example, annually) and by re-assessing them whenever relevant laws, regulations, or external obligations change. The intent is to ensure that role descriptions, decision authority, reporting lines, and required competencies reflect the organization’s legal obligations and operational reality so accountability and compliance are maintained.
Technical Implementation
- Create a documented review plan: Define and approve a review schedule (e.g., annual or biannual) that names an owner (security lead, HR partner, or compliance officer) and specifies artifacts to review—job descriptions, access matrices, approval authorities, and contact lists. Keep the plan under version control.
- Use trigger-based reviews for legal or regulatory change: Assign a regulatory-watch owner (legal or compliance) to monitor for new laws or guidance. Define a workflow so that when a change is identified, an expedited review is initiated and completed within a defined timeframe (e.g., 30–60 days).
- Maintain a single source of truth for roles and responsibilities: Store role descriptions, responsibility matrices (RACI), and approval records in a central, access-controlled repository (HRIS, intranet, or a secure document management system) with audit logging to show when items were changed and by whom.
- Standardize review checklists and evidence: Use a checklist to verify elements such as authority levels, required certifications, segregation of duties, access privileges, and training requirements. Require sign-off from the assigned representative (security lead or executive sponsor) and retain the signed record as evidence.
- Integrate reviews into HR and change processes: Tie role reviews to hiring, reorganizations, and access provisioning/termination procedures. When someone’s job changes, trigger an immediate review of cybersecurity responsibilities and access adjustments to prevent gaps or privilege creep.
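The scheduled and trigger-based reviews above can be checked mechanically from the central repository. The following Python script is an added example (not part of the ECC text or any vendor tool): it audits a constructed role register and regulatory-change log for overdue periodic reviews, missing sign-off evidence, and expedited reviews that missed their 60-day window. The data, role names and field names are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample role register and regulatory-change log (hypothetical data,
# modelled on the Acme Design Co. example, not taken from any real system).
ROLE_REGISTER = [
    {"role": "IT manager (cybersecurity roles owner)",
     "last_reviewed": "2024-01-15", "signed_off_by": "COO"},
    {"role": "Operations lead",
     "last_reviewed": "2023-01-10", "signed_off_by": "COO"},
    {"role": "HR lead",
     "last_reviewed": "2024-01-15", "signed_off_by": None},
]
REGULATORY_TRIGGERS = [
    {"change": "national privacy regulation (retention, breach notification)",
     "identified": "2024-03-01", "affects": ["Operations lead"],
     "review_completed": None},
    {"change": "sector guidance on incident reporting",
     "identified": "2024-04-15", "affects": ["HR lead"],
     "review_completed": "2024-05-20"},
]


def review_findings(register, triggers, today, interval_days=365, trigger_sla_days=60):
    """Return (role, finding) pairs for every gap in the review evidence.

    interval_days    - planned periodic review interval (annual by default)
    trigger_sla_days - window for an expedited review after a regulatory change
    """
    as_of = date.fromisoformat(today)
    findings = []
    for r in register:
        last = date.fromisoformat(r["last_reviewed"])
        if as_of - last > timedelta(days=interval_days):
            findings.append((r["role"], "periodic review overdue"))
        if not r.get("signed_off_by"):  # a review without sign-off is not evidence
            findings.append((r["role"], "no sign-off evidence"))
    for t in triggers:
        deadline = date.fromisoformat(t["identified"]) + timedelta(days=trigger_sla_days)
        done = t["review_completed"]
        if done is None and as_of > deadline:
            status = f"expedited review overdue (deadline {deadline.isoformat()})"
        elif done is not None and date.fromisoformat(done) > deadline:
            status = f"expedited review completed late (deadline {deadline.isoformat()})"
        else:
            continue
        for role in t["affects"]:
            findings.append((role, status))
    return findings


if __name__ == "__main__":
    for role, finding in review_findings(ROLE_REGISTER, REGULATORY_TRIGGERS, "2024-06-01"):
        print(f"{role}: {finding}")
```

Run it on a schedule against the real repository export and treat a non-empty result as an audit finding to track to closure.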
Example in a Small or Medium Business
Acme Design Co., a 75-person SMB, appoints the IT manager as the cybersecurity roles owner and documents an annual review schedule approved by the COO. They keep role descriptions and a simple RACI matrix in the company intranet and require the IT manager and HR lead to review them each January. When a new national privacy regulation is published that affects data retention and breach notification timelines, the legal advisor flags the change and the expedited review is triggered. The IT manager updates affected role responsibilities (adding new reporting and incident notification duties for the operations lead) and revises access rules where necessary. Changes are recorded in the intranet document version history and signed off by the COO. As a follow-up, HR updates job postings and conducts a short training session for staff whose responsibilities changed, and the IT manager saves the training attendance as evidence for future audits.
Summary
Implementing this control combines a clear, documented review policy with practical technical steps: a central repository for role documentation, scheduled and trigger-based reviews, checklists for consistency, and an approval/sign-off process. For SMBs, these measures keep responsibilities aligned with legal requirements and operational changes, reduce gaps in accountability, and provide verifiable evidence that roles and responsibilities are periodically reviewed and updated when laws or business conditions change.