
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-1 – Cybersecurity risk management methodology and procedures must be defined, documented and approved as per confidentiality, integrity and availability considerations of information and technology assets.

Understanding the Requirement

This control requires an organization to establish a documented cybersecurity risk management methodology and supporting procedures that are aligned to the confidentiality, integrity and availability (CIA) needs of its information and technology assets. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the expectation is that the methodology covers asset identification and valuation, risk identification, assessment of likelihood and impact, defined treatment options, and ongoing monitoring — all approved and supported by executive management.

Technical Implementation

  • Scope and governance: Appoint a risk owner (often the IT manager or a senior operations lead) and obtain an executive sponsor. Document the risk management scope (systems, data types, processes) and who approves changes. Keep the governance simple for an SMB: one charter page that names roles, decision authority, and review frequency.

  • Asset inventory and classification: Build a concise inventory of hardware, software, cloud services, and data stores. For each asset capture owner, business function, and a CIA classification (e.g., High/Medium/Low for confidentiality, integrity, availability). Use a spreadsheet or lightweight CMDB; include monetary or operational value where possible to support impact calculations.

  • Risk identification and register: Run short workshops with IT, operations and a business representative to identify threats and vulnerabilities to each critical asset (e.g., ransomware, credential theft, data leakage). Enter findings into a simple risk register that includes risk description, asset, cause, existing controls and initial assessment fields.

  • Risk assessment method: Adopt a clear likelihood × impact matrix. Define qualitative or semi-quantitative scales (e.g., Likelihood: Rare–Almost Certain; Impact: Minor–Severe) and map them to a risk rating (Low/Medium/High). Provide examples in the procedure so assessors apply scales consistently.

  • Risk response and acceptance criteria: For each rated risk, document the chosen response: mitigate (apply controls), transfer (insurance/third party), accept (with documented rationale and owner) or avoid. Specify minimum treatment timelines for High risks and who must approve accepted risks (usually the executive sponsor).

  • Monitoring and continuous update: Establish a schedule for risk reviews (quarterly for high-risk items, biannually for others). After treatment actions, update the risk register with post-treatment ratings. Include trigger-based reviews (e.g., after a security incident, major change, or new regulation).

  • Documentation and approvals: Keep a concise methodology document that references templates (asset register, risk register, assessment worksheet). Have the executive sponsor formally approve the methodology and any significant changes; record approvals in the document history.
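The steps above can be exercised end to end with a small risk-register helper. The following is an added example written for this guide, not a tool from the ECC or from any vendor: the likelihood and impact scales follow the procedure's wording (Rare to Almost Certain, Minor to Severe), while the numeric rating bands, the 30-day treatment deadline for High risks, the `Asset`/`Risk` fields and the sample register entries are constructed assumptions that an SMB would replace with the values in its own approved methodology.

```python
"""Added example: minimal risk-register helper for ECC 1-5-1 (illustrative, not ECC code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Qualitative scales from the procedure (Rare .. Almost Certain, Minor .. Severe)
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Minor": 1, "Moderate": 2, "Significant": 3, "Major": 4, "Severe": 5}

# Review cadence stated in the control: quarterly for High, biannually for the rest
REVIEW_DAYS = {"High": 90, "Medium": 182, "Low": 182}
HIGH_TREATMENT_DAYS = 30  # assumed minimum treatment timeline for High risks
VALID_RESPONSES = {"mitigate", "transfer", "accept", "avoid"}


def rating(score: int) -> str:
    """Map the 1..25 likelihood x impact product to a band (assumed thresholds)."""
    if score >= 12:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Asset:
    name: str
    owner: str
    confidentiality: str  # High / Medium / Low
    integrity: str
    availability: str


@dataclass
class Risk:
    description: str
    asset: Asset
    likelihood: str
    impact: str
    existing_controls: str
    response: str          # mitigate / transfer / accept / avoid
    response_owner: str
    accepted_by: Optional[str] = None  # mandatory when response == "accept"


def score(likelihood: str, impact: str) -> int:
    """Multiply the scale values; reject anything outside the defined scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"undefined scale value: {likelihood!r} / {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def validate(risk: Risk) -> list:
    """Return methodology violations for one register entry (empty list means OK)."""
    problems = []
    if risk.response not in VALID_RESPONSES:
        problems.append(f"unknown response '{risk.response}'")
    if risk.response == "accept" and not risk.accepted_by:
        problems.append("accepted risk has no documented approver")
    return problems


def assess(risk: Risk, assessed_on: date) -> dict:
    """Score one risk and derive its treatment deadline and next review date."""
    s = score(risk.likelihood, risk.impact)
    r = rating(s)
    deadline = None
    if r == "High" and risk.response == "mitigate":
        deadline = assessed_on + timedelta(days=HIGH_TREATMENT_DAYS)
    return {
        "asset": risk.asset.name,
        "risk": risk.description,
        "score": s,
        "rating": r,
        "response": risk.response,
        "owner": risk.response_owner,
        "treatment_deadline": deadline,
        "next_review": assessed_on + timedelta(days=REVIEW_DAYS[r]),
        "issues": validate(risk),
    }


def summarize(register: list) -> dict:
    """Count register entries per rating band for the executive summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for entry in register:
        counts[entry["rating"]] += 1
    return counts


def build_register(assessed_on: date = date(2026, 1, 17)) -> list:
    """Constructed sample register for a small firm (not real data)."""
    server = Asset("File server", "IT lead", "High", "High", "High")
    cloud = Asset("Cloud accounts", "IT lead", "High", "High", "Medium")
    laptops = Asset("Staff laptops", "Operations", "Medium", "Low", "Low")
    crm = Asset("Customer database", "Operations", "High", "Medium", "Medium")
    risks = [
        Risk("Unpatched internet-facing service", server, "Likely", "Major",
             "monthly patching", "mitigate", "IT lead"),
        Risk("Credential theft via phishing", cloud, "Possible", "Severe",
             "password policy", "mitigate", "IT lead"),
        Risk("Laptop lost in transit", laptops, "Unlikely", "Moderate",
             "full-disk encryption", "transfer", "Operations"),
        # Acceptance recorded without an approver: validate() flags this entry
        Risk("Accidental data disclosure by e-mail", crm, "Possible", "Moderate",
             "staff awareness training", "accept", "Operations"),
    ]
    return [assess(r, assessed_on) for r in risks]


if __name__ == "__main__":
    register = build_register()
    for entry in register:
        print(entry)
    print(summarize(register))
```

Running the script prints each assessed entry and the per-band counts. The point to notice is the last entry: the acceptance rule from the "Risk response and acceptance criteria" step is enforced in code, so an accepted risk with no named approver shows up in `issues` instead of silently passing, and High risks under mitigation get a dated treatment deadline that can be linked to a ticket.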


Example in a Small or Medium Business

A 40-person professional services firm implemented this control by starting with a two-hour workshop with their IT lead, head of operations and a finance representative to agree the scope and appoint the IT lead as the risk owner and the COO as executive sponsor. They created a simple asset register that listed servers, cloud accounts, customer databases and laptops, and applied a High/Medium/Low confidentiality, integrity, availability classification to each. Using a one-page assessment template, they identified risks such as lost credentials, unpatched servers and accidental data disclosure, then scored each risk with a defined likelihood/impact matrix. For the High risks (unpatched servers and credential theft) they documented mitigation steps, timelines and owners; for Medium risks they set acceptance or lower-priority treatments. The COO formally approved the methodology and the initial risk register, which was stored on the company intranet. The firm scheduled quarterly reviews, linked treatment items to ticketing tasks, and updated the register after a phishing attempt found during a staff training exercise, demonstrating the monitoring loop in action.

Summary

For SMBs, meeting Control 1-5-1 means implementing a compact, documented risk methodology that covers asset identification, risk identification and assessment, defined treatment options, and ongoing monitoring, with formal executive approval and clear ownership. Keeping templates lightweight, using a simple risk matrix, and tying remediation to operational tasks makes the process practical and sustainable while ensuring confidentiality, integrity and availability considerations drive decision-making.
