Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-2 – The cybersecurity risk management methodology and procedures must be implemented by the cybersecurity function.
Understanding the Requirement
This control requires that the organisation's chosen cybersecurity risk management methodology and its associated procedures are actively put into practice by the cybersecurity function — not just documented. Concretely, that means the cybersecurity team must implement all elements of the adopted methodology, maintain a risk register to record and monitor findings, and produce and execute risk treatment or mitigation plans. This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and focuses on turning policy into repeatable operational activity so risks are discovered, tracked, and reduced on an ongoing basis.
Technical Implementation
- Assign clear ownership: Designate a named cybersecurity owner (even if part-time) responsible for operating the methodology, and define roles for risk identification, assessment, acceptance, and escalation. Document responsibilities in a one-page RACI to remove ambiguity.
- Operationalise the methodology end-to-end: Convert each step of your chosen methodology into procedures: asset inventory and classification, threat/impact analysis, likelihood scoring, risk scoring, and approval thresholds. Provide short checklists for assessors to ensure consistent application.
- Create and maintain a risk register: Use a simple spreadsheet, lightweight database, or an affordable SaaS tool to record risk ID, asset, owner, date, score, current controls, residual risk, and treatment plan. Require the cybersecurity owner to review and update the register at least quarterly and after major changes.
- Develop and action treatment plans: For each medium/high risk, define a specific treatment: mitigation (technical change), transfer (insurance/contract), accept, or avoid. Include measurable tasks, deadlines, owners, required budget, and success criteria (e.g., "reduce risk score from 16 to 6 within 90 days").
- Integrate with operational processes: Tie the risk methodology into change management, vendor onboarding, and incident response so risk findings trigger actions (for example, risk scoring above threshold blocks cloud workload deployment until controls are applied). Automate notifications from the risk register to owners and executive reporting where possible.
- Monitor, report, and improve: Establish KPIs (e.g., number of open high risks, time to closure, % of assets assessed) and a quarterly review with executive leadership. Use lessons from incidents and assessments to refine scoring criteria and procedures.
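As an added illustration (not part of the ECC guidance or of any organisation's tooling), the register, KPIs and deployment gate described above in a small Python module: each row carries the fields listed, the three KPIs are computed from the rows, and a change-management gate blocks deployment while an open High risk exists on an asset. The 5x5 likelihood x impact matrix, its thresholds and the sample entries are assumed and constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed 5x5 matrix (constructed for this example): score = likelihood x impact, each 1..5.
# 15+ is High (4x4 = 16 matches the "16 to 6" target above), 6..14 Medium, below 6 Low.
def rating(score: int) -> str:
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"

@dataclass
class Risk:                      # one row of the register, fields as listed above
    risk_id: str
    asset: str
    owner: str
    opened: date
    likelihood: int
    impact: int
    current_controls: str
    treatment: str               # mitigate / transfer / accept / avoid
    residual_score: Optional[int] = None   # recorded once the treatment is verified
    closed: Optional[date] = None

    def effective_score(self) -> int:
        # residual score counts only after treatment is verified; otherwise the inherent score
        return self.residual_score if self.residual_score is not None else self.likelihood * self.impact

def open_high_risks(register):   # KPI: number (and ids) of open High risks
    return [r.risk_id for r in register if r.closed is None and rating(r.effective_score()) == "High"]

def mean_days_to_closure(register):   # KPI: time to closure, over closed rows
    done = [(r.closed - r.opened).days for r in register if r.closed is not None]
    return sum(done) / len(done) if done else 0.0

def pct_assets_assessed(register, inventory):   # KPI: % of inventoried assets with a register entry
    return 100.0 * len({r.asset for r in register} & set(inventory)) / len(inventory)

def deployment_allowed(register, asset):
    # change-management gate: block deployment while an open High risk exists on the asset
    return not any(r.asset == asset and r.closed is None and rating(r.effective_score()) == "High"
                   for r in register)

# Constructed sample register (not real data)
REGISTER = [
    Risk("R-001", "cms", "it-manager", date(2024, 1, 8), 4, 4, "none", "mitigate"),
    Risk("R-002", "finance-accounts", "finance-lead", date(2024, 1, 8), 4, 4, "password only", "mitigate",
         residual_score=6, closed=date(2024, 3, 18)),
    Risk("R-003", "legacy-server", "it-manager", date(2024, 1, 8), 3, 5, "isolated VLAN", "avoid"),
    Risk("R-004", "shared-drive", "ops-lead", date(2024, 2, 1), 2, 3, "backups", "accept"),
]
INVENTORY = ["cms", "finance-accounts", "legacy-server", "shared-drive", "mail"]
```

With the sample rows, R-001 and R-003 remain open High risks, the one closed risk took 70 days, four of five inventoried assets have been assessed, and deployment to `cms` is blocked until its risk is treated.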
Example in a Small or Medium Business
The IT manager at a 60-person marketing agency is also the de facto cybersecurity function. She adopts the organisation's risk methodology, documents concise procedures for inventorying systems and scoring risks, and creates a risk register in a shared spreadsheet. She schedules a kickoff assessment week, surveys each team to identify critical assets (CMS, client DB, finance files), then scores threats and impacts using the agreed matrix. For three identified high risks (an exposed CMS admin panel, single-factor authentication on finance accounts, and an unsupported server), she creates treatment plans with owners, dates, and estimated costs. She implements basic technical controls: enable MFA, restrict the admin panel to approved source IPs, and migrate data off the unsupported server to a supported host. The risk register is updated weekly and presented to the business owner each month; remaining medium risks are tracked with deadlines and small budgets. Over the next quarter, two high risks are reduced to low or accepted status, and the organisation documents the changes to demonstrate active risk management to auditors and insurers.
Summary
Implementing this control means turning a written risk methodology into active, repeatable operations: assign ownership, translate methodology steps into procedures, maintain a live risk register, execute measurable treatment plans, and integrate risk activities with everyday IT processes. For SMBs this can be achieved with pragmatic, low-cost tools (spreadsheets or light SaaS), clear owners, and a cadence of reviews and reporting that ensures risks are monitored and remediated rather than left on paper. Together these policy and technical measures ensure the cybersecurity function consistently identifies, tracks, and reduces organisational cyber risk.