Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-3 – The cybersecurity risk assessment procedures must be implemented at least in the following cases:
Understanding the Requirement
This control from Essential Cybersecurity Controls (ECC – 2 : 2024) requires that organizations run defined cybersecurity risk assessment procedures whenever specific events or changes occur. The control’s objectives are captured by the reference items 1-5-3-1, 1-5-3-2, 1-5-3-3 and 1-5-3-4, which together indicate that assessments must be applied when systems or services are introduced or changed, when third-party relationships are established or altered, after security incidents, and on a defined periodic schedule. In practice this means having documented triggers, a consistent assessment method, assigned responsibility, and repeatable follow-up actions so that risks are identified and mitigated promptly.
Technical Implementation
- Define explicit triggers tied to the objectives (1-5-3-1 → 1-5-3-4): Create a short list of events that automatically trigger an assessment: new systems or cloud services, significant configuration changes, onboarding or renewing third-party vendors, post-incident reviews, and scheduled annual or biannual reviews. Put these triggers in change request templates and vendor onboarding checklists so assessments occur reliably.
- Use a lightweight, repeatable assessment template: Develop a one- to two-page risk assessment template that SMB staff can complete quickly. Include asset description, data sensitivity, threat scenarios, likelihood and impact (simple 3x3 matrix), existing controls, residual risk, and recommended mitigations with owners and deadlines. Keep the language practical so non-experts can deliver assessments.
- Assign clear roles and SLAs: Designate an assessment owner (IT lead or security champion) and an approver (business owner). Set SLAs: e.g., initial assessment within 5 business days for new services, post-incident assessment within 48–72 hours, and remediation actions tracked with 30/90-day targets depending on risk level.
- Integrate assessments into existing processes and tools: Embed the assessment step into procurement, change management and incident response workflows. Use existing ticketing systems, shared drives, or a simple GRC spreadsheet to record results, risk scores, and remediation status so actions are visible to leadership.
- Apply pragmatic testing and verification: Where feasible, perform small technical checks as part of the assessment — e.g., validate secure configuration, check patch level, verify MFA, and run a quick vulnerability scan. For third-party services, require vendor security questionnaires and evidence of SOC/penetration test reports where appropriate.
- Review and update the program periodically: Schedule a program review every 6–12 months to refine triggers, adjust the template, and confirm the risk appetite. Capture lessons learned from incidents and vendor issues to improve future assessments.
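The template, 3x3 scoring matrix, trigger SLAs and remediation targets from the steps above, carried through as an added worked example in Python. This is illustrative code written for this page, not part of ECC 2:2024 or of any GRC tool. It assumes a 1-3 scale for likelihood and impact, bands the matrix products as Low (1-2), Medium (3-4) and High (6-9), takes 72 hours as the post-incident deadline from the 48–72 hour range, maps High to the 30-day and Medium to the 90-day remediation target, and applies the 5-business-day SLA to change and vendor triggers as well, which the page does not specify. The names Assessment, Mitigation and build_example are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Likelihood and impact are each rated 1 (low), 2 (medium) or 3 (high).
SCALE = (1, 2, 3)

# Assessment SLA per trigger. The new-service and incident values come from the
# SLA step; 'change' and 'vendor' reuse the 5-business-day figure (assumption),
# and 'periodic' models an annual review.
ASSESSMENT_SLA = {
    "new_service": ("business_days", 5),
    "change": ("business_days", 5),
    "vendor": ("business_days", 5),
    "incident": ("hours", 72),
    "periodic": ("days", 365),
}

# 30/90-day remediation targets by rating (the rating-to-target mapping is an
# assumption); Low items are carried to the next periodic review instead.
REMEDIATION_DAYS = {"High": 30, "Medium": 90, "Low": None}


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the 3x3 matrix: likelihood x impact (1, 2, 3, 4, 6 or 9)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must each be 1, 2 or 3")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Assumed banding of the matrix: 1-2 Low, 3-4 Medium, 6-9 High."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by whole business days, skipping Saturday and Sunday."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def assessment_due(trigger: str, raised_at: datetime) -> datetime:
    """Deadline for completing the assessment once a trigger event is raised."""
    unit, amount = ASSESSMENT_SLA[trigger]
    if unit == "business_days":
        return add_business_days(raised_at, amount)
    if unit == "hours":
        return raised_at + timedelta(hours=amount)
    return raised_at + timedelta(days=amount)


@dataclass
class Mitigation:
    action: str
    owner: str
    due: datetime | None
    done: bool = False


@dataclass
class Assessment:
    """One filled-in copy of the template. Likelihood and impact are the
    residual values, i.e. rated with the existing controls already in place."""
    asset: str
    data_sensitivity: str
    trigger: str
    threat: str
    likelihood: int
    impact: int
    existing_controls: list[str]
    assessed_at: datetime
    mitigations: list[Mitigation] = field(default_factory=list)

    @property
    def residual_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.residual_score)

    def add_mitigation(self, action: str, owner: str) -> Mitigation:
        """Attach a remediation item with the target date implied by the rating."""
        days = REMEDIATION_DAYS[self.rating]
        due = self.assessed_at + timedelta(days=days) if days is not None else None
        item = Mitigation(action, owner, due)
        self.mitigations.append(item)
        return item

    def overdue(self, now: datetime) -> list[str]:
        """Open remediation items whose target date has passed."""
        return [m.action for m in self.mitigations
                if not m.done and m.due is not None and m.due < now]


def build_example() -> Assessment:
    """Constructed assessment for a new CRM, loosely mirroring the SMB scenario."""
    a = Assessment(
        asset="CRM SaaS", data_sensitivity="client PII", trigger="new_service",
        threat="API access without MFA lets a leaked key read client records",
        likelihood=2, impact=3,
        existing_controls=["SSO for web UI", "vendor pen-test report"],
        assessed_at=datetime(2024, 3, 4, 9, 0),  # constructed date, a Monday
    )
    a.add_mitigation("Enforce MFA for API access", "IT lead")
    a.add_mitigation("Obtain written data-handling addendum", "Business owner")
    return a
```

In use, each trigger event (a change ticket, a vendor onboarding task, an incident) would create an Assessment, the due dates would be written back to the ticketing system, and overdue() would drive the remediation report shown to leadership.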
Example in a Small or Medium Business
BrightStreet Marketing is a 45-person SMB that manages client data and uses several SaaS tools. When the company decided to adopt a new CRM, the IT lead completed the risk assessment template, noting data classification, integration points, and whether the CRM supports encryption and role-based access. The procurement process required the vendor to complete a vendor security questionnaire and provide recent penetration test evidence; the assessment flagged two gaps (no enforced MFA for API access and unclear data export controls). The business owner approved the CRM only after the vendor agreed to enable MFA and provide a written data handling addendum. Two months later a third-party integration introduced an unexpected data flow; the integration triggered a post-change assessment that identified a misconfigured API key — the team rotated credentials immediately and tightened access controls. BrightStreet logs all assessments in their ticketing tool, assigns remediation owners, and runs a full review of vendor assessments every 12 months. After a minor phishing incident, they ran a post-incident assessment, updated email filtering rules, and moved some high-risk data into a more restricted repository to reduce exposure.
Summary
Implementing Control 1-5-3 means having practical, repeatable risk assessment procedures that trigger on new or changed systems, third-party relationships, incidents, and periodic reviews. For SMBs this looks like short assessment templates, clear roles and SLAs, integration with procurement and change workflows, quick technical checks, and a tracking mechanism for remediation. Together these policy and technical measures ensure risks are identified, owned, and reduced in a timely way without imposing heavy overhead on a small IT team.