Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-6-4 – The cybersecurity requirements in project management must be reviewed periodically.
Understanding the Requirement
This control requires organizations to periodically review the cybersecurity requirements that apply to project management, ensuring they remain current, effective, and aligned with business risk. It expects a documented and approved review plan with a defined interval (for example, an annual review), and that any updates are recorded and formally approved by the head of the organization or their deputy. This guidance maps to the Essential Cybersecurity Controls (ECC – 2 : 2024) and focuses on making review cycles repeatable, auditable, and visible to senior leadership so project activities continue to meet acceptable cyber risk levels.
Technical Implementation
- Establish a documented review schedule: Create a simple policy or procedure that specifies review frequency (e.g., annually or upon major organizational change), the roles responsible, and required outputs (updated requirements, review log, approval record).
- Assign an owner and review team: Designate a project-security owner (could be the PMO lead or a security liaison) responsible for coordinating reviews, collecting input from project managers, IT, and risk owners, and preparing a change package for approval.
- Use checklists and templates: Maintain a standard checklist that maps project lifecycle stages to cybersecurity requirements (requirements capture, threat assessment, secure design, testing, deployment, and decommission). Use a template for recording findings, proposed changes, and risk impacts to keep reviews consistent.
- Integrate with project governance and change control: Require that any updates to cybersecurity requirements be processed through existing change management or PMO approval workflows and ensure final sign-off by the head of the organization or their deputy is captured in the change ticket or meeting minutes.
- Log and retain review evidence: Keep an auditable review log that includes date, participants, key findings, approved changes, and a version history of the cybersecurity requirements, so that an auditor can reconstruct what was reviewed, by whom, and what was approved. Store records in a centralized, access-controlled location and retain them for the period required by the organization's records retention policy and any applicable regulatory obligations.
- Automate reminders and risk triggers: Where possible, use calendar reminders, ticketing alerts, or simple GRC tools to trigger the scheduled review and to open an additional, out-of-cycle review after risk events (security incidents, regulatory changes, mergers, or major projects). Treat a missed or overdue review as a finding in its own right, not just an administrative slip.
Example in a Small or Medium Business
Acme Tech, a 75-person managed services provider, formalized project cybersecurity reviews as part of its PMO practice. The PMO owner created a one-page procedure that required an annual review of project cybersecurity requirements and an immediate review whenever a new service line or major regulation change occurred. Each review used a standard checklist mapping requirements to project stages, and the security liaison gathered input from project managers, operations, and the external compliance consultant. Proposed updates were documented in a change form, the expected risk impact noted, and the PMO lead presented the package to the managing director for approval. The managing director—or their deputy if unavailable—signed the approval in the change ticket, which was stored in the company’s document repository with version history. Calendar reminders and a PMO dashboard flagged upcoming reviews and captured evidence that the review had occurred, keeping internal auditors satisfied and ensuring project teams had an up-to-date set of cybersecurity controls to follow.
Summary
A simple, documented review process that assigns ownership, uses templates and checklists, integrates with existing change control, and captures formal approval satisfies Control 1-6-4. For SMBs, the combination of a clear schedule, an auditable log, and executive sign-off delivers both governance and practicality: projects operate with up-to-date cybersecurity requirements, risk exposure is monitored, and leadership has visibility and accountability for decisions that affect the organization’s cyber posture.