How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-7-2

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-7-2 – The organization must comply with any nationally-approved international agreements and commitments related to cybersecurity.

Understanding the Requirement

This control requires organizations to identify and adhere to any internationally-oriented cybersecurity agreements or commitments that have been nationally approved, and to make sure those obligations are integrated into the organization's policies, processes and technical controls. In practice that means keeping an approved inventory of obligations, mapping them to internal responsibilities and controls, and using appropriate technologies and evidence to demonstrate ongoing compliance to the National Cybersecurity Authority and other stakeholders. This is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and focuses on governance, implementation and verification of nationally-endorsed international commitments.

Technical Implementation

• Maintain an obligations register and ownership. Create a simple register that lists each nationally-approved international agreement or commitment, the specific requirements that apply to your organization (data handling, reporting timelines, encryption standards, cross-border rules, etc.), the approval/reference by the National Cybersecurity Authority, and a named business and technical owner for each item. Review and sign off on the register at least annually.
• Map obligations to policies, procedures and controls. For each obligation, document which internal policy or control satisfies it (e.g., access control policy, data export procedures, logging and retention rules). Update standard operating procedures so staff follow the required handling, reporting and escalation steps tied to each obligation.
• Technical controls to demonstrate compliance. Use existing SMB-friendly tools—centralized logging (syslog/SIEM-lite), vulnerability scanners, endpoint protection, configuration management and automated patching—to generate the evidence you need (logs, scan reports, configuration snapshots). Configure retention and tamper-evidence to meet any agreed timelines referenced in the obligations.
• Third-party and contract controls. Require vendors and cloud providers to attest or demonstrate compliance where obligations rely on external services. Add contract clauses requiring notification of incidents, evidence of controls, and cooperation with audits tied to the nationally-approved commitments.
• Periodic validation and reporting. Schedule periodic internal checks and external audits (as required) to validate compliance. Keep concise evidence packages (audit logs, procedure sign-offs, scan outputs) so you can quickly respond to regulator requests. Establish a simple reporting cadence to senior management and the National Cybersecurity Authority if mandated.
• Awareness and training. Ensure staff in operations, legal/compliance, and supplier management understand relevant obligations and their role in meeting them—cover reporting deadlines, required technical settings, and cross-border data handling rules in short, role-specific briefings.

Example in a Small or Medium Business

A 75-person cloud services SMB identified that its country had nationally-approved commitments requiring specific encryption standards for cross-border customer data transfers and a 72-hour incident reporting window for certain cyber incidents. The company created an obligations register, assigned the CTO as technical owner and the head of compliance as the business owner, and mapped each commitment to existing controls (TLS configuration baseline, storage encryption, incident response plan and notification templates). They updated hosting contracts to require that co-located providers and backup vendors meet the same encryption and notification obligations, and obtained written attestation. On the technical side they enabled full audit logging, configured automated alerts for suspected data exfiltration, and scheduled weekly automated configuration scans to prove encryption settings remain compliant. They trained customer support and operations staff on the 72-hour reporting requirement and ran one tabletop exercise to validate the notification workflow. When a ransomware event occurred on a single customer instance, the team used the established evidence packages and notification templates to meet the reporting timeline and demonstrate the controls to the regulator, avoiding penalties and preserving customer trust.

Summary

Meeting Control 1-7-2 means combining simple governance (an obligations register, owners and updated policies) with targeted technical measures (logging, encryption, configuration management and vendor controls) plus regular validation and staff awareness. For SMBs this approach keeps compliance manageable: document what applies, map it to clear controls, generate concise evidence, and update contracts and training so the organization can consistently demonstrate adherence to nationally-approved international cybersecurity agreements.