Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024), Control 1-8-1: Cybersecurity reviews must be conducted periodically by the cybersecurity function in the organization to assess the compliance with the cybersecurity controls in the organization.
Understanding the Requirement
This control requires the organization’s cybersecurity function to run recurring, documented reviews that check whether implemented security controls meet organizational policy, applicable laws, and any international requirements adopted by the organization. Reviews should follow an approved plan and defined cadence (for example, quarterly) and produce evidence that controls operate effectively. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to ensure continuous oversight rather than a one-time audit.
Technical Implementation
- Designate roles and cadence: Assign a named cybersecurity reviewer or team (for many SMBs this is the IT manager or a contracted MSSP) and document the review frequency in policy (quarterly is a common baseline). Put review tasks on a calendar and link them to management reporting deadlines.
- Create a lean, mapped review plan and checklist: Build a written review plan that maps each internal control (patching, access control, backups, logging, etc.) to checklist items and required evidence (logs, screenshots, configuration exports, scan reports). Keep the checklist concise so it’s practical for SMB operations.
- Collect measurable evidence: Automate evidence collection where possible: export patch reports from your endpoint management tool, pull firewall rule/config backups, schedule vulnerability scans, and collect authentication logs. If automation isn’t available, use dated screenshots and exportable reports stored in a secure location.
- Record findings and track remediation: Use a simple ticketing system or spreadsheet to log deficiencies, assign owners, set remediation deadlines, and track status. Prioritize fixes by risk (critical/high/medium) and require closure evidence before marking items complete.
- Report and escalate: Produce a short review report showing scope, findings, risk prioritization, remediation status, and compliance posture. Present this to leadership each cycle and escalate significant or persistent gaps to the executive sponsor so they can allocate budget or resources.
- Periodic external validation and policy alignment: At least annually or when major changes occur, bring in a trusted external assessor (consultant or MSSP) to validate internal reviews and ensure the review plan aligns with regulatory obligations and international requirements the organization follows.
Example in a Small or Medium Business
Acme Logistics, a 75-employee SMB, assigns its IT manager as the cybersecurity function and documents a quarterly review plan. The plan lists five control areas: patch management, user access reviews, backups, perimeter device configurations, and endpoint protection status. For each area the IT manager collects evidence: patch reports from the RMM tool, an export of Active Directory group membership, backup job logs, firewall configuration backups, and the latest antivirus console report. Findings are entered into a simple ticket tracker with owners, due dates, and risk ratings; critical issues must be resolved within 7 days and high-risk issues within 30 days. After each quarterly review the IT manager prepares a one-page summary for the CEO showing trends and outstanding risks; persistent or high-risk items are escalated for budget approval. Once a year Acme engages a local cybersecurity consultant to test a sample of controls and confirm the internal review process is effective and compliant with national requirements. Over time, Acme reduces repeat findings by tracking root causes and improving configuration standards.
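The findings register and remediation deadlines from the Acme example, as an added Python illustration that is not part of the page or of any ECC tooling: it applies the 7-day and 30-day deadlines, refuses to count a closure that lacks closure evidence, and produces the per-control summary and escalation list a one-page leadership report would carry. The 90-day medium deadline, the finding data and the review date are constructed assumptions.

```python
from datetime import date, timedelta

# Remediation deadlines from the Acme example: critical within 7 days, high within 30.
# The 90-day medium deadline is an assumption; the page states none.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
REVIEW_DATE = date(2024, 5, 15)  # constructed date of the review cycle

# Constructed findings register for one quarterly review (not real Acme data);
# each finding maps to one of the five control areas in the review plan.
FINDINGS = [
    {"id": 1, "control": "patch management", "risk": "critical",
     "raised": date(2024, 4, 1), "closed": date(2024, 4, 5), "evidence": "patch report"},
    {"id": 2, "control": "user access reviews", "risk": "high",
     "raised": date(2024, 4, 1), "closed": None, "evidence": None},
    {"id": 3, "control": "backups", "risk": "critical",
     "raised": date(2024, 4, 1), "closed": date(2024, 4, 12), "evidence": None},
    {"id": 4, "control": "perimeter device configurations", "risk": "medium",
     "raised": date(2024, 4, 1), "closed": None, "evidence": None},
    {"id": 5, "control": "endpoint protection status", "risk": "high",
     "raised": date(2024, 4, 1), "closed": date(2024, 5, 10), "evidence": "AV console report"},
]

def deadline(finding):
    """Remediation due date derived from the risk rating."""
    return finding["raised"] + timedelta(days=SLA_DAYS[finding["risk"]])

def status(finding, today):
    """Classify a finding; a closure without closure evidence does not count as closed."""
    due = deadline(finding)
    if finding["closed"] is not None and finding["evidence"]:
        return "closed-late" if finding["closed"] > due else "closed"
    return "overdue" if today > due else "open"

def review_report(findings, today):
    """Summarise the register per control area, as the one-page leadership summary would."""
    by_control, escalate = {}, []
    for f in findings:
        s = status(f, today)
        counts = by_control.setdefault(f["control"], {})
        counts[s] = counts.get(s, 0) + 1
        # Overdue critical/high items are the significant gaps escalated to the sponsor.
        if s == "overdue" and f["risk"] in ("critical", "high"):
            escalate.append(f["id"])
    posture = "non-compliant" if escalate else "compliant"
    return {"by_control": by_control, "escalate": escalate, "posture": posture}

if __name__ == "__main__":
    print(review_report(FINDINGS, REVIEW_DATE))
```

Finding 3 is the case worth noticing: it has a closed date but no closure evidence, so the report still lists it as overdue and escalates it.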
Summary
By formalizing a documented review plan, assigning clear roles, collecting verifiable evidence, tracking remediations, and reporting to leadership, SMBs can meet Control 1-8-1’s requirement for periodic cybersecurity reviews. These policy and technical measures create a repeatable cycle of assessment, remediation, and oversight that demonstrates controls are implemented, operating effectively, and aligned with legal and organizational obligations.