Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-8-3 – Results from the cybersecurity audits and reviews must be documented and presented to the cybersecurity steering committee and Authorizing Official. Results must include the audit/review scope, observations, recommendations and remediation plans.
Understanding the Requirement
This control requires that every cybersecurity audit and review be recorded in a clear, consistent report and formally presented to governance — specifically the cybersecurity steering committee and the Authorizing Official. The report must explicitly state the scope of the audit or review, list observations (findings), provide actionable recommendations, and include a remediation plan for each observation. As part of implementing the Essential Cybersecurity Controls (ECC – 2 : 2024), organizations should treat these reports as both governance artifacts and operational work plans: they provide evidence for leadership and a prioritized set of tasks for IT/security teams to close gaps.
Technical Implementation
- Standardize a report template. Create a one-page executive summary plus a detailed appendix. Required fields: audit/review title, scope (systems, dates, tools used), methodology, findings (with evidence), risk rating (e.g., High/Medium/Low), recommended remediation actions, owner, target completion date, and status. Use this template for all internal and third-party assessments.
- Capture scope and evidence precisely. For each audit, record exactly what was tested (IP ranges, applications, user groups), when, and which tools or checklists were used. Attach logs, screenshots, or exportable output from scanners/penetration tests so leadership can verify findings if needed.
- Prioritize observations and define remediation plans. For each finding assign a risk score, a remediation step (what will be changed), an owner (person or role), resources required, and a realistic timeline. Break large remediations into milestones so progress can be reported to the steering committee.
- Establish a presentation cadence and format. Decide how often results are presented (e.g., quarterly or after each major assessment) and who attends. Prepare a concise slide deck with the executive summary, top 3–5 findings, recommended decisions (e.g., budget approval, scope changes), and remediation status. Always include an action register with owners and dates.
- Track remediation in a ticketing or GRC tool. Use an existing ticketing system (Jira, ServiceNow, GitHub Issues) or a lightweight GRC tracker to convert each remediation plan into a tracked item. Update the status before each steering-committee meeting and maintain an audit trail of changes and closure evidence.
- Securely store and retain reports. Keep final reports and evidence in a controlled location with access limited to the steering committee, Authorizing Official, and necessary staff. Define a retention policy (e.g., retain for 3–5 years) and ensure backups exist to meet compliance or post-incident review needs.
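The template fields, action register and closure-evidence rule described in the steps above can be modelled directly in code. The following is an added example, not part of the ECC control text or any GRC product: it defines a finding record with the template's fields, validates that closed items carry closure evidence, and produces the sorted action register and the executive-summary counts a steering committee pack would show. The field names, the High/Medium/Low scale, the status values and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Risk ratings from the report template, in presentation order (assumed scale).
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}
STATUSES = ("Open", "In Progress", "Closed")

# Reporting date used for the overdue check in the sample run (constructed).
AS_OF = date(2024, 3, 20)


@dataclass
class Finding:
    """One observation from the detailed appendix plus its remediation plan."""
    ref: str                                  # report-local identifier, e.g. "F-01"
    observation: str
    risk: str                                 # High / Medium / Low
    recommendation: str
    owner: str                                # person or role accountable for the fix
    target_date: date
    status: str = "Open"
    closure_evidence: Optional[str] = None    # e.g. re-scan report reference


def validate_finding(f: Finding) -> list:
    """Return template violations; an empty list means the entry is complete."""
    problems = []
    if f.risk not in RISK_ORDER:
        problems.append(f"{f.ref}: unknown risk rating {f.risk!r}")
    if f.status not in STATUSES:
        problems.append(f"{f.ref}: unknown status {f.status!r}")
    if not f.owner.strip():
        problems.append(f"{f.ref}: no remediation owner assigned")
    if f.status == "Closed" and not f.closure_evidence:
        problems.append(f"{f.ref}: closed without closure evidence")
    return problems


def report_problems(findings: list) -> list:
    """All template violations across a report, for review before presentation."""
    return [p for f in findings for p in validate_finding(f)]


def action_register(findings: list, as_of: date) -> list:
    """Action register rows: highest risk first, then earliest target date.
    Items that are not closed and are past their target date are flagged overdue."""
    ordered = sorted(findings, key=lambda f: (RISK_ORDER.get(f.risk, 99), f.target_date))
    return [
        {
            "ref": f.ref,
            "risk": f.risk,
            "owner": f.owner,
            "target_date": f.target_date.isoformat(),
            "status": f.status,
            "overdue": f.status != "Closed" and f.target_date < as_of,
        }
        for f in ordered
    ]


def executive_summary(findings: list, as_of: date) -> dict:
    """Counts for the one-page executive summary."""
    by_risk = {r: 0 for r in RISK_ORDER}
    for f in findings:
        if f.risk in by_risk:
            by_risk[f.risk] += 1
    register = action_register(findings, as_of)
    return {
        "total": len(findings),
        "by_risk": by_risk,
        "closed": sum(1 for f in findings if f.status == "Closed"),
        "overdue": sum(1 for row in register if row["overdue"]),
    }


# Constructed sample findings (illustrative only, not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("F-01", "Internet-facing web server missing vendor patches", "High",
            "Apply vendor patches and enable automatic updates", "IT Manager",
            date(2024, 3, 15), status="In Progress"),
    Finding("F-02", "Shared administrator account on file server", "High",
            "Issue individual admin accounts and disable the shared account", "IT Manager",
            date(2024, 2, 28), status="Closed", closure_evidence="Re-scan report RS-2024-02"),
    Finding("F-03", "Backup restores not tested in the last 12 months", "Medium",
            "Run and document a restore test", "Operations Lead",
            date(2024, 4, 30)),
    Finding("F-04", "Outdated TLS configuration on customer portal", "Medium",
            "Update cipher configuration; coordinate with outsourced developer",
            "Outsourced App Developer", date(2024, 3, 1)),
]

if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS, AS_OF))
    for row in action_register(SAMPLE_FINDINGS, AS_OF):
        print(row)
    for problem in report_problems(SAMPLE_FINDINGS):
        print("TEMPLATE VIOLATION:", problem)
```

Running `report_problems` before each steering-committee meeting catches the common governance gaps (an item marked closed with no evidence attached, or a finding with no owner) before the pack is presented, and the `overdue` flag gives the committee the list of items that need a decision rather than a status update.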
Example in a Small or Medium Business
The IT manager at a 120-employee marketing firm schedules a quarterly vulnerability scan and an annual third-party penetration test. After each assessment, they generate a standardized report: a one-page executive summary (scope, high-level findings, overall risk posture) and a detailed appendix containing raw scanner outputs and screenshots. The report lists three high-priority findings, five medium issues, and suggested remediation steps; each item has an assigned owner, estimated cost, and a target completion date. The IT manager converts remedial tasks into tickets in the team’s existing tracking system and marks dependencies for the outsourced application developer where code changes are required. At the next monthly leadership meeting, the IT manager presents the executive summary to the cybersecurity steering committee — composed of the CTO, HR lead, finance director and the CEO acting as the Authorizing Official — highlights the top risks, requests budget for urgent patching, and shows the remediation timeline. The steering committee approves the budget and asks for weekly progress updates on the two highest-risk issues. Two months later, the IT manager submits closure evidence for the remediations and schedules a focused re-scan to verify results, logging everything in the secure report repository for future audits.
Summary
Documenting audit and review results using a consistent template, assigning owners and timelines, presenting concise executive summaries to the cybersecurity steering committee and Authorizing Official, and tracking remediation in a ticketing or GRC system together ensure the control is met in practice. These policy and operational measures create traceable decisions, enable leadership oversight, and produce verifiable closure evidence, all of which help SMBs manage risk, demonstrate governance, and close security gaps efficiently.