Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-1 – Personnel cybersecurity requirements (prior to employment, during employment and after termination/separation) must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to formally define, document and obtain executive approval for cybersecurity expectations tied to personnel at three lifecycle points: before hiring, while employed, and after separation. Under the Essential Cybersecurity Controls (ECC – 2 : 2024) framework this means contracts, policies and operational procedures must explicitly include responsibilities (such as acceptable use, privileged access rules), non-disclosure or post-employment confidentiality clauses, and vetting/screening criteria for sensitive roles. The documented requirements should be owned and signed off by a representative of leadership so they have organizational authority and can be enforced consistently.
Technical Implementation
- Create a single "Personnel Cybersecurity Requirements" document: Draft a concise policy that covers: pre-hire screening criteria, role-based access expectations, mandatory training and acceptable use during employment, and post-employment obligations (NDAs, return of assets, data handling). Make the document auditable and store it with version control so approvals and revisions are traceable.
- Embed clauses into HR/contract templates: Update employment agreements and contractor statements of work to include cybersecurity responsibilities, non-disclosure clauses that survive termination where legally appropriate, and explicit consent for role-related background checks. Coordinate with legal or external counsel to ensure enforceability in your jurisdiction.
- Apply role-based vetting and onboarding checklists: Define which roles require screening (e.g., admins, developers with production access, finance) and standardize background checks, reference checks, and identity verification before access is granted. Use an onboarding checklist that requires completion of an initial cybersecurity briefing and credential issuance only after checks pass.
- Operationalize access and privileged account controls: Implement least-privilege access provisioning procedures that tie access requests to approved job functions. Require manager approval and IT confirmation before provisioning, and use time-bound privileges or elevated-access workflows where possible (just-in-time access).
- Formalize separation and offboarding procedures: Maintain a documented offboarding checklist that includes immediate termination of network credentials, collection of company devices, revocation of cloud and third-party access, exit interviews that reconfirm post-termination obligations, and archival of documentation confirming completion.
- Secure executive approval and periodic reviews: Obtain signature/approval from the organization head or delegated executive for the requirements document and schedule periodic reviews (annually or on major change) to keep policies current and demonstrably approved.
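One way to continuously verify the offboarding and time-bound privilege steps above, as an added example that is not part of the ECC text or any vendor tool: a small Python reconciliation over constructed HR and identity-provider exports (the field names and dates are assumptions) that flags accounts still enabled after a separation date, enabled accounts with no HR owner, and privileged grants past their expiry.

```python
"""Reconcile HR separation records against identity-provider account state.

All data below is constructed sample input; real runs would read exports
from the HR system and the identity provider (field names are assumptions).
"""
from datetime import date, timedelta

# Constructed HR export: employee id -> separation date (None = still employed)
HR_SEPARATIONS = {
    "e101": date(2024, 3, 1),
    "e102": None,
    "e103": date(2024, 3, 10),
}

# Constructed identity-provider export of user accounts
ACCOUNTS = [
    {"employee_id": "e101", "username": "jdoe", "enabled": True},     # left, still enabled
    {"employee_id": "e102", "username": "asmith", "enabled": True},   # current employee
    {"employee_id": "e103", "username": "bkhan", "enabled": False},   # left, disabled
    {"employee_id": "e999", "username": "svc-old", "enabled": True},  # no HR record at all
]

# Constructed time-bound (just-in-time) privileged grants with expiry dates
PRIV_GRANTS = [
    {"username": "asmith", "role": "prod-admin", "expires": date(2024, 3, 5)},
    {"username": "asmith", "role": "db-reader", "expires": date(2024, 4, 30)},
]

_MISSING = object()  # sentinel: account has no matching HR record


def find_offboarding_gaps(hr, accounts, today, grace_days=0):
    """Return (username, reason) for enabled accounts that should have been disabled.

    An account is a gap if its owner separated more than `grace_days` ago,
    or if no HR record exists for it (orphaned or unowned account).
    """
    gaps = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: offboarding step completed
        sep = hr.get(acct["employee_id"], _MISSING)
        if sep is _MISSING:
            gaps.append((acct["username"], "no HR record"))
        elif sep is not None and today > sep + timedelta(days=grace_days):
            gaps.append((acct["username"], f"enabled {(today - sep).days}d after separation"))
    return gaps


def find_expired_grants(grants, today):
    """Return (username, role) for privileged grants whose expiry date has passed."""
    return [(g["username"], g["role"]) for g in grants if g["expires"] < today]
```

Run the two functions on a schedule (daily is typical) and treat any non-empty result as an offboarding or privileged-access finding to be ticketed and closed.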
Example in a Small or Medium Business
AcmeCo, a 60-person managed services provider, adopted a single personnel cybersecurity requirements document and attached it to all employment contracts. During recruitment the HR lead checks applicants for roles requiring elevated access and requests basic background checks and professional references before extending offers. Once hired, staff complete an onboarding checklist that includes mandatory security awareness training, signing the NDA, and manager-confirmed role-based access requests submitted through the IT ticketing system. Privileged accounts are granted only after the IT manager verifies the need and applies time-bound permissions through a secure privileged access tool. When an employee leaves, HR triggers the offboarding checklist: IT immediately disables accounts, reclaims company devices, and the manager confirms return of intellectual property; HR archives the signed documentation. The CEO signs off on the requirements document and the company reviews the policy every year and after any major hiring or platform change.
Summary
Defining, documenting and approving personnel cybersecurity requirements combines policy and technical controls to manage risk across the employee lifecycle. By embedding responsibilities and NDAs into contracts, vetting sensitive roles, enforcing least-privilege access, and using a documented offboarding process — all with executive approval and periodic review — SMBs create a repeatable, enforceable program that protects systems and data before, during and after employment.