How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-6

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-6

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-6 – Personnel cybersecurity requirements must be reviewed periodically.

Understanding the Requirement

This control requires that an organization reviews and updates its personnel cybersecurity requirements on a planned, periodic basis and whenever relevant external or internal changes occur. In practice this means having a documented review plan (for example, an annual review), recording any changes to job-related cybersecurity expectations, and obtaining formal approval from the head of the organization or their deputy. Following the Essential Cybersecurity Controls (ECC – 2 : 2024) guidance ensures these reviews are repeatable, traceable, and tied to legal, regulatory, or operational triggers.

Technical Implementation

  • Appoint a review owner and maintain a schedule: Assign a named person (e.g., Security Officer or HR lead) responsible for the personnel cybersecurity requirements review. Create a documented review calendar with a default interval (commonly 12 months) and include recurring reminders in your shared calendar or ticketing system.

  • Define triggers for out-of-cycle reviews: Specify events that force an immediate review — changes in law/regulation, a security incident, significant organizational changes (mergers, new services), or major technology additions. Document those triggers in the review plan so reviews are not only time-based but event-driven.

  • Use version control and change records: Store the personnel cybersecurity policy and related role-based requirements in a versioned document repository (e.g., company intranet with version history, secure file share). For every change, record the date, author, rationale, impacted roles, and what was modified.

  • Require formal approval and retain evidence: Build an approval step into the review process where the head of the organization or deputy signs off on updates. Keep signed approvals or recorded electronic confirmation as evidence for compliance and audits.

  • Operationalize updates via HR and IT processes: When requirements change, update job descriptions, onboarding checklists, mandatory training, and access controls. Ensure HR enforces the new requirements at hiring, role changes, and terminations so the personnel lifecycle reflects current cybersecurity expectations.

  • Monitor and test effectiveness: After updates are approved, run targeted checks — spot audits, phishing simulations, or role-based access reviews — to validate the changes are understood and enforced. Capture results and feed findings into the next review cycle.

Example in a Small or Medium Business

Imagine a 45-employee marketing agency with a part-time IT manager and an operations director who acts as the security owner. They document a yearly review in which the operations director is responsible for initiating the process in September and securing the CEO's approval by October. Triggers for an out-of-cycle review include any client contractual changes requiring higher security, a regulatory update affecting customer data, or any incident that involves employee credential misuse. During the scheduled review, they update role-based requirements — for example, adding multifactor authentication as mandatory for all staff with client data access, and expanding mandatory security awareness training for new hires. All changes are recorded in the company intranet with version notes and a PDF sign-off from the CEO stored in the compliance folder. HR updates job postings and onboarding checklists to reflect the new MFA and training requirements, while IT enforces the change via access control policies. After implementation, the agency runs a phishing test and an access review to confirm staff compliance and documents lessons learned for the next scheduled review.

Summary

Periodic and event-driven reviews of personnel cybersecurity requirements ensure policies stay current with legal, operational, and threat changes. By assigning an owner, using a documented review schedule and triggers, keeping versioned records, requiring executive approval, and integrating changes into HR and IT workflows, SMBs can make personnel requirements enforceable and auditable. Regular validation through testing and audits closes the loop so updates actually reduce risk rather than just live on a shelf.
