Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-1-1 – Cybersecurity requirements for managing information and technology assets must be defined, documented and approved.
Understanding the Requirement
This control from Essential Cybersecurity Controls (ECC – 2 : 2024) requires an organization to formally define the cybersecurity expectations that apply to its information and technology assets, document those expectations so they are clear and repeatable, and secure executive approval so the requirements carry authority. At a practical level the organization must identify asset types and descriptions, set classification levels based on the data processed and asset criticality, define lifecycle-stage controls (preservation, processing, storage, destruction, etc.), and assign roles and responsibilities for ownership and management.
Technical Implementation
- Create an asset inventory template and populate it immediately. For SMBs, a simple spreadsheet or lightweight CMDB can work: record asset ID, type (server, laptop, cloud app, dataset), owner, location, data types processed, and business impact. Make inventory updates part of onboarding/offboarding and procurement workflows so it stays current.
- Define a clear classification scheme (for example: Public, Internal, Confidential, Restricted) and map data types and asset criticality to those levels. For each classification, specify minimum technical controls (encryption at rest/in transit, access control, backup frequency) and handling rules (who may access it, approved storage locations, transmission restrictions).
- Document lifecycle requirements for each asset class. Specify required security controls and processes at each stage — acquisition (secure configuration, baseline hardening), operation (patching, monitoring, backups), transfer (secure migration, contractual requirements for cloud providers), and disposal (data sanitization, secure decommissioning). Include retention periods and evidence of sanitization for regulated data.
- Assign roles and responsibilities. Appoint an asset owner for each major asset or asset group and document responsibilities (maintenance, access approvals, classifying data, coordinating with IT/security). Also identify an executive approver or sponsor to formally approve the documented requirements and resolve conflicts.
- Integrate the requirements into existing processes and tools. Add classification checks to procurement checklists, require security configuration baselines in deployment pipelines, enforce classification labels in file storage and collaboration tools, and include asset owners in change-control reviews so lifecycle and security requirements are enforced.
- Formalize approval and review: produce a short policy document summarizing requirements and secure sign-off from Executive Management (or their delegate). Schedule regular reviews (e.g., annual or when significant changes occur) and maintain an approval record. Use simple metrics—inventory completeness, percentage of assets with assigned owners, and percentage of classified assets—to drive follow-up actions.
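The steps above become auditable once the inventory, the classification scheme and the minimum controls are written down in a machine-readable form. The following Python script is an added example (not part of the ECC text or of this page's original content): it loads a constructed inventory, flags assets whose recorded controls fall short of their classification level's minimums or that lack an owner, and computes the three metrics named above. The CSV columns, the control names (`access_control`, `encryption_at_rest`, `encryption_in_transit`, `mfa`) and the backup-interval thresholds are this example's own assumptions, chosen to match the four-level scheme in the text.

```python
"""Check a small asset inventory against a classification policy and
compute the KPIs named in the text: inventory completeness, share of
assets with an owner, share of classified assets.

Added example. Column names, control names and thresholds are
assumptions for illustration, not ECC requirements.
"""
import csv
import io

# Four-level scheme from the text, least to most sensitive.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# Assumed minimum technical controls per level.
MIN_CONTROLS = {
    "Public": set(),
    "Internal": {"access_control"},
    "Confidential": {"access_control", "encryption_at_rest", "mfa"},
    "Restricted": {"access_control", "encryption_at_rest",
                   "encryption_in_transit", "mfa"},
}

# Assumed maximum days between backups per level; None = no requirement.
MAX_BACKUP_INTERVAL_DAYS = {
    "Public": None, "Internal": 30, "Confidential": 7, "Restricted": 1,
}

# Fields a record must carry to count as "complete" in the inventory KPI.
REQUIRED_FIELDS = ("asset_id", "type", "owner", "location",
                   "data_types", "classification")

# Constructed sample inventory; these are not real assets.
SAMPLE_INVENTORY = """\
asset_id,type,owner,location,data_types,classification,controls,backup_interval_days
SRV-001,server,ops-lead,dc-1,customer PII;billing,Restricted,access_control;encryption_at_rest;encryption_in_transit;mfa,1
LAP-014,laptop,alice,remote,customer PII,Confidential,access_control;encryption_at_rest,7
APP-003,cloud app,,saas,internal docs,Internal,access_control,14
DB-002,dataset,dba,cloud-eu,billing,Confidential,access_control;encryption_at_rest;mfa,30
NET-007,switch,ops-lead,office,,,,
"""


def parse_inventory(text):
    """Parse CSV text into dicts; 'controls' becomes a set, interval an int or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["controls"] = {c for c in (row.get("controls") or "").split(";") if c}
        interval = (row.get("backup_interval_days") or "").strip()
        row["backup_interval_days"] = int(interval) if interval else None
        rows.append(row)
    return rows


def find_gaps(assets):
    """Return {asset_id: [reasons]} for assets that miss their level's minimums."""
    gaps = {}
    for a in assets:
        level = a["classification"]
        reasons = []
        if level not in MIN_CONTROLS:
            reasons.append("unclassified or unknown level")
        else:
            missing = MIN_CONTROLS[level] - a["controls"]
            if missing:
                reasons.append("missing controls: " + ", ".join(sorted(missing)))
            limit = MAX_BACKUP_INTERVAL_DAYS[level]
            interval = a["backup_interval_days"]
            if limit is not None and (interval is None or interval > limit):
                reasons.append(f"backup interval exceeds {limit} day(s)")
        if not a["owner"]:
            reasons.append("no owner assigned")
        if reasons:
            gaps[a["asset_id"]] = reasons
    return gaps


def compute_metrics(assets):
    """KPIs as fractions: complete records, owned assets, classified assets."""
    n = len(assets)
    complete = sum(all(a.get(f) for f in REQUIRED_FIELDS) for a in assets)
    owned = sum(bool(a["owner"]) for a in assets)
    classified = sum(a["classification"] in LEVELS for a in assets)
    return {
        "inventory_completeness": complete / n,
        "owner_coverage": owned / n,
        "classified_share": classified / n,
    }


if __name__ == "__main__":
    assets = parse_inventory(SAMPLE_INVENTORY)
    for asset_id, reasons in find_gaps(assets).items():
        print(asset_id, "->", "; ".join(reasons))
    for name, value in compute_metrics(assets).items():
        print(f"{name}: {value:.0%}")
```

Run against the sample, the script reports one gap per asset except the fully compliant server, and the KPIs come out at 60% complete records, 80% owner coverage and 80% classified. The same structure works against a real spreadsheet export: replace `SAMPLE_INVENTORY` with the file contents and edit `MIN_CONTROLS` and `MAX_BACKUP_INTERVAL_DAYS` to reflect the approved policy document, so that each review cycle produces the gap list and metrics from the current inventory.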
Example in a Small or Medium Business
A 40-person digital services firm creates its first formal set of cybersecurity requirements. The IT lead builds a spreadsheet asset inventory and records all laptops, cloud apps, customer databases, and internal network devices. They adopt a four-level classification (Public, Internal, Confidential, Restricted) and map customer PII and billing records to Confidential or Restricted. For each classification, the IT lead lists minimum controls: full-disk encryption and MFA on endpoints handling Confidential data, tenant isolation and contractual encryption guarantees for cloud-hosted databases, and quarterly backups with offsite storage for critical systems. The firm documents lifecycle rules: secure onboarding with baseline images, monthly patching for production servers, and secure wiping procedures when equipment is retired. Each major system gets an assigned owner — usually a team lead — who is responsible for approving access requests and confirming classification. The CEO reviews and signs the short requirements document to provide executive approval, and the company schedules a six-month review and tracks inventory completeness as a KPI. Staff receive a one-hour briefing so they understand classification labels and the disposal process for hardware and media.
Summary
Defining, documenting, and approving cybersecurity requirements for information and technology assets is achievable for SMBs by combining simple policy documentation with practical technical steps: a maintained asset inventory, a clear classification scheme, lifecycle controls, and assigned owners. Executive approval gives the requirements authority, and embedding them into procurement, change, and decommissioning processes ensures they are followed. Regular reviews and a few measurable indicators keep the program current and auditable, meeting the control's expectations without heavy overhead.