Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-1-2 – The cybersecurity requirements for managing information and technology assets must be implemented.
Understanding the Requirement
This control requires your organization to implement approved, documented cybersecurity requirements for managing all information and technology assets — including creating an official asset register, classifying every asset, and assigning encoded identifiers based on that classification. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), it also requires you to put in place specific procedures for handling assets according to their classification and to ensure those procedures align with applicable laws and regulations.
Technical Implementation
- Create and maintain an asset register: Start with a single authoritative inventory (spreadsheet or lightweight CMDB) that records asset type (hardware, software, data, cloud service), owner, location, purchase/lease date, and business purpose. Assign a unique encoded identifier to each asset (e.g., ACCT-LOB-0001 for an accounting server) so assets can be tracked throughout their lifecycle.
- Define a practical classification scheme: Use 3–4 classification levels (for example: Public, Internal, Confidential, Restricted). For each level document acceptable handling rules: encryption requirements, remote access controls, backup frequency, permitted storage locations, and disposal methods. Keep classifications simple so staff can apply them consistently.
- Document and approve policies and procedures: Produce an approved official document (Asset Management Policy and procedures) that records the inventory process, classification criteria, encoding rules, and roles/responsibilities (asset owner, IT custodian, security lead). Obtain sign-off from an appropriate authority (business owner, CEO, or security committee) and store the document where it is discoverable and version-controlled.
- Operational controls based on classification: Map concrete controls to each classification level. Label assets and datasets, apply disk/DB encryption for Confidential/Restricted data, use MFA and least privilege for access, log access to sensitive assets, and restrict removable media. Make these controls part of onboarding/offboarding and change management so protection follows the asset.
- Procedures for handling, transfer, and disposal: Define step-by-step procedures for common actions: provisioning, approving access, transferring assets between sites, incident handling, and secure disposal (wipe or physical destruction). Ensure these procedures reference legal/regulatory requirements (data residency, retention, breach notification) relevant to your industry or clients.
- Review, monitoring, and continuous improvement: Schedule periodic reviews (quarterly or biannually) to reconcile physical/virtual inventories, verify encoding accuracy, and test that handling procedures are followed. Use simple automated scans (network discovery, endpoint inventory tools) where possible and document exceptions with remediation plans.
Example in a Small or Medium Business
A 40-person professional services firm begins by assigning a single staff member as the asset owner and using a shared spreadsheet as their official asset register. They list every laptop, server, client database, cloud storage bucket, and third-party SaaS account, then assign each item an encoded ID (e.g., PS-DB-0003). The firm defines three classification levels—Internal, Confidential, and Restricted—and documents handling rules: Confidential and Restricted items must be encrypted at rest, require MFA for remote access, and are approved only by the relevant practice leader. They publish an Asset Management Procedure, obtain sign-off from the managing partner, and train staff on labeling and where to store client files. For an upcoming laptop refresh, IT follows the documented disposal process: full disk wipe, certificate of destruction for any hard drives removed, and updating the register to mark the asset retired. The firm also schedules a quarterly inventory reconciliation, uses a lightweight endpoint agent to detect unregistered devices, and documents any deviations with corrective actions to ensure the policy is actually implemented.
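As an added example (not part of the original page or of the ECC standard), the following Python sketch implements the pieces described in the Technical Implementation steps and the SMB scenario above: an asset register with sequential encoded identifiers, a classification scheme whose handling rules are checked against each asset, and a reconciliation of the register against an endpoint inventory scan. The identifier format UNIT-KIND-NNNN, the rule table, the register entries and the scan output are all constructed assumptions.

```python
"""Asset register with encoded IDs, classification-driven handling checks and a
reconciliation against an endpoint inventory scan (constructed example)."""
import re
from dataclasses import dataclass

# Handling rules per classification level (assumed scheme, following the page).
HANDLING_RULES = {
    "Internal":     {"encrypt_at_rest": False, "mfa_remote": False},
    "Confidential": {"encrypt_at_rest": True,  "mfa_remote": True},
    "Restricted":   {"encrypt_at_rest": True,  "mfa_remote": True},
}
# Encoded identifier format assumed here: UNIT-KIND-NNNN, e.g. PS-DB-0003.
ID_PATTERN = re.compile(r"^[A-Z]{2,4}-[A-Z]{2,4}-\d{4}$")

@dataclass
class Asset:
    asset_id: str
    kind: str                      # LT (laptop), SRV (server), DB, SAAS, BKT
    owner: str
    classification: str
    encrypt_at_rest: bool = False  # field names match HANDLING_RULES keys
    mfa_remote: bool = False

def next_asset_id(register, unit, kind):
    """Allocate the next sequential encoded identifier for a unit/kind pair."""
    prefix = f"{unit}-{kind}-"
    used = [int(a.asset_id[len(prefix):]) for a in register if a.asset_id.startswith(prefix)]
    return f"{prefix}{(max(used) + 1 if used else 1):04d}"

def validate(register):
    """Findings: malformed/duplicate IDs, unknown levels, controls below the level's rules."""
    findings, seen = [], set()
    for a in register:
        if not ID_PATTERN.match(a.asset_id):
            findings.append(f"{a.asset_id}: malformed identifier")
        if a.asset_id in seen:
            findings.append(f"{a.asset_id}: duplicate identifier")
        seen.add(a.asset_id)
        rules = HANDLING_RULES.get(a.classification)
        if rules is None:
            findings.append(f"{a.asset_id}: unknown classification {a.classification!r}")
            continue
        for control, required in rules.items():
            if required and not getattr(a, control):
                findings.append(f"{a.asset_id}: {a.classification} requires {control}")
    return findings

def reconcile(register, discovered_tags):
    """Return (tags seen by the endpoint scan but not registered,
    registered endpoints the scan did not see) for the quarterly reconciliation."""
    registered = {a.asset_id for a in register}
    endpoints = {a.asset_id for a in register if a.kind in ("LT", "SRV")}
    return sorted(set(discovered_tags) - registered), sorted(endpoints - set(discovered_tags))

# Constructed register and endpoint-scan output (fictional data).
REGISTER = [
    Asset("PS-LT-0001", "LT", "j.doe", "Internal"),
    Asset("PS-LT-0002", "LT", "a.lee", "Confidential", encrypt_at_rest=True, mfa_remote=True),
    Asset("PS-DB-0003", "DB", "practice-lead", "Restricted", encrypt_at_rest=True),  # no MFA
    Asset("PS-SRV-0001", "SRV", "it", "Secret"),  # level not in the approved scheme
]
SCAN = ["PS-LT-0001", "PS-LT-0002", "PS-LT-0009"]  # asset tags reported by the agent
```

Running `validate(REGISTER)` flags the Restricted database lacking MFA and the server with an unapproved level, and `reconcile(REGISTER, SCAN)` reports PS-LT-0009 as an unregistered device and PS-SRV-0001 as a registered endpoint the scan did not see.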
Summary
Combining a documented, approved asset register and classification scheme with clear technical controls and handling procedures ensures the organization can manage information and technology assets securely and consistently. Practical measures — unique encoding, role-based ownership, encryption and access rules tied to classification, plus regular reviews and legal alignment — make the policy enforceable and auditable for an SMB without requiring heavy tools. Together, these policy and technical steps meet the control’s requirement to implement cybersecurity requirements for managing assets across their lifecycle.