Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-1-5 – Information and technology assets must be classified, labeled and handled as per related law and regulatory requirements.
Understanding the Requirement
This control requires an organization to identify all information and technology assets, assign them a classification that aligns with applicable laws and regulations, and ensure those assets are labeled and handled according to the approved classification. In practice this means creating a documented asset-management requirement, maintaining a single register of assets with owners and criticality, obtaining owner sign-off on classifications, applying physical or digital labels or codes, and enforcing handling procedures for each classification level. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to make legal and regulatory obligations traceable and actionable for SMBs.
Technical Implementation
- Document policy and governance: Create a short, approved policy that defines scope, classification levels (e.g., Public, Internal, Confidential, Regulated), roles (asset owner, custodian), and a legal mapping that states which laws affect which asset types. Get sign-off from the named representative or executive owner.
- Build a single asset register: Maintain a central register (spreadsheet or light CMDB) listing asset name, description, owner, location, classification, and criticality. For SMBs, a well-structured spreadsheet with controlled access is sufficient to start.
- Classify with owners and map to law: Hold short workshops with asset owners to assign classifications and document the rationale — for example, identify which datasets are regulated (financial, personal data, health) and mark those assets as "Regulated/Confidential." Capture the legal requirement column in the register.
- Label and code assets: Apply visible physical labels for hardware (asset tags/stickers) and metadata labels for digital assets (tags in inventory, CMDB or endpoint management). Where possible automate tagging via endpoint management, cloud tags, or configuration management tools so labels persist and are searchable.
- Define and enforce handling procedures: Create short handling checklists per classification level — e.g., storage location, encryption requirement, access approvals, transfer rules, and secure disposal steps. Integrate these into onboarding/offboarding, change control, and procurement workflows so handling is routine.
- Operationalize with technical controls and training: Use MDM/EMM, file encryption, access control lists, and DLP policies to enforce handling; schedule periodic reviews and owner attestations; train staff on label meaning and required handling steps, and audit compliance quarterly.
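The steps above amount to a register with owners, classifications, a legal-mapping column, labels, and per-level handling checks reviewed each quarter. The following script is an added example, not part of the ECC control text or any vendor tool: it treats the register as a list of rows (as exported from a spreadsheet or light CMDB) and flags rows that fail the handling rules for their classification level, lack owner sign-off, or have an overdue attestation. The column names, the four classification levels, the per-level rules, the 90-day attestation interval and the sample rows are all assumptions chosen to mirror this page; adjust them to the organisation's approved policy.

```python
"""Asset-register compliance check in the spirit of ECC 2-1-5.

Added example, not part of the control or the page's own tooling. The register
is assumed to be a list of dicts; column names, classification levels and the
handling rules are assumptions that mirror the guidance on this page.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Handling requirements per classification level (assumed policy, hypothetical values).
# Each level lists the register fields that must be set for the asset to be compliant.
HANDLING_RULES = {
    "Public": [],
    "Internal": ["labeled"],
    "Confidential": ["labeled", "encrypted", "access_approved"],
    "Confidential - Regulated": ["labeled", "encrypted", "access_approved",
                                 "legal_requirement", "disposal_checklist"],
}

# Quarterly owner attestation, as the page recommends (interval value is an assumption).
ATTESTATION_INTERVAL = timedelta(days=90)


@dataclass
class Finding:
    asset: str
    issue: str


def check_asset(asset: dict, today: date) -> list:
    """Return a list of Finding objects for one register row."""
    findings = []
    name = asset.get("name", "<unnamed>")
    level = asset.get("classification")

    # Every asset needs a named owner and a classification level the policy defines.
    if not asset.get("owner"):
        findings.append(Finding(name, "no asset owner recorded"))
    if level not in HANDLING_RULES:
        findings.append(Finding(name, f"unknown classification {level!r}"))
        return findings  # handling rules cannot be evaluated for an unknown level

    # Owner sign-off on the classification is required before handling rules apply.
    if not asset.get("owner_signed_off"):
        findings.append(Finding(name, "classification not signed off by owner"))

    # Per-level handling rules: each required field must be present and set.
    for required in HANDLING_RULES[level]:
        if not asset.get(required):
            findings.append(Finding(name, f"missing handling control: {required}"))

    # Attestation check: flag if the last owner attestation is older than the interval.
    last = asset.get("last_attested")
    if last is None or today - last > ATTESTATION_INTERVAL:
        findings.append(Finding(name, "owner attestation overdue"))
    return findings


def check_register(register: list, today: date) -> list:
    """Run check_asset over every row and return all findings in register order."""
    out = []
    for asset in register:
        out.extend(check_asset(asset, today))
    return out


# Constructed sample register modelled loosely on the AcmeTech example (not real data).
SAMPLE_REGISTER = [
    {"name": "CRM database", "owner": "Sales lead", "classification": "Confidential - Regulated",
     "legal_requirement": "privacy regulation", "labeled": True, "encrypted": True,
     "access_approved": True, "disposal_checklist": True, "owner_signed_off": True,
     "last_attested": date(2024, 9, 1)},
    {"name": "Payroll database", "owner": "Finance lead", "classification": "Confidential - Regulated",
     "legal_requirement": "privacy regulation", "labeled": True, "encrypted": False,
     "access_approved": True, "disposal_checklist": False, "owner_signed_off": True,
     "last_attested": date(2024, 9, 1)},
    {"name": "Marketing brochures", "owner": "Marketing lead", "classification": "Public",
     "labeled": False, "owner_signed_off": True, "last_attested": date(2024, 9, 1)},
    {"name": "Laptop L-017", "owner": "", "classification": "Internal",
     "labeled": True, "owner_signed_off": False, "last_attested": date(2024, 3, 1)},
]

# Constructed review date used for the sample run.
REVIEW_DATE = date(2024, 10, 1)


def sample_findings() -> list:
    """Findings for the constructed register on the constructed review date."""
    return check_register(SAMPLE_REGISTER, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.asset}: {f.issue}")
```

Run as-is, the script reports two missing handling controls on the payroll database (no encryption, no disposal checklist), and three findings on the laptop (no owner, no sign-off, attestation overdue); the CRM and the public marketing files pass. The design point is that the rules live in one table keyed by classification level, so when the approved policy changes a level's handling requirements, only HANDLING_RULES changes and the register review stays repeatable from one quarter to the next.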
Example in a Small or Medium Business
AcmeTech, a 60-person managed services firm, started by drafting a one-page asset-classification policy and assigning the IT manager as the representative for approval. They ran a two-hour workshop with department leads to list assets — servers, laptops, CRM database, printers, and cloud services — and captured these in a single spreadsheet asset register with owners and criticality. The team mapped the CRM and payroll database to privacy regulations and classified them as "Confidential – Regulated," while public marketing files were marked "Public." Laptops and servers received barcode asset tags; cloud resources were tagged using the cloud provider's metadata fields. For confidential assets they enforced disk encryption, restricted remote access to approved users, and added an explicit disposal checklist that required IT and HR sign-off. Owners signed off on each asset’s classification in the register, and quarterly owner attestations were scheduled to capture changes. After three months the firm used endpoint management reports and the register to demonstrate consistent labeling, handling, and regulatory mapping during an internal compliance review.
Summary
By combining a concise, approved policy with a single asset register, owner-driven classification mapped to legal requirements, visible and automated labeling, and practical handling procedures enforced by technical controls and regular owner attestation, SMBs can meet the control’s requirement. These measures make asset status and regulatory obligations transparent, reduce risk from mishandling, and provide an audit trail to show compliance with laws and internal policy.