Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-1-6 – The cybersecurity requirements for managing information and technology assets must be reviewed periodically.
Understanding the Requirement
This control from Essential Cybersecurity Controls (ECC – 2 : 2024) requires that an organization periodically review and, when necessary, update its cybersecurity requirements that govern the management of information and technology assets. Reviews must follow a documented and approved plan, occur at planned intervals or be triggered by changes in laws, regulations, or business circumstances, and any revisions must be documented and formally approved by the head of the organization or their deputy. For an SMB, this means having a repeatable, auditable process that ensures requirements remain current and authorized at the executive level.
Technical Implementation
- Create a documented review plan and schedule.
Define a written review policy that specifies review frequency (for example, annually for core policies, quarterly for critical asset protections), triggers for out-of-cycle reviews (regulatory updates, major system changes, security incidents), and the roles responsible for each review step. Keep the plan in a shared, access-controlled document repository so evidence of the schedule is always available.
- Maintain an accurate asset inventory tied to requirements.
Keep a living inventory of information and technology assets (data classifications, servers, endpoints, SaaS services) and map each asset to the specific cybersecurity requirements that apply. When assets change (new cloud services, contractors, or devices), update the inventory and flag any impacted requirements for review.
- Use a defined approval workflow with executive sign-off.
Implement a lightweight change-control process: after the review, produce a change record and route it for approval, requiring sign-off by the head of the organization or their deputy. For SMBs, a documented email approval or a signed PDF attached to the change record satisfies the approval requirement; log the approver, date, and rationale.
- Link reviews to compliance and legal monitoring.
Assign responsibility to a compliance owner (this could be the IT manager or an external advisor) to monitor relevant laws and regulations and raise review tickets when changes occur. Integrate this monitoring with your review plan so legal triggers create an immediate, auditable review action.
- Version control, documentation, and communication.
Store policy documents under version control (date, author, change summary). When requirements change, publish the updated version, maintain the change log, and communicate clearly to affected teams with required dates for implementation and validation steps. Retain past versions for audit evidence.
- Automate reminders and collect review evidence.
Use calendar reminders, ticketing system automation, or a simple GRC spreadsheet to trigger reviews and record completion evidence (meeting minutes, approval screenshots, updated policy files). Periodically validate that reviews occurred as planned through an internal spot-check or audit.
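As an added example (not code from the page or from any ECC tooling), the following Python script applies the review logic above to a constructed requirements register: it flags each requirement whose scheduled review is due, whose mapped assets changed or whose regulatory trigger fired after the last review, and whose current version carries no sign-off by the head of the organization or their deputy. The register entries, asset change log, trigger, role names and the as-of date are all assumptions.

```python
from datetime import date, timedelta

EXECUTIVE_APPROVERS = {"head of organization", "deputy head"}  # roles the control accepts

# Constructed sample register (not from the page): each requirement lists the
# assets it governs, its review cadence, the last completed review, and the
# approval evidence for the currently published version.
REQUIREMENTS = [
    {"id": "REQ-ENC", "title": "Encrypt customer data at rest",
     "assets": ["crm-saas", "file-server"], "review_every_days": 365,
     "last_review": date(2024, 6, 10),
     "approval": {"role": "head of organization", "date": date(2024, 6, 12)}},
    {"id": "REQ-ACCESS", "title": "Access review for customer data",
     "assets": ["crm-saas"], "review_every_days": 365,
     "last_review": date(2024, 1, 15),
     "approval": {"role": "IT manager", "date": date(2024, 1, 16)}},
    {"id": "REQ-BACKUP", "title": "Daily backups of the file server",
     "assets": ["file-server"], "review_every_days": 90,
     "last_review": date(2025, 1, 10),
     "approval": {"role": "deputy head", "date": date(2025, 1, 12)}},
]
# Constructed out-of-cycle triggers: inventory changes and regulatory updates.
ASSET_CHANGES = [{"asset": "crm-saas", "date": date(2025, 3, 1)}]
REGULATORY_TRIGGERS = [{"date": date(2025, 2, 1), "affects": ["REQ-ACCESS"],
                        "note": "new privacy regulation announced"}]
AS_OF = date(2025, 4, 1)  # constructed "today" for the run

def review_reasons(req, today, asset_changes, triggers):
    """Return why a requirement needs action (empty list means it is current)."""
    reasons = []
    due = req["last_review"] + timedelta(days=req["review_every_days"])
    if today >= due:
        reasons.append(f"scheduled review due {due}")
    for ch in asset_changes:  # a governed asset changed after the last review
        if ch["asset"] in req["assets"] and ch["date"] > req["last_review"]:
            reasons.append(f"asset {ch['asset']} changed on {ch['date']}")
    for tr in triggers:  # a law/regulation change after the last review
        if req["id"] in tr["affects"] and tr["date"] > req["last_review"]:
            reasons.append(f"regulatory trigger {tr['date']}: {tr['note']}")
    appr = req.get("approval")  # current version needs executive sign-off
    if (appr is None or appr["role"] not in EXECUTIVE_APPROVERS
            or appr["date"] < req["last_review"]):
        reasons.append("no executive approval recorded for current version")
    return reasons

def review_backlog(requirements, today, asset_changes, triggers):
    """Map requirement id -> reasons for every requirement that needs action."""
    return {r["id"]: why for r in requirements
            if (why := review_reasons(r, today, asset_changes, triggers))}
```

Running `review_backlog(REQUIREMENTS, AS_OF, ASSET_CHANGES, REGULATORY_TRIGGERS)` yields the list a GRC spreadsheet or ticketing automation would turn into review tickets, with the reasons serving as the audit trail for why each review was opened.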
Example in a Small or Medium Business
Blue Oak Marketing, a 35-person SMB, maintains a single document called "Asset & Security Requirements" that maps each technology and data type to controls (encryption, backup, access review). The IT manager sets an annual full review and a quarterly targeted review for cloud services; the review calendar is documented in a shared drive. When a new privacy regulation was announced, the compliance owner opened an immediate review ticket and convened IT, HR, and the CEO to assess impacts. The team updated access control requirements for customer data and prepared a short change memo. The CEO reviewed the changes and approved them by email, which was attached to the change record and policy version history. IT implemented the technical changes (access permissions and logging), and HR ran a brief training for staff on the new handling rules. Blue Oak retained the meeting minutes, approval email, and deployment notes as evidence for future audits and used those artifacts to justify the change during their next insurance renewal.
Summary
Putting a documented review plan, asset-aligned requirements, executive approval, and clear evidence collection in place lets SMBs meet Control 2-1-6. The policy elements (review schedule, approval authority, versioning) provide the governance and auditable trail while the technical actions (asset inventory, change implementation, automation of reminders) ensure reviews are timely and changes are applied. Together these measures create a repeatable, defensible process that keeps cybersecurity requirements current and demonstrably approved at the organization’s leadership level.