
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-4

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-4

January 17, 2026



Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-4 – The cybersecurity requirements for technical vulnerabilities management must be reviewed periodically.

Understanding the Requirement

This control requires organizations to perform periodic, documented reviews of the cybersecurity requirements that govern vulnerability management. Reviews should follow an approved plan with a defined interval (for example, quarterly), involve the cybersecurity function working with relevant departments such as IT, and use established channels (manual or automated) to assess whether existing requirements remain appropriate. Any updates must be documented and formally approved by the organization head or their deputy, and reviews should also be triggered by changes in law, regulation, or business context.

Technical Implementation

  • Create a documented review plan: Draft a simple plan that defines scope (policies, SLAs, scanning cadence, patch timelines), owners (Cybersecurity lead + IT lead), review interval (e.g., quarterly), inputs (scan results, patch metrics, threat intel), and outputs (approved changes, evidence retained). Keep the plan lightweight and versioned.
  • Automate evidence collection where possible: Integrate vulnerability scanners, patch management, and ticketing tools with a compliance tracking or reporting tool (even a shared spreadsheet if necessary) so that each review has up-to-date metrics: open vs. closed vulnerabilities, time-to-remediate, and exceptions. Automation reduces manual effort for SMB teams.
  • Run periodic assessments and tabletop validation: At each interval, the Cybersecurity and IT leads review metrics, recent incidents, and threat intelligence. Include at least one tabletop or sign-off session per review to validate that remediation SLAs and technical controls still meet business needs.
  • Trigger reviews on change: Define triggers that force an out-of-cycle review—examples include new regulatory requirements, a major vulnerability (e.g., a widely exploited CVE that affects several of your assets), changes to the technology stack (cloud migration), or a security incident. Document the trigger response steps and timeline, and make the triggers measurable where you can (for example, a critical finding still open past its SLA) so the ticketing or reporting tool can raise them automatically.
  • Approve and document changes: Record review outcomes, decisions and policy updates in a controlled document repository. Require approval by the head of the organization or their deputy (or a delegated authority), and keep signed/recorded evidence with timestamps for auditability.
  • Close the loop operationally: Convert approved requirement changes into actionable tasks—update runbooks, adjust scanner configurations, change SLA values in ticketing systems, and assign remediation owners. Track completion in the same system used for evidence collection.
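The steps above describe an evidence pack that the quarterly review consumes: open versus closed counts, time-to-remediate, approved exceptions, SLA breaches, and out-of-cycle triggers. The script below is an added example, not code from the page or from any vendor tool, showing how to derive all of those from a ticketing export. The CSV layout, the SLA values per severity, the "widespread CVE" threshold, the review date and every ticket row are assumptions constructed for the example; a real implementation would read the export from the scanner or ticketing API instead.

```python
"""Build the evidence pack for a periodic vulnerability-requirements review.

Added example: derives review metrics and out-of-cycle triggers from a
ticketing export. All data, SLA values and thresholds are constructed
assumptions, not values prescribed by ECC 2-10-4.
"""
import csv
import io
import json
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation SLAs in days per severity (hypothetical, set by policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed review date for the quarterly meeting.
REVIEW_DATE = date(2025, 12, 31)

# Constructed ticketing export; not real tickets, CVEs or hosts.
TICKET_EXPORT = """\
ticket,cve,severity,asset,opened,closed,exception
VM-101,CVE-2024-0001,critical,web-01,2025-10-02,2025-10-06,no
VM-102,CVE-2024-0002,high,db-01,2025-10-05,2025-11-20,no
VM-103,CVE-2024-0003,critical,vpn-01,2025-11-28,,no
VM-104,CVE-2024-0004,medium,ws-17,2025-09-15,,yes
VM-105,CVE-2024-0005,low,ws-22,2025-08-01,2025-12-01,no
VM-106,CVE-2024-0003,high,app-02,2025-11-25,,no
"""


@dataclass
class Ticket:
    ticket_id: str
    cve: str
    severity: str
    asset: str
    opened: date
    closed: Optional[date]      # None while the finding is still open
    exception: bool             # approved risk acceptance, excluded from SLA


def parse_export(text: str) -> list:
    """Parse the CSV export into Ticket records (empty 'closed' means open)."""
    tickets = []
    for row in csv.DictReader(io.StringIO(text)):
        tickets.append(Ticket(
            ticket_id=row["ticket"],
            cve=row["cve"],
            severity=row["severity"].strip().lower(),
            asset=row["asset"],
            opened=date.fromisoformat(row["opened"]),
            closed=date.fromisoformat(row["closed"]) if row["closed"] else None,
            exception=row["exception"].strip().lower() == "yes",
        ))
    return tickets


def age_days(t: Ticket, as_of: date) -> int:
    """Days from opening to closure, or to the review date if still open."""
    return ((t.closed or as_of) - t.opened).days


def sla_breached(t: Ticket, as_of: date) -> bool:
    """True if the ticket is open past SLA or was closed later than SLA."""
    if t.exception:
        return False
    return age_days(t, as_of) > SLA_DAYS[t.severity]


def review_metrics(tickets: list, as_of: date) -> dict:
    """Metrics the quarterly review meeting needs, computed from tickets."""
    open_t = [t for t in tickets if t.closed is None and not t.exception]
    closed_t = [t for t in tickets if t.closed is not None]
    ttr = [age_days(t, as_of) for t in closed_t]
    return {
        "open_by_severity": dict(Counter(t.severity for t in open_t)),
        "closed_by_severity": dict(Counter(t.severity for t in closed_t)),
        "median_ttr_days": median(ttr) if ttr else None,
        "sla_breaches": sorted(t.ticket_id for t in tickets if sla_breached(t, as_of)),
        "exceptions": sorted(t.ticket_id for t in tickets if t.exception),
    }


def out_of_cycle_triggers(tickets: list, as_of: date, min_assets: int = 2) -> list:
    """Conditions that should force a review before the next scheduled one.

    Two assumed triggers: a critical finding open past SLA, and the same CVE
    open on min_assets or more assets (the 'widespread CVE' case).
    """
    triggers = []
    for t in tickets:
        if t.severity == "critical" and t.closed is None and sla_breached(t, as_of):
            triggers.append(f"critical {t.cve} open past SLA on {t.asset} ({t.ticket_id})")
    per_cve = Counter(t.cve for t in tickets if t.closed is None)
    for cve, n in per_cve.items():
        if n >= min_assets:
            triggers.append(f"{cve} open on {n} assets")
    return sorted(triggers)


def build_evidence_pack(as_of: date = REVIEW_DATE, export: str = TICKET_EXPORT) -> dict:
    """Everything the review minutes should attach, as one JSON-serialisable dict."""
    tickets = parse_export(export)
    return {
        "review_date": as_of.isoformat(),
        "sla_days": SLA_DAYS,
        "metrics": review_metrics(tickets, as_of),
        "triggers": out_of_cycle_triggers(tickets, as_of),
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence_pack(), indent=2))
```

Run it as-is and the printed JSON is the artefact to file with the review minutes. The design point is that breaches and triggers are computed from the same export the review reads, so the "trigger on change" clause is enforced by data rather than by someone remembering to check; exceptions are excluded from SLA arithmetic only when they carry an approval flag, which keeps risk acceptances visible in the pack instead of silently hiding them.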

Example in a Small or Medium Business

Imagine a 75-person managed services company that runs quarterly vulnerability reviews. The Cybersecurity lead creates a "Vuln Review Plan" that lists scope (servers, workstations, SaaS connectors), quarterly cadence, required reports, and owners. Vulnerability scans run weekly; results feed into the ticketing system, where remediation tasks are created with a due date derived from the severity-based SLA. Each quarter the Cybersecurity lead and IT manager meet to review open counts, average time-to-remediate, SLA breaches, and any recent high-risk CVEs; they run a 30-minute tabletop to validate escalation paths. When the regulator issues a new compliance notice affecting encryption or patch timelines, the plan's "trigger" clause prompts an immediate out-of-cycle review; the team shortens the SLA for critical patches and documents the change. The revised requirement is approved by the CEO's deputy and updated in the policy repository, and the SLA values are changed in the ticketing system so that tickets created from future scans carry the new deadline. Records of the review, approvals, and evidence of operational changes are retained for internal audit and regulatory inquiries.

Summary

Periodic, documented reviews combine policy governance and technical practice to keep vulnerability management effective. A simple, approved review plan, automated evidence collection from scanning and ticketing tools, clearly defined triggers for out-of-cycle reviews, and formal approval and documentation create an auditable loop. For SMBs this approach is practical and scalable: it ensures requirements remain aligned with threats, operations and regulations while keeping the administrative burden manageable.

