
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-4

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-4

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-4 – The cybersecurity requirements for event logs and monitoring management must be reviewed periodically.

Understanding the Requirement

This control from Essential Cybersecurity Controls (ECC – 2 : 2024) requires that the rules, configurations, and operational practices governing event logging and monitoring are not static: they must be assessed on a regular, documented cadence and updated when business needs, technology, or regulatory obligations change. For an SMB, that means establishing a simple, repeatable review process (for example, quarterly) owned by the cybersecurity function with input from operations teams, documenting findings and decisions, and obtaining formal sign-off from leadership so the logging and monitoring program stays effective and defensible.

Technical Implementation

  • Establish a documented review plan and schedule. Create a short policy or procedure that defines the review interval (e.g., quarterly), review scope (log sources, retention, parsing rules, alert thresholds), participants (security lead, IT ops, app owners), and required outputs (change list, updated config, approval record).
  • Use simple tooling to automate evidence collection. Leverage your SIEM, log management, or even a managed logging service to export coverage reports: which hosts, apps, and devices are sending logs; their volume; and parsing/alerting health. If no SIEM is available, use a checklist and scheduled scripts that confirm log agents are installed and files are being forwarded.
  • Perform targeted configuration and effectiveness checks. Each review should include: verification that key systems (domain controllers, edge devices, web apps, databases) produce required events; that retention and integrity controls are in place; and that alerts fire on representative test events. Document any gaps and prioritized remediation steps.
  • Review for regulatory and business changes. As part of the periodic review, confirm whether new regulatory requirements, cloud migrations, application rollouts, or third-party integrations require additional logging or retention adjustments. Update the list of required log sources and data elements when changes occur.
  • Document decisions and require formal approval. Record the review results, proposed changes, and timelines in a simple form or ticketing system. Ensure the head of the organization or their deputy signs off on the updated requirements and on any exceptions, so there is an auditable approval trail.
  • Measure and report outcomes. Track a small number of metrics (coverage percentage of critical hosts, time-to-remediate logging gaps, number of false-positive alerts reduced) and include them in the review package to demonstrate improvement and justify resources.
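The evidence-collection and metrics steps above can be scripted even without a SIEM. The following is an added example, not code from the original guide: it reads a coverage export and reports the coverage percentage of critical hosts, the hosts that have gone silent, and required source types with no host at all. The CSV column names, the role labels, and the 24-hour silence threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; the column names are assumptions, not a real product's format.
SAMPLE_REPORT = """host,role,critical,last_event_utc,events_24h
dc01,domain-controller,yes,2026-01-16T23:40:00+00:00,18234
fw-edge,firewall,yes,2026-01-16T23:58:00+00:00,90211
web01,web-app,yes,2026-01-12T03:15:00+00:00,0
web02,web-app,yes,,0
db01,database,yes,2026-01-16T22:10:00+00:00,4410
print01,printer,no,2026-01-10T09:00:00+00:00,0
"""

# Assumed list of required log source types, maintained as part of the review.
REQUIRED_ROLES = {"domain-controller", "firewall", "web-app", "database", "vpn"}


def review_coverage(report_csv, now, max_silence=timedelta(hours=24)):
    """Return coverage metrics and gaps for one periodic logging review."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    critical = [r for r in rows if r["critical"].strip().lower() == "yes"]
    silent = []
    for r in critical:
        stamp = r["last_event_utc"].strip()
        # A blank timestamp means the source never reported: treat it as a gap.
        last = datetime.fromisoformat(stamp) if stamp else None
        if last is None or now - last > max_silence:
            silent.append(r["host"])
    reporting = len(critical) - len(silent)
    coverage = round(100.0 * reporting / len(critical), 1) if critical else 0.0
    # Roles the requirement lists but that no host in the export carries at all.
    missing_roles = sorted(REQUIRED_ROLES - {r["role"] for r in rows})
    return {"critical_hosts": len(critical), "coverage_pct": coverage,
            "silent_hosts": sorted(silent), "missing_roles": missing_roles}


if __name__ == "__main__":
    review_time = datetime(2026, 1, 17, 0, 0, tzinfo=timezone.utc)
    result = review_coverage(SAMPLE_REPORT, review_time)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Saving each run's output with the review ticket gives the approver a dated record of coverage and open gaps.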

Example in a Small or Medium Business

Acme Retail, a 60-person e-commerce SMB, assigns its IT manager as the logging review owner and schedules quarterly reviews. Before each review the team exports a host coverage report from their cloud log ingestion service and runs a checklist that verifies the web store, payment gateway connectors, VPN, and perimeter firewall are forwarding logs. During the review the security lead tests alerting by simulating a failed login and observing that the SIEM rule triggers and creates a ticket. They identify two web servers that failed to forward detailed application logs after a recent patch; the remediation ticket includes configuration changes and an agent upgrade scheduled for the next maintenance window. The team documents the gap, the fix, and updates the logging requirement to include application-level logging for all production web servers. The updated requirements and the remediation plan are emailed to the COO, who reviews and signs off on the change. After implementation, the team records improved coverage metrics and a shorter time-to-detection, which they include in the next quarterly review to justify continued logging budget and to show regulatory readiness.

Summary

Periodic review of event logs and monitoring management combines a simple policy (documented schedule and approval path) with practical technical checks (coverage reports, alert testing, and configuration validation) to keep your logging program aligned with operations, risk, and compliance needs. For SMBs this means using lightweight, repeatable processes, automation where possible, clear ownership, and an approval trail so log management stays effective, auditable, and responsive to change.

 
