Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-13-4 – The requirements for cybersecurity incidents and threat management must be reviewed periodically.
Understanding the Requirement
This control (from Essential Cybersecurity Controls (ECC – 2 : 2024)) requires that an organization periodically reviews its documented requirements for detecting, responding to, and managing cybersecurity incidents and threats. For an SMB this means having a defined review cadence, a documented plan for how reviews are performed and who is involved, and a process to update requirements when business conditions, technologies, or laws change. The review must be formalized, recorded, and approved by senior leadership so the incident and threat management program stays current and effective.
Technical Implementation
- Create a documented review plan and schedule. Define scope (incident detection, alerting thresholds, escalation paths, response time objectives, threat intelligence consumption), a review interval (e.g., quarterly for high-risk environments, semi-annually for lower risk), and the roles responsible for each review step. Store the plan in a central location (policy repository or shared drive) and version it.
- Assign ownership and cross-functional reviewers. Nominate a Cybersecurity Lead or IT Security owner to run the reviews and involve IT operations, application owners, legal/compliance, and an executive sponsor. Use short, repeatable checklists that include technical controls (SIEM rules, IDS/IPS signatures, EDR policies), procedural items (incident playbooks, escalation matrices), and evidence of training/exercises.
- Use a mix of manual and automated review channels. For many SMBs, a compliance or ticketing system (e.g., a lightweight GRC or ITSM tool) can track review tasks, collect reviewer comments, and preserve records. Complement system-driven checks with periodic tabletop exercises and simulated incidents to validate that documented requirements work in practice.
- Trigger reviews on changes and legal updates. Include event-based triggers in the plan so reviews occur after significant changes: new cloud services, major software updates, security incidents, or changes in relevant laws/regulations. Maintain a watchlist (or assign legal/compliance) to surface regulatory changes that affect incident and threat management obligations.
- Document changes and obtain formal approval. Record every review outcome and any updates to requirements in a change log. Require sign-off by the head of the organization or their deputy (or delegated executive) for material changes. Keep archived versions for audit and retention purposes.
- Measure and improve. Track simple metrics such as time-to-detect, time-to-contain, number of incidents surfaced by threat intelligence, and percentage of playbooks exercised. Use those metrics in each review cycle to justify updates and to prioritize remediation and training.
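As an added example (not from the ECC text or any tool the page describes) of the trigger and metrics steps above: a small Python script that decides whether a review is due from the scheduled interval plus event-based triggers, and computes the metrics a review cycle consumes from incident records. All records, dates, field names and the 90-day interval are constructed assumptions.

```python
from datetime import date, datetime
from statistics import median

# Constructed sample data (not from the page): one review cycle's incident records,
# the playbooks in scope, and which of them have tabletop/simulation evidence.
INCIDENTS = [
    {"started": "2024-03-02T08:00", "detected": "2024-03-02T09:30",
     "contained": "2024-03-02T13:00", "playbook": "phishing"},
    {"started": "2024-04-10T22:00", "detected": "2024-04-11T06:00",
     "contained": "2024-04-11T10:00", "playbook": "credential-compromise"},
    {"started": "2024-05-20T14:00", "detected": "2024-05-20T14:20",
     "contained": "2024-05-20T16:20", "playbook": "ransomware"},
]
PLAYBOOKS = ["ransomware", "data-exfiltration", "phishing", "credential-compromise"]
EXERCISED = {"ransomware", "phishing"}
# Event-based triggers named in the plan; only those after the last review count.
TRIGGERS = [
    {"date": date(2023, 12, 1), "kind": "new cloud service"},
    {"date": date(2024, 5, 20), "kind": "security incident"},
]
LAST_REVIEW, REVIEW_DATE, INTERVAL_DAYS = date(2024, 1, 15), date(2024, 6, 1), 90

def _hours(a: str, b: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600

def cycle_metrics(incidents, playbooks, exercised):
    """Metrics fed into a review: median time-to-detect and time-to-contain
    (hours) and the share of in-scope playbooks exercised this cycle."""
    ttd = [_hours(i["started"], i["detected"]) for i in incidents]
    ttc = [_hours(i["detected"], i["contained"]) for i in incidents]
    return {
        "median_ttd_h": round(median(ttd), 2),
        "median_ttc_h": round(median(ttc), 2),
        "playbooks_exercised_pct": round(100 * len(set(playbooks) & exercised) / len(playbooks), 1),
    }

def review_due(last_review: date, today: date, interval_days: int, triggers):
    """Reasons a review is due: the scheduled interval has elapsed and/or a
    trigger event occurred after the last review. An empty list means not due."""
    reasons = []
    elapsed = (today - last_review).days
    if elapsed >= interval_days:
        reasons.append(f"scheduled: {elapsed} days since last review (interval {interval_days})")
    for t in sorted(triggers, key=lambda t: t["date"]):
        if t["date"] > last_review:
            reasons.append(f"event: {t['kind']} on {t['date'].isoformat()}")
    return reasons

if __name__ == "__main__":
    print(cycle_metrics(INCIDENTS, PLAYBOOKS, EXERCISED))
    for reason in review_due(LAST_REVIEW, REVIEW_DATE, INTERVAL_DAYS, TRIGGERS):
        print("review due ->", reason)
```

The same functions can run from a ticketing or GRC export, with the returned reasons attached to the review record as the evidence for why the cycle was opened.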
Example in a Small or Medium Business
AcmeTech, a 120-employee SaaS provider, formalized its incident and threat management review by creating a quarterly review plan stored in their policy repository. The IT Manager (Cybersecurity Lead) runs the review with representatives from DevOps, Customer Support, and Legal. Each review uses a checklist covering SIEM alert rules, EDR configuration, incident playbooks for ransomware and data exfiltration, and recent threat intelligence reports. After a minor phishing incident, the team triggered an out-of-cycle review that updated escalation contacts and shortened the required time-to-contain for suspected credential compromise. They logged the changes in their compliance tracker, attached evidence from the phishing simulation and tabletop, and obtained the COO's sign-off on the revised requirements. The organization also runs one tabletop annually and captures metrics (detection time, containment time) to feed into the next scheduled review. This combination of scheduled and event-driven reviews keeps AcmeTech's incident readiness aligned with operational changes and regulatory expectations.
Summary
Periodic review of incident and threat management requirements is a practical control that ensures defenses stay aligned with changes in technology, business processes, and regulations. For SMBs, implement a documented review schedule, assign clear ownership, use both automated tracking and manual exercises, trigger reviews after changes or incidents, and require executive approval for updates. When supported by simple metrics and retained evidence, these policy and technical measures keep incident response effective, auditable, and defensible.