Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-15-4 – The cybersecurity requirements for external web applications must be reviewed periodically.
Understanding the Requirement
This control requires organizations to perform periodic, documented reviews of the cybersecurity requirements that apply to external web applications — including identity and access management (IAM), secure configuration, and compliance with laws and regulations. The review must follow an approved plan, occur on a defined interval (for example, quarterly or risk-based), involve the Cybersecurity function working with relevant departments such as IT, and result in documented updates and formal approval by senior leadership. This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024).
Technical Implementation
- Establish a documented review plan and schedule.
  Create a written plan that defines scope (all externally facing web apps and APIs), ownership (application owner, IT, Cybersecurity), frequency (e.g., quarterly for high-risk apps, semiannual for lower risk), and escalation paths. Make the plan an approved policy that specifies the evidence to collect and the retention periods for records.
- Maintain an accurate external web application inventory and risk rating.
  Keep a living inventory that lists app name, owner, hosting location, third-party dependencies, risk level, and current security controls (WAF, TLS, MFA). Use the risk rating to determine review frequency and depth — higher-risk apps get more frequent and deeper reviews.
- Use a checklist tailored to IAM and common web-app risks.
  Standardize reviews with a checklist that covers authentication (MFA, password policy), authorization (role-based access, least privilege), session management, input validation, dependency patching, TLS/cipher suites, logging/monitoring, error handling, and data protection. Include legal/regulatory checks (privacy, cookie consent) and third-party contract obligations.
- Combine automated scans with manual assessments and stakeholder interviews.
  Run automated vulnerability scans, dependency checking (SCA), and configuration audits; complement these with manual code/config reviews and interviews with app owners and IT to confirm IAM settings, onboarding/offboarding processes, and any recent business changes that affect requirements.
- Document findings, apply changes, and require formal approval.
  Record review results, risk decisions, remediation plans, and acceptances in a compliance tool or centralized repository. Route significant requirement changes to the head of the organization (or their deputy) for approval and capture approvals as part of the evidence package.
- Implement an evidence and change-control process.
  Keep signed review records, tickets, and configuration snapshots for audits. When requirements change (e.g., new regulation or security finding), update the requirement documents, notify stakeholders, and track implementation through change control and deployment pipelines.
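As an added example that is not part of the control text, the script below applies the inventory and checklist steps above: it reads constructed inventory rows (app, owner, risk rating, controls in place, last review date), derives a risk-based review due date, and flags apps that are overdue or missing a control expected for their tier. The risk tiers, intervals, required-control sets and app rows are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed review policy (an assumption, not from the control text):
# review interval in days by risk rating, and the controls every external
# app in that tier is expected to have in place.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
REQUIRED_CONTROLS = {
    "high": {"tls", "waf", "mfa", "logging"},
    "medium": {"tls", "mfa", "logging"},
    "low": {"tls", "logging"},
}

# Constructed inventory rows, as they might be exported from an inventory
# spreadsheet. Dates are ISO strings; last_review is None if never reviewed.
INVENTORY = [
    {"name": "storefront", "owner": "it-ops", "risk": "high",
     "controls": {"tls", "waf", "mfa", "logging"}, "last_review": "2024-01-15"},
    {"name": "admin-portal", "owner": "it-ops", "risk": "high",
     "controls": {"tls", "mfa"}, "last_review": "2024-01-15"},
    {"name": "public-api", "owner": "dev", "risk": "medium",
     "controls": {"tls", "logging"}, "last_review": None},
]


def review_status(app, today):
    """Return whether the app is overdue for review as of `today` (ISO string)
    and which controls required for its risk tier are missing."""
    as_of = date.fromisoformat(today)
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[app["risk"]])
    last = app["last_review"]
    # An app that has never been reviewed is due immediately.
    due = date.fromisoformat(last) + interval if last else as_of
    missing = sorted(REQUIRED_CONTROLS[app["risk"]] - app["controls"])
    return {"name": app["name"], "owner": app["owner"],
            "due": due.isoformat(), "overdue": as_of >= due,
            "missing_controls": missing}


def review_report(inventory, today):
    """Apps needing attention: overdue for review or missing a required control."""
    return [s for s in (review_status(a, today) for a in inventory)
            if s["overdue"] or s["missing_controls"]]


if __name__ == "__main__":
    for s in review_report(INVENTORY, "2024-03-01"):
        print(f"{s['name']:<13} owner={s['owner']:<7} due={s['due']} "
              f"overdue={s['overdue']} missing={s['missing_controls']}")
```

The report output is what an owner would attach to the review ticket as evidence of which apps were examined and why.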
Example in a Small or Medium Business
Acme Retail, a 70-person e-commerce SMB, lists its customer-facing store, admin portal, and public API in a single inventory spreadsheet managed by IT. The company’s Cybersecurity lead creates a quarterly review plan for high-risk apps and a semiannual plan for lower-risk ones. For the e-commerce site, the review uses a checklist covering MFA for admin accounts, role cleanup for staff access, TLS configuration, and third-party payment gateway contracts. Automated vulnerability scans and dependency checks run weekly; once each quarter the Cybersecurity lead and IT Ops walk through the checklist, confirm IAM settings, and interview the store manager about any new integrations. Findings are logged in a simple compliance management tool and remediation tickets are created in the ticketing system; the CTO reviews and signs off on requirement updates. When a new privacy regulation is announced, the Cybersecurity lead updates the requirement document, triggers an expedited review, and obtains executive approval before changes are pushed to production, ensuring documented evidence is available for future audits.
Summary
Periodic reviews of external web application requirements protect SMBs by ensuring IAM, configuration, and regulatory controls stay current as applications and external requirements change. By adopting a documented review plan, maintaining an up-to-date inventory and risk ratings, using standardized checklists with automated and manual assessments, and recording approvals and changes, small and medium businesses create a repeatable process that reduces exposure and provides audit-ready evidence. The combination of policy governance and practical technical steps keeps external web applications aligned with security expectations and business needs.