Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-2-1 – Cybersecurity requirements for identity and access management must be defined, documented and approved.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework requires your organization to establish a written, approved identity and access management (IAM) policy that defines how accounts are granted, changed, reviewed and revoked. At a minimum the policy should cover access for standard user accounts, privileged accounts, and remote connections; designate who can approve each class of access; and describe password or credential management, periodic access reviews, and the procedures for revoking and changing access. Executive management must formally approve the policy and ensure the organization enforces it.
Technical Implementation
- Create a concise IAM policy document: Draft a one- to two-page policy that defines account types (standard user, privileged, service, contractor), approval authorities for each, remote access requirements, password/credential rules, and the lifecycle steps (provision, modify, review, revoke). Keep it practical and role-based so busy teams can follow it.
- Implement role-based access and provisioning workflows: Map common job functions to roles with pre-approved access sets. Use a documented onboarding checklist (HR + manager + IT signoffs) to provision accounts, and a mirrored offboarding checklist that immediately revokes access when people leave or change roles.
- Protect privileged and remote access: Require multi-factor authentication (MFA) for privileged accounts and any remote access (VPN, RDP, cloud admin consoles). Limit privileged accounts to named individuals, use a privileged access console or jump box where possible, and record administrative sessions.
- Automate password and credential management: Deploy a business-grade password manager for team accounts and a separate vault for privileged credentials. Enforce strong password complexity and rotation rules where automation can't be used; evaluate moving to certificate or key-based auth for systems where feasible.
- Schedule and document periodic access reviews: Conduct quarterly reviews for privileged accounts and at least semiannual reviews for general access. Use a simple spreadsheet or your identity system’s reporting to capture reviewer sign-off, corrective actions, and timestamps — keep these records with the approved policy.
- Obtain executive approval and maintain change control: Present the IAM policy and enforcement plan to executive management (CEO/owner) for formal sign-off. Record the approval, version the policy, and require approval for major changes so the policy stays authoritative and auditable.
Example in a Small or Medium Business
A 40-person digital agency creates an IAM policy that lists three roles (employee, contractor, IT-admin), specifies who can approve each, and requires MFA for any remote access. HR initiates onboarding via a standard form; the hiring manager selects the role and required systems, and IT provisions accounts only after HR confirms start date and identity. The IT manager is the only person with privileged admin rights and must use a vault to retrieve credentials when needed; all privileged actions are logged. When an employee leaves, HR files an offboarding ticket that triggers immediate revocation of access and retrieval of company devices. The CEO signs the policy and receives quarterly reports on access review results; corrective actions are tracked until closed. Over the first year the agency documents two instances where contractor access was tightened after a review, demonstrating the policy works and remains approved by leadership.
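The periodic access review described in the implementation steps and in the agency scenario above can be scripted against an account inventory. The following Python is an added example, not part of the ECC control text or any vendor product: the role map, review cadence (quarterly for privileged accounts, semiannual for the rest), and the account records are constructed assumptions. It flags the four deviations a reviewer would sign off on: access beyond the role's pre-approved set, privileged or remote accounts without MFA, accounts still enabled after HR marked the person as terminated, and accounts whose last review is overdue.

```python
"""Access-review checker: flags deviations from a role-based IAM policy.

Constructed example, not part of the ECC control text: the role map,
account inventory and review intervals below are assumptions chosen to
illustrate the checks a periodic access review should make.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: each role maps to a pre-approved set of systems.
ROLE_ACCESS = {
    "employee": {"email", "wiki", "crm"},
    "contractor": {"email", "wiki"},
    "it-admin": {"email", "wiki", "crm", "cloud-console", "vpn-admin"},
}

# Assumed review cadence from the policy: quarterly for privileged
# accounts (True), semiannual for everything else (False).
REVIEW_INTERVAL = {True: timedelta(days=90), False: timedelta(days=182)}


@dataclass
class Account:
    user: str
    role: str
    systems: set
    privileged: bool = False
    remote_access: bool = False
    mfa_enabled: bool = False
    employment_status: str = "active"   # "active" or "terminated" (from HR)
    account_enabled: bool = True         # state in the identity system
    last_reviewed: date = date(2024, 1, 1)


def excess_access(accounts, role_access):
    """Systems an account holds beyond its role's pre-approved set."""
    findings = {}
    for a in accounts:
        extra = a.systems - role_access.get(a.role, set())
        if extra:
            findings[a.user] = sorted(extra)
    return findings


def mfa_gaps(accounts):
    """Privileged or remote-access accounts without MFA (policy requires it)."""
    return sorted(a.user for a in accounts
                  if (a.privileged or a.remote_access) and not a.mfa_enabled)


def stale_accounts(accounts):
    """Accounts still enabled although HR marks the person as terminated."""
    return sorted(a.user for a in accounts
                  if a.employment_status == "terminated" and a.account_enabled)


def overdue_reviews(accounts, today):
    """Accounts whose last review is older than the cadence for their class."""
    return sorted(a.user for a in accounts
                  if today - a.last_reviewed > REVIEW_INTERVAL[a.privileged])


def run_access_review(accounts, role_access, today):
    """Bundle all checks into one record a reviewer can sign off on."""
    return {
        "review_date": today.isoformat(),
        "excess_access": excess_access(accounts, role_access),
        "mfa_gaps": mfa_gaps(accounts),
        "stale_accounts": stale_accounts(accounts),
        "overdue_reviews": overdue_reviews(accounts, today),
    }


# Constructed inventory for a small agency; names and dates are invented.
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", {"email", "wiki", "crm"}, mfa_enabled=True,
            last_reviewed=date(2024, 5, 1)),
    Account("bob", "contractor", {"email", "wiki", "crm"},              # crm is outside the contractor role
            remote_access=True, mfa_enabled=True, last_reviewed=date(2024, 5, 1)),
    Account("carol", "it-admin", {"email", "wiki", "crm", "cloud-console", "vpn-admin"},
            privileged=True, remote_access=True, mfa_enabled=False,   # admin without MFA, review overdue
            last_reviewed=date(2024, 1, 15)),
    Account("dave", "employee", {"email"}, employment_status="terminated",
            account_enabled=True, last_reviewed=date(2024, 5, 1)),      # left, but never revoked
]
REVIEW_DATE = date(2024, 6, 1)  # assumed date of this quarter's review

if __name__ == "__main__":
    import json
    print(json.dumps(run_access_review(SAMPLE_ACCOUNTS, ROLE_ACCESS, REVIEW_DATE), indent=2))
```

The returned dictionary is the evidence record the control asks for: store it with the reviewer's sign-off and the corrective actions (remove bob's CRM access, enable MFA for carol, disable dave's account) next to the approved policy so the next audit can trace each finding to its closure.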
Summary
Defining, documenting, and approving an IAM policy paired with practical technical controls — role-based provisioning, MFA for remote and privileged access, automated credential management, and scheduled access reviews — meets the ECC 2-2-1 requirement. For SMBs, keep the policy clear, assign approval authorities, automate routine tasks where possible, and keep executive sign-off and recorded reviews so the policy is both enforceable and auditable.