Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-2-2 – The cybersecurity requirements for identity and access management must be implemented.
Understanding the Requirement
This control requires a complete identity and access management (IAM) approach that enforces who can access systems and what they can do. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), organizations must implement technical and procedural controls including strong user authentication, password management aligned to policy, authorization based on need-to-know and least privilege, segregation of duties, managed remote access, and timely revocation or adjustment of access when staff change roles or leave the organization.
Technical Implementation
- Define and document IAM policy and roles: Create a concise IAM policy describing authentication requirements, password rules, role definitions, approval workflows, and offboarding procedures. Map common job roles to access profiles (role templates) to make provisioning consistent and auditable.
- Enforce strong authentication and password controls: Require multi-factor authentication (MFA) for all remote access and privileged accounts. Apply a password policy that sets a minimum length, screens new passwords against lists of breached and commonly used passwords, blocks reuse of previous passwords, and encourages password managers. Prefer single sign-on (SSO) over modern federation protocols (SAML or OpenID Connect, with OAuth 2.0 for delegated authorization) to centralize authentication and reduce password sprawl.
- Implement least privilege and role-based access control (RBAC): Grant access based on the minimum permissions needed for tasks. Use RBAC or attribute-based controls to assign permissions via groups/roles, not individual assignments. Regularly review and remove unused privileges.
- Segregation of duties and approval workflows: Ensure critical tasks (e.g., financial approvals, system administration) require separate individuals or multi-person approval. Enforce approval workflows for elevated access and log who approved access changes for accountability.
- Secure remote access and monitoring: Require VPN or secure gateway with MFA for network access; restrict administrative access to jump hosts with session logging. Enable centralized logging of authentication and access events and forward logs to a SIEM or cloud log service for suspicious activity detection.
- Automate onboarding, offboarding and periodic access reviews: Integrate HR systems with IAM where possible to trigger account creation and revocation. Implement a documented offboarding checklist that disables accounts, reclaims assets, and rotates shared credentials. Schedule quarterly access reviews to validate permissions and reconcile them to role templates.
Example in a Small or Medium Business
Acme Marketing, a 45-person SMB that uses several SaaS tools and an internal file server, formalizes IAM to meet this control. They adopt an SSO provider connected to their HR directory so new hires receive a standard set of role-based group memberships; marketing contractors get access only to campaign tools, while finance staff receive access to billing systems. MFA is enforced for all users, and privileged accounts for system administration are isolated and require a second approval before elevation. The company documents an offboarding workflow that HR triggers the moment an employee’s termination is processed—this automatically removes cloud access, revokes VPN certificates, and initiates the return of hardware. Quarterly, the IT manager runs an access report, compares active accounts against current role assignments, and removes stale or excessive permissions. They also maintain a segregation-of-duties checklist so no single person can both approve invoices and change vendor bank details, and every change to role templates requires manager sign-off and audit logging.
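The quarterly access review described above (comparing active accounts against HR status and role templates, then flagging excess permissions, missing MFA and segregation-of-duties conflicts) is shown below as an added example in Python. It is not part of the original page and is not any vendor's or identity provider's code. The HR roster, the IAM export, the role templates, the group names and the single segregation-of-duties rule are all constructed for the example; a real run would pull the roster from the HR system and the group memberships from the identity provider's API.

```python
"""Quarterly access-review reconciliation against HR data and role templates.

Added example, not the page's or any vendor's code. Every input below is
constructed: a small HR roster, an IAM/SSO export, role templates and one
segregation-of-duties rule. Replace them with real HR and IdP exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # stale-account | orphan-account | excess-privilege | missing-mfa | sod-conflict
    user: str
    detail: str


# Role templates: the only groups a given job role should hold (constructed).
ROLE_TEMPLATES = {
    "marketing": {"sso-users", "campaign-tools"},
    "marketing-contractor": {"campaign-tools"},
    "finance": {"sso-users", "billing", "invoice-approvers"},
    "it-admin": {"sso-users", "admin-jumphost"},
}

# Groups that one person must never hold together (constructed SoD rule:
# nobody may both approve invoices and change vendor bank details).
SOD_CONFLICTS = [frozenset({"invoice-approvers", "vendor-bank-editors"})]

# Groups whose membership counts as privileged access (assumed group names).
PRIVILEGED_GROUPS = {"admin-jumphost", "vendor-bank-editors"}

# Constructed HR roster as it would be exported from the HR system.
HR_ROSTER = [
    {"user": "alice", "role": "finance", "status": "active"},
    {"user": "bob", "role": "marketing", "status": "active"},
    {"user": "carol", "role": "it-admin", "status": "active"},
    {"user": "dave", "role": "marketing-contractor", "status": "terminated"},
    {"user": "erin", "role": "finance", "status": "active"},
]

# Constructed IAM/SSO export: enabled state, MFA enrolment and group membership.
IAM_EXPORT = [
    {"user": "alice", "enabled": True, "mfa": True,
     "groups": {"sso-users", "billing", "invoice-approvers", "vendor-bank-editors"}},
    {"user": "bob", "enabled": True, "mfa": True,
     "groups": {"sso-users", "campaign-tools", "billing"}},
    {"user": "carol", "enabled": True, "mfa": False,
     "groups": {"sso-users", "admin-jumphost"}},
    {"user": "dave", "enabled": True, "mfa": True, "groups": {"campaign-tools"}},
    {"user": "erin", "enabled": True, "mfa": True,
     "groups": {"sso-users", "billing", "invoice-approvers"}},
    {"user": "svc-legacy", "enabled": True, "mfa": False, "groups": {"admin-jumphost"}},
]


def review_access(hr_roster, iam_export, templates=ROLE_TEMPLATES,
                  sod_conflicts=SOD_CONFLICTS, privileged=PRIVILEGED_GROUPS):
    """Reconcile enabled IAM accounts against HR and role templates; return findings."""
    hr_by_user = {row["user"]: row for row in hr_roster}
    findings = []

    for acct in iam_export:
        if not acct["enabled"]:
            continue  # already disabled accounts are out of scope for this review
        user, groups = acct["user"], set(acct["groups"])
        hr = hr_by_user.get(user)

        # 1. Offboarding check: HR has no record, or says the person has left.
        if hr is None:
            findings.append(Finding("orphan-account", user, "enabled account with no HR record"))
            continue
        if hr["status"] != "active":
            findings.append(Finding("stale-account", user,
                                    f"HR status {hr['status']} but account still enabled"))
            continue

        # 2. Least privilege: any group outside the role template is excess.
        excess = sorted(groups - templates.get(hr["role"], set()))
        if excess:
            findings.append(Finding("excess-privilege", user,
                                    f"role {hr['role']} does not include {excess}"))

        # 3. MFA is required for every user; note whether the gap is on a privileged account.
        if not acct["mfa"]:
            level = "privileged" if groups & privileged else "standard"
            findings.append(Finding("missing-mfa", user, f"{level} account without MFA"))

        # 4. Segregation of duties: no single person holds a conflicting pair of groups.
        for conflict in sod_conflicts:
            if conflict <= groups:
                findings.append(Finding("sod-conflict", user, f"holds {sorted(conflict)} together"))
    return findings


def offboarding_actions(findings):
    """Expand stale and orphan findings into the revocation steps of the offboarding checklist."""
    actions = []
    for f in findings:
        if f.kind in ("stale-account", "orphan-account"):
            actions += [f"disable SSO account {f.user}",
                        f"revoke VPN certificate for {f.user}",
                        f"rotate shared credentials reachable by {f.user}"]
    return actions


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IAM_EXPORT)
    for f in results:
        print(f"{f.kind:17} {f.user:11} {f.detail}")
    print("\n".join(offboarding_actions(results)))
```

On the constructed data the review flags alice for an excess group and for the invoice/vendor-bank conflict, bob for an out-of-template billing group, carol for a privileged account without MFA, dave as a terminated contractor whose account is still enabled, and svc-legacy as an enabled account with no HR owner; erin is clean. Each finding maps to one of the review actions in the text: remove the excess group, enforce MFA, disable the account, or break up the conflicting assignment. Keeping the role templates in version control and requiring sign-off on changes to them gives the audit trail the control asks for.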
Summary
Combining clear IAM policy, enforced authentication and password controls, RBAC/least-privilege assignments, segregation of duties, secure remote access, automated provisioning/offboarding, and periodic reviews delivers the technical and administrative coverage required by this control. For SMBs, prioritizing SSO with MFA, role templates, documented workflows and automated offboarding gives strong protection with limited operational overhead—meeting the requirement while keeping day-to-day administration manageable and auditable.