Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-4 – The cybersecurity requirements for protecting information systems and information processing facilities must be reviewed periodically.
Understanding the Requirement
This control requires that an organization periodically reviews the set of cybersecurity requirements that protect its information systems and processing facilities. Reviews must follow a documented, approved plan and occur at planned intervals (for example, annually). Any changes discovered during the review process should be recorded and the updated requirements approved by the head of the organization or their deputy so the organization maintains current, authorized protection measures that reflect changes in technology, threats, business needs, and regulatory obligations.
Technical Implementation
- Establish a documented review plan and schedule. Define scope (systems, facilities, services), cadence (e.g., annual, or more frequently for critical systems), roles (owner, reviewers), and deliverables (review report, change log). Store the plan where leadership and relevant teams can access it (secure shared drive or documentation platform).
- Create a concise review checklist tailored to your environment. Include items such as system inventory accuracy, configuration baselines, access control lists, patch status, backup verification, physical access controls, third-party vendor security, and compliance with applicable regulations. Use the checklist during every review to ensure consistent coverage.
- Assign a review owner and a small cross-functional team. For an SMB, the owner might be the IT manager or a designated security lead, with participants drawn from IT operations, facilities, and a business unit representative. The owner is responsible for coordinating evidence collection, running technical checks, and compiling the findings.
- Document findings and proposed changes in a formal change record. For each item, record the issue, risk level, proposed corrective action, responsible party, and target completion date. Keep versioned records (simple version-controlled documents or ticketing system entries) so you can show the history of decisions and approvals.
- Implement an approval workflow that requires sign-off by the head of the organization or their deputy. For SMBs without a formal C-level approver, document a delegated approval process (e.g., CEO or COO approval, or an authorized deputy). Capture approvals in writing (email, signed document, or ticket approval) and retain them with the review artifacts.
- Close the loop with remediation and verification. After approved changes are implemented, verify they were applied correctly (configuration checks, patch verification, access reviews) and record the verification result in the review record. Use simple metrics to track progress, like percent of findings closed within 90 days.
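The change-record, approval and closure steps above can be enforced rather than just described. The following is an added example (not part of the ECC text or any vendor tool) of a minimal review-record tracker: each finding carries the fields the control asks for (issue, risk level, action, responsible party, target date), a finding cannot be closed until an authorized approver has signed off and verification evidence is attached, and the tracker computes the "percent closed within 90 days" metric plus a list of overdue items. The approver names, field names and the five sample findings are constructed assumptions for illustration.

```python
"""Minimal cybersecurity-requirements review tracker (added example, assumptions labelled)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RISK_LEVELS = {"high", "medium", "low"}
# Assumed delegated approvers for this SMB (head of organization or deputy).
APPROVERS = {"CEO", "COO"}


@dataclass
class Finding:
    fid: str                       # record identifier, e.g. ticket number
    issue: str                     # what the review found
    risk: str                      # high / medium / low
    action: str                    # proposed corrective action
    owner: str                     # responsible party
    opened: date                   # date the finding was recorded
    target: date                   # target completion date
    approved_by: Optional[str] = None   # written sign-off, captured by name
    closed: Optional[date] = None       # date remediation was verified
    evidence: Optional[str] = None      # reference to verification artefact


def validate(f: Finding) -> List[str]:
    """Return record defects; an empty list means the change record is complete."""
    problems = []
    if f.risk not in RISK_LEVELS:
        problems.append(f"{f.fid}: unknown risk level {f.risk!r}")
    if not f.owner:
        problems.append(f"{f.fid}: no responsible party assigned")
    if f.target < f.opened:
        problems.append(f"{f.fid}: target date precedes opening date")
    return problems


def approve(f: Finding, approver: str) -> None:
    """Record sign-off; only the head of the organization or deputy may approve."""
    if approver not in APPROVERS:
        raise PermissionError(f"{approver} is not an authorized approver")
    f.approved_by = approver


def close_finding(f: Finding, closed_on: date, evidence: str) -> None:
    """Close only approved findings, and only when verification evidence is recorded."""
    if f.approved_by is None:
        raise ValueError(f"{f.fid}: change not approved; cannot close")
    if not evidence:
        raise ValueError(f"{f.fid}: verification evidence required before closure")
    f.closed = closed_on
    f.evidence = evidence


def percent_closed_within(findings: List[Finding], days: int = 90) -> float:
    """Share of findings closed no later than `days` after they were opened."""
    if not findings:
        return 0.0
    on_time = sum(1 for f in findings
                  if f.closed is not None and (f.closed - f.opened).days <= days)
    return round(100.0 * on_time / len(findings), 1)


def overdue(findings: List[Finding], today: date) -> List[str]:
    """IDs of open findings whose target date has already passed."""
    return [f.fid for f in findings if f.closed is None and f.target < today]


def sample_review() -> List[Finding]:
    """Constructed sample: one annual review with five findings (not real data)."""
    opened = date(2024, 3, 1)
    d = lambda n: opened + timedelta(days=n)
    findings = [
        Finding("F-1", "Outdated firewall rule set", "high", "Remove stale rules", "IT lead", opened, d(30)),
        Finding("F-2", "Expired vendor SOC report", "medium", "Request current report", "Ops manager", opened, d(60)),
        Finding("F-3", "Two stale admin accounts", "high", "Disable accounts", "IT lead", opened, d(14)),
        Finding("F-4", "Backup restore never tested", "medium", "Run restore test", "IT lead", opened, d(90)),
        Finding("F-5", "Wi-Fi passphrase older than policy", "low", "Rotate passphrase", "IT lead", opened, d(120)),
    ]
    for f in findings:
        approve(f, "CEO")                       # written sign-off captured per record
    close_finding(findings[0], d(20), "ticket IT-101: firewall config diff")
    close_finding(findings[2], d(10), "ticket IT-102: directory export")
    close_finding(findings[3], d(100), "ticket IT-103: restore test log")   # late
    return findings


if __name__ == "__main__":
    fs = sample_review()
    for f in fs:
        for p in validate(f):
            print("DEFECT:", p)
    print(f"closed within 90 days: {percent_closed_within(fs)}%")
    print("overdue as of day 120:", overdue(fs, fs[4].target))
```

Running the script reports 40.0% of findings closed within 90 days (F-4 was verified on day 100, so it counts as closed but not on time) and flags F-2 as overdue; the `close_finding` guard is what turns the "approval before implementation" rule into something the record system enforces rather than something a reviewer has to remember.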
Example in a Small or Medium Business
The owner of IT at a 60-person marketing agency sets up an annual cybersecurity requirements review as part of the company’s operational calendar. They define scope to include the hosted CRM, file servers, VPN, office Wi‑Fi, and the data center provider contract. A three-person review team (IT lead, operations manager, and a senior account manager) uses a standardized checklist to validate system inventories, patch levels, account privileges, and third-party contractual protections. The team documents five findings, including an outdated firewall rule set and an expired vendor SOC report. Each finding is entered into the ticketing system with assigned owners and target dates. The IT lead prepares a one-page summary and submits it to the CEO for approval of the proposed changes. Once approved, IT applies the firewall changes, requests an updated SOC report from the vendor, and confirms remediation via screenshots and logs. The closure evidence and the CEO’s approval are saved in the company’s secure documentation folder, and the review schedule is updated to trigger the next annual review.
Summary
Periodic review of cybersecurity requirements is a low-cost, high-impact control for SMBs. By putting a simple documented plan, a reusable checklist, a named owner, and a clear approval and record-keeping process in place, small organizations can ensure protections stay current with business changes and threats. Combining policy (documented schedule and approval) with technical measures (inventory checks, configuration verification, patching, and remediation tracking) fulfills the control and provides clear evidence of governance and continuous improvement.