
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-4

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-4

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-4 – The cybersecurity requirements for network security management must be reviewed periodically

Understanding the Requirement

This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to establish a repeatable, documented process to review the set of cybersecurity requirements that govern network security management. The intent is to ensure network controls, configurations and policies stay current with changing risks, technology, operational needs and applicable laws — and that reviews are scheduled, executed by the cybersecurity function in cooperation with relevant departments (for example, IT), and formally documented and approved.

Technical Implementation

  • Establish a documented review plan and cadence. Define a review schedule (for example, quarterly) and triggers for out-of-cycle reviews (such as major incidents, network architecture changes, mergers, or regulatory updates). Put the cadence and triggers in a short, approved plan that specifies scope, participants, and outputs.

  • Assign clear roles and responsibilities. Designate the cybersecurity function as the owner of the review process, with IT operations responsible for implementing technical changes. Identify a single approver (e.g., the head of the organization or their deputy) who will sign off on changes, and maintain a documented delegation if approvals are delegated.

  • Use checklists and tool-assisted evidence collection. Create a standard checklist covering critical network items (firewall rules, segmentation, VPN access, remote access controls, IDS/IPS tuning, patch level, logging/monitoring settings). Run the review through a compliance management or ticketing system so that evidence, statuses and approvals are captured in one record; email is acceptable only for minor updates, and even those should be attached to the review record so the audit trail stays complete.

  • Perform risk-based validation and testing. For each proposed change or confirmed requirement, assess impact and likelihood, run configuration validation (e.g., firewall rule review, vulnerability scans, segmentation tests), and, where practical, perform controlled tests in a lab or staging environment before applying changes to production.

  • Document changes, decisions and approvals. Keep a change log that records what was reviewed, the outcome, the technical changes applied, date/time, who performed the work, and explicit approval by the designated executive. Retain review evidence for your retention period to support audits and regulatory inquiries.

  • Monitor legal and regulatory changes and incorporate them into reviews. Maintain a short watchlist of laws, industry rules and customer contractual obligations that affect network security; update the review plan and requirements immediately when obligations change.

Example in a Small or Medium Business

Acme Financial Services is a 60-person SMB that manages client financial data and uses a modest cloud-hosted network with on-premises VPN and a firewall. The company’s security lead develops a documented quarterly review plan that lists what will be checked each quarter: firewall rules, VPN access lists, segmentation between client data and general office networks, logging/retention settings, and patch status of network appliances. The security lead schedules a one-hour review meeting with the IT manager and a representative from operations; they run automated vulnerability and configuration scans ahead of the meeting and attach results to the review ticket in their compliance system. During the review they identify an outdated VPN configuration that permits legacy protocols; the IT manager implements a mitigation in a staging environment, documents the change in the ticket, and schedules a maintenance window to deploy to production. The security lead updates the requirement document to remove the legacy protocol allowance and annotates the change log. Because the change touches client data handling, the head of the company reviews the ticket summary and signs off electronically. Acme keeps the review artifacts for two years to support client audits and updates the review plan immediately after a new regional data protection guideline is announced to ensure continued compliance.
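The checklist-driven validation described under Technical Implementation, and the legacy-protocol VPN finding in the Acme walkthrough above, can be turned into a repeatable pre-meeting check. The script below is an added example written for this guide, not code from the ECC or from any product on this page. It encodes a handful of documented network requirements as checks, runs them against a constructed firewall rule table, VPN configuration and logging settings, and produces the review record that would be attached to the review ticket. The requirement IDs (NET-01 to NET-04), the rule export format, the segment names, the 90-day retention threshold and the set of protocols treated as legacy are all assumptions chosen for illustration.

```python
"""Added example: a checklist-driven periodic network requirements review.
Sample data, requirement IDs, thresholds and field names are assumptions."""
from dataclasses import dataclass, field

# Constructed sample: a flattened firewall rule table, in the shape a small
# firewall or cloud security group export might produce. Not production data.
FIREWALL_RULES = [
    {"id": 1, "src": "office-lan", "dst": "client-data", "port": "any", "proto": "any", "action": "allow"},
    {"id": 2, "src": "office-lan", "dst": "client-data", "port": "443", "proto": "tcp", "action": "allow"},
    {"id": 3, "src": "any", "dst": "any", "port": "any", "proto": "any", "action": "allow"},
    {"id": 4, "src": "vpn-pool", "dst": "client-data", "port": "443", "proto": "tcp", "action": "allow"},
    {"id": 5, "src": "any", "dst": "any", "port": "any", "proto": "any", "action": "deny"},
]

# Constructed sample of the remote-access appliance settings (pptp still enabled).
VPN_CONFIG = {"protocols": ["ikev2", "pptp"], "mfa_required": True}

# Constructed sample of log retention settings, in days.
LOGGING_CONFIG = {"firewall_log_retention_days": 120, "vpn_log_retention_days": 120}

# Assumed definition of "legacy" for requirement NET-03.
LEGACY_VPN_PROTOCOLS = {"pptp", "l2tp"}


@dataclass
class Finding:
    requirement: str
    status: str                       # "pass" or "fail"
    evidence: list = field(default_factory=list)


# Each check returns (passed, evidence lines). Evidence is what goes in the ticket.
def check_no_any_any_allow(rules, vpn, logging):
    bad = [f"rule {r['id']}: allow any->any" for r in rules
           if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any"]
    return not bad, bad


def check_segmentation_office_to_client_data(rules, vpn, logging):
    # Assumed requirement: only tcp/443 may cross from office-lan into client-data.
    bad = [f"rule {r['id']}: office-lan->client-data {r['proto']}/{r['port']}"
           for r in rules
           if r["action"] == "allow" and r["src"] == "office-lan"
           and r["dst"] == "client-data"
           and not (r["proto"] == "tcp" and r["port"] == "443")]
    return not bad, bad


def check_vpn_no_legacy_protocols(rules, vpn, logging):
    bad = [f"vpn: legacy protocol {p} enabled"
           for p in vpn["protocols"] if p in LEGACY_VPN_PROTOCOLS]
    return not bad, bad


def check_log_retention(rules, vpn, logging, minimum_days=90):
    bad = [f"logging: {k}={v} < {minimum_days}" for k, v in logging.items() if v < minimum_days]
    return not bad, bad


# The documented requirement set, in review-checklist order.
REQUIREMENTS = {
    "NET-01 no unrestricted allow rules": check_no_any_any_allow,
    "NET-02 office to client-data limited to tcp/443": check_segmentation_office_to_client_data,
    "NET-03 VPN permits no legacy protocols": check_vpn_no_legacy_protocols,
    "NET-04 network logs retained >= 90 days": check_log_retention,
}


def run_review(rules, vpn, logging):
    """Evaluate every documented requirement and return one Finding per requirement."""
    findings = []
    for name, check in REQUIREMENTS.items():
        ok, evidence = check(rules, vpn, logging)
        findings.append(Finding(name, "pass" if ok else "fail", evidence))
    return findings


def review_record(findings, reviewer, review_date):
    """Build the artifact attached to the review ticket: each requirement, its
    outcome and the evidence behind it, plus who ran it and when. The approver
    field is left empty for the designated executive to fill in at sign-off."""
    return {
        "reviewer": reviewer,
        "date": review_date,
        "requirements_reviewed": len(findings),
        "failed": [f.requirement for f in findings if f.status == "fail"],
        "findings": [{"requirement": f.requirement, "status": f.status, "evidence": f.evidence}
                     for f in findings],
        "approved_by": None,
    }


if __name__ == "__main__":
    record = review_record(run_review(FIREWALL_RULES, VPN_CONFIG, LOGGING_CONFIG),
                           "security lead", "2026-01-17")
    for f in record["findings"]:
        print(f["status"].upper(), f["requirement"])
        for line in f["evidence"]:
            print("   ", line)
    print("failed:", len(record["failed"]), "of", record["requirements_reviewed"])
```

Against the constructed input the review fails NET-01 (the any-to-any allow at rule 3), NET-02 (rule 1 lets all office traffic into the client-data segment) and NET-03 (pptp still enabled), and passes NET-04. Rerunning the same checks after the staged change that drops pptp is how the ticket shows the finding was closed; the evidence lines are the part worth keeping for the two-year retention window, because they let an auditor see exactly which rule or setting triggered each finding rather than only a pass/fail count.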

Summary

Periodic, documented reviews tie policy to technical controls: a clear plan and cadence ensure reviews happen regularly, role definitions ensure accountability, checklists and automated scans provide repeatable technical validation, and documented approvals demonstrate governance. For SMBs this approach keeps network security requirements current with operational changes and legal obligations while producing the evidence needed for audits and informed decision-making.
