Requirement
Essential Cybersecurity Controls (ECC-2:2024) - Control 2-6-1 - Cybersecurity requirements for mobile devices security and BYOD must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to create a formal, written policy that specifies security requirements for both corporate mobile devices and personal devices used for work (BYOD), then obtain documented approval from executive management. The policy should define scope, acceptable use, minimum technical controls, enrollment and de‑enrollment processes, and administrative responsibilities so that employees know what is permitted and IT teams have clear rules to enforce. Approval from the organization head or a delegated deputy demonstrates leadership support and gives the policy authority for consistent enforcement.
Technical Implementation
- Draft a concise mobile & BYOD policy document that covers scope, roles, device eligibility, acceptable use, data classification, and disciplinary measures. Include specific minimum requirements such as OS patching cadence, required device PIN/passcode complexity, and mandatory disk/device encryption.
- Implement an enrollment and lifecycle process: require device registration, documented owner consent, automated onboarding steps (configuration profiles), and clear offboarding procedures that include secure removal of corporate data and revocation of access when an employee leaves or a device is lost.
- Use a mobile device management (MDM) or mobile application management (MAM) solution to enforce configuration: enforce OS updates, push security settings, restrict risky applications, deploy corporate apps in a container, and enable remote wipe for lost/stolen devices. For small budgets, prioritize MAM for BYOD to separate corporate data from personal data.
- Apply access control and network protections: require multi-factor authentication for corporate email and cloud apps, limit access to sensitive systems based on device posture (e.g., only allow access from devices that meet minimum controls), and require use of company VPN or split-tunnel protections for sensitive traffic.
- Define monitoring, incident response and audit steps: log device enrollments, failed access attempts and remote wipe actions; run quarterly compliance checks; and include mobile device scenarios in your incident response playbook (lost device, compromised app, unauthorized access).
- Secure formal approval and governance: present the policy to executive management for documented sign-off, assign a policy owner (usually IT or security lead), and schedule regular review cycles (at least annually or after major changes in tooling or legislation).
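One way to script the quarterly compliance check from the monitoring step, as an added example that is not part of the ECC text or of any MDM product: it evaluates a constructed MDM inventory export against the minimum controls named above (enrollment, encryption, passcode length, OS patch age) and returns the exception list to escalate. The policy thresholds, field names and sample devices are assumptions.

```python
"""Device posture check against a mobile/BYOD policy (illustrative, not an ECC or vendor artifact)."""
from dataclasses import dataclass
from datetime import date

# Illustrative minimum controls taken from the policy bullets; the numeric thresholds are assumptions.
POLICY = {
    "require_enrollment": True,   # device must be registered in MDM/MAM
    "require_encryption": True,   # device encryption must be on
    "min_passcode_length": 6,     # PIN/passcode complexity
    "max_patch_age_days": 30,     # OS patching cadence
}

@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str        # "corporate" or "byod"
    enrolled: bool
    encrypted: bool
    passcode_length: int
    os_patch_date: date   # date the last OS security update was installed

def evaluate(device: Device, as_of: date, policy=POLICY) -> list[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if policy["require_enrollment"] and not device.enrolled:
        findings.append("not enrolled in MDM/MAM")
    if policy["require_encryption"] and not device.encrypted:
        findings.append("device encryption disabled")
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    patch_age = (as_of - device.os_patch_date).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"OS security update {patch_age} days old (limit {policy['max_patch_age_days']})")
    return findings

def quarterly_report(devices, as_of: date) -> dict[str, list[str]]:
    """Map each non-compliant device id to its findings: the exception list escalated to HR/management."""
    return {d.device_id: f for d in devices if (f := evaluate(d, as_of))}

# Constructed sample inventory and check date (not real data).
AS_OF = date(2024, 6, 10)
SAMPLE = [
    Device("D-001", "a.ahmed", "corporate", True, True, 6, date(2024, 5, 20)),
    Device("D-002", "s.khan", "byod", True, False, 4, date(2024, 3, 1)),
    Device("D-003", "m.ali", "byod", False, True, 8, date(2024, 6, 1)),
]

if __name__ == "__main__":
    for dev_id, findings in quarterly_report(SAMPLE, AS_OF).items():
        print(dev_id, "->", "; ".join(findings))
```

In practice the inventory would come from the MDM/MAM console export rather than an inline list, and the same `evaluate` logic can gate access by device posture before granting entry to sensitive systems.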
Example in a Small or Medium Business
A 45‑person design firm implements Control 2-6-1 by drafting a one‑page mobile and BYOD policy that states which company services are allowed on personal devices, minimum password requirements, mandatory encryption, and the onboarding process. The IT manager prepares the policy and presents it to the CEO and the operations director, who formally approve and sign the document. The firm purchases an affordable MDM/MAM subscription and configures an automated enrollment profile that installs corporate email and a secure files container while leaving personal apps untouched. Employees who want to use BYOD sign a short consent form, register their device, and receive brief training during onboarding that explains remote wipe, acceptable use, and how to report loss or theft. When an employee leaves, the IT team remotely removes corporate apps and data while leaving personal information intact. Quarterly spot checks ensure enrolled devices have current OS versions and meet encryption requirements, and any compliance exceptions are escalated to HR and the operations director. The signed policy plus the MDM controls give the company the documentation and technical enforcement it needs to meet the requirement and demonstrate leadership support if auditors or customers ask for evidence.
Summary
Defining and documenting mobile device and BYOD requirements, and obtaining executive approval, creates the organizational authority needed to enforce controls. Pairing that policy with practical technical measures — device enrollment, MDM/MAM, enforced encryption and updates, access controls, and incident procedures — gives SMBs a clear, cost‑effective path to secure mobile usage while preserving employee flexibility. Regular reviews and documented sign‑off from leadership ensure the policy remains current and enforceable.