Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-6-4 – The cybersecurity requirements for mobile devices security and BYOD must be reviewed periodically.
Understanding the Requirement
This control requires organizations to perform periodic reviews of their mobile device and BYOD cybersecurity requirements according to a documented and approved review plan and schedule. The review should be led by the cybersecurity function in cooperation with relevant departments (for example, IT), use either manual or automated channels to collect evidence, and include updates when laws or business conditions change. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the process must produce documented changes that are approved by senior management.
Technical Implementation
- Create a documented review plan with defined intervals:
  Draft a short, approved schedule that specifies who reviews what, how often (example: quarterly for high-risk groups, annually for others), and the evidence required (policy versions, MDM logs, exception lists). Store the plan where the cybersecurity team and IT can access it and reference it during audits.
- Maintain a current device and BYOD inventory:
  Use an MDM/EMM solution or a lightweight inventory spreadsheet for very small businesses. Track ownership, OS/version, last-seen timestamp, installed corporate apps, and compliance status. The inventory is the primary input to any periodic review and helps identify unmanaged devices quickly.
- Automate evidence collection where practical:
  Configure MDM logs, conditional access reports, and endpoint protection dashboards to produce periodic reports (CSV or PDF) that show policy application, patch levels, encryption status, and policy exceptions. Where automation isn't feasible, collect evidence via a standardized manual checklist performed by IT.
- Review policies and controls against changes in law, risk, and business need:
  At each review interval, check whether legal/regulatory changes, new apps or integrations, or shifts in remote-work practices require updates to the BYOD policy, acceptable use rules, or technical controls (e.g., mandatory device encryption, containerization, or corporate app restrictions).
- Document findings, approvals, and remediation actions:
  Summarize review results in a short report that lists noncompliant devices, exceptions, required policy edits, and timelines for remediation. Require sign-off by the head of the organization or a delegated officer and track remedial tasks to closure in a ticketing system or a simple spreadsheet.
- Embed follow-up and continuous improvement:
  After each review, schedule corrective actions (patching, re-enrollment, policy changes) and measure the closure rate. Use the next review to validate that previous issues were resolved and that controls remain effective.
Example in a Small or Medium Business
Acme Design Studio has 45 employees, and half use personal devices for email and some company apps. The IT manager creates a simple quarterly review plan that lists the cybersecurity team, the IT admin, and the HR representative as reviewers. They use the company's MDM to export a compliance report showing device encryption, OS versions, and whether the corporate container is present. During the first quarterly review they find eight devices that failed to install the corporate container and three older phones running unsupported OS versions. The team documents these findings, opens tickets to re-enroll or remove access, and updates the BYOD policy to require OS version minimums and automatic EMM enrollment for corporate email. The report is sent to the CEO for approval; the CEO signs off on the policy changes and remediation deadlines. Over the next month, IT closes the tickets and verifies compliance in the next scheduled report, noting improved enrollment and no further exceptions.
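The checks from the implementation steps above (inventory fields, evidence collection from an MDM export, findings, closure rate) and the Acme review, as an added Python example that is not part of the ECC text or of any MDM product: it parses a constructed compliance export, flags devices that fail the review rules, and measures how many previously flagged devices were resolved. The column names, minimum OS versions and the 30-day staleness threshold are assumptions standing in for an organization's own policy values.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample of an MDM/EMM compliance export (not a real product format).
SAMPLE_EXPORT = """\
device_id,owner,ownership,os,os_version,encrypted,container_installed,last_seen
d01,alice,personal,ios,17.4,yes,yes,2024-06-01
d02,bob,personal,android,11,yes,no,2024-05-30
d03,carol,corporate,android,14,yes,yes,2024-06-02
d04,dave,personal,ios,15.7,no,yes,2024-03-15
"""
REVIEW_DATE = date(2024, 6, 3)  # date of this review cycle (constructed)

# Minimum supported OS versions: assumed policy values, not taken from the ECC text.
MIN_OS = {"ios": (16, 0), "android": (12, 0)}
STALE_DAYS = 30  # a device unseen this long is treated as unmanaged


def parse_version(text):
    """Turn '17.4' or '11' into a tuple of ints that compares correctly."""
    return tuple(int(p) for p in text.split("."))


def review_export(csv_text, today, min_os=MIN_OS, stale_days=STALE_DAYS):
    """Return {device_id: [issues]} for every device that fails a review rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["container_installed"].lower() != "yes":
            issues.append("corporate container missing")
        if row["encrypted"].lower() != "yes":
            issues.append("device not encrypted")
        platform = row["os"].lower()
        if parse_version(row["os_version"]) < min_os.get(platform, (0,)):
            issues.append("unsupported OS version")
        seen = datetime.strptime(row["last_seen"], "%Y-%m-%d").date()
        if (today - seen).days > stale_days:
            issues.append(f"not seen for {(today - seen).days} days")
        if issues:
            findings[row["device_id"]] = issues
    return findings


def closure_rate(previous, current):
    """Share of devices flagged last review that are clean in the current one."""
    if not previous:
        return 1.0
    resolved = [device for device in previous if device not in current]
    return len(resolved) / len(previous)


if __name__ == "__main__":
    for device, issues in review_export(SAMPLE_EXPORT, REVIEW_DATE).items():
        print(device, "; ".join(issues))
```

The per-device findings feed the review report and the remediation tickets; running the same script on the next export and passing both results to closure_rate gives the figure the follow-up step asks for.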
Summary
Periodic, documented reviews of mobile device and BYOD requirements ensure policies remain aligned with risk, technology, and legal changes. For SMBs this means combining a simple, approved review plan, an accurate device inventory, automated or checklist-driven evidence collection, clear remediation steps, and senior management sign-off. When these policy and technical measures are executed on a regular schedule and tracked to closure, they provide an auditable, repeatable method to keep mobile security controls effective and up to date.