Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-7-2 – The cybersecurity requirements for protecting and handling data and information must be implemented.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework requires an organization to implement concrete cybersecurity measures that protect and properly handle all data and information assets. At minimum, the organization must define ownership of data, apply a consistent classification scheme, and label information to indicate its classification. The control also expects an actionable plan and ongoing monitoring to ensure protection measures match each asset's classification and that internal and external stakeholders follow the same rules.
Technical Implementation
-
Inventory and assign ownership: Create a simple data inventory (spreadsheet or lightweight asset management tool) listing data repositories, types of data, and an assigned data owner for each item. Owners are responsible for classification, access approvals, and lifecycle decisions.
-
Establish a classification scheme and labeling standard: Define 3–4 classification levels (for example: Public, Internal, Confidential, Restricted). Specify criteria for each level (impact to business, legal/regulatory requirements) and a clear label format (file header, metadata tag, or filename suffix) so both users and automated tools can detect classification.
-
Apply controls by classification: Map technical controls to each classification level. For Confidential/Restricted data, require encryption at rest and in transit, role-based access control, MFA for privileged accounts, and DLP rules on mail and cloud storage. For Internal data, use access controls and backup procedures; Public data may have minimal controls.
-
Create and implement an action plan: Develop a pragmatic rollout plan with milestones—inventory completion, classification policy published, labeling applied to critical repositories, controls deployed, and user training delivered. Track progress with simple metrics (percentage of repositories classified, percentage of confidential data encrypted).
-
Operationalize monitoring and review: Configure logging and periodic audits to validate that labeled data is stored and transmitted according to policy. Owners should review classification and access quarterly (or when there are business changes) and update labels/controls as needed. Include third-party data handling in vendor assessments and contracts.
Example in a Small or Medium Business
A 40-person marketing agency starts by identifying where client data lives: cloud storage buckets, shared drives, and a CRM. They appoint a data owner for client accounts and another for internal HR records. The agency defines four classification levels—Public, Internal, Confidential, Restricted—and publishes a one-page classification guide. For Confidential client files they enable encryption on their cloud provider, restrict folder access to the client team, and add automatic DLP rules to block sending those files to external email addresses. They implement filename tags and metadata labels using the cloud platform's tagging features so files are searchable by classification. The agency rolls out a short training session for staff that explains how to tag documents and requests access changes through a standardized ticket. Finally, they set a quarterly review where data owners audit access lists, confirm encryption settings, and update classification for any files that change in sensitivity—ensuring compliance for both internal workflows and external client obligations.
Summary
Implementing this control means formalizing who owns data, how it is classified and labeled, and ensuring technical controls are applied consistently to match that classification. For SMBs, the practical path is inventory → classify → label → protect → monitor: assign owners, adopt a simple classification scheme, apply encryption and access controls based on sensitivity, and establish an action plan with regular reviews. These policy and technical measures together create clear accountability, reduce the risk of mishandling, and make it feasible to demonstrate ongoing protection to stakeholders and partners.
