How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 3-1-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 3-1-1

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 3-1-1 – Cybersecurity requirements for business continuity management must be defined, documented and approved.

Understanding the Requirement

This control requires your organization to explicitly include cybersecurity needs inside its business continuity management (BCM) processes: define what cybersecurity systems and procedures must continue during disruptions, document incident response and disaster recovery expectations, and obtain formal approval from senior leadership. This guidance is aligned with the Essential Cybersecurity Controls (ECC – 2 : 2024) and focuses on ensuring continuity, incident response integration, and a defined disaster recovery approach supported by executive sign-off.

Technical Implementation

  • Create a short cybersecurity-BCM policy: Draft a one- to two-page policy that states the objective (maintain cybersecurity posture during disruptions), scope (systems, people, processes), roles (BCM owner, cybersecurity owner, recovery lead), and required approvals (CEO or deputy). Keep it simple and attach it to your BCM documentation.
  • Identify and prioritize critical cybersecurity assets: Maintain an inventory of critical systems (e.g., authentication servers, SIEM/log collectors, backup servers, VPN, email gateways). For each asset, record the owner, the required recovery time objective (RTO), the recovery point objective (RPO), and the minimum acceptable functionality during an incident.
  • Integrate an incident response appendix into the BCM plan: Document how cybersecurity incidents map to business impact levels, escalation paths, communication templates, and who triggers business continuity actions. Include technical steps to isolate affected systems, preserve evidence, and switch to alternate controls or failover environments.
  • Develop and document a Disaster Recovery Plan (DRP): For prioritized assets define recovery procedures (restore from backups, failover to secondary sites, cloud restore steps), roles, runbooks with step-by-step commands or links, and verification checks. Store DR runbooks securely but accessibly during an incident.
  • Obtain and record executive approval: Present the policy, prioritized asset list, incident response appendix, and DRP to the head of the organization or their deputy for formal sign-off. Record approval in the BCM documentation and note the next review date. Executive sponsorship should also authorize necessary budgets for testing and DR resources.
  • Test, train, and maintain: Schedule tabletop exercises and at least annual technical recovery tests (partial or full) for critical systems. After each test or real incident, update the documentation, adjust RTO/RPO assumptions, and obtain executive re-approval for material changes.
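The asset inventory, approval record and annual test cadence described in the steps above can be kept in a small machine-readable file and checked automatically before each review. The script below is an added example written for this guide, not code from the original page or from any named product; the inventory data is constructed, and the field names (`owner`, `rto_hours`, `rpo_hours`, `min_function`, `last_restore_test`, `policy_approval`) are assumptions chosen for the illustration. It flags assets missing a required field, assets never restore-tested or tested more than a year ago, and a policy with no recorded approval or an overdue review date.

```python
"""Validate a cybersecurity-BCM asset inventory against ECC 3-1-1 expectations.

Constructed example: the inventory below is sample data, not a real
organisation's records. Field names are assumptions for this illustration.
"""
from datetime import date, timedelta

# Constructed sample inventory mirroring the guide's critical-asset list.
# Deliberately includes gaps so the checker has something to report.
INVENTORY = {
    "policy_approval": {
        "approver": "CEO",            # head of organisation or deputy
        "approved_on": "2025-11-03",
        "next_review": "2026-05-03",  # six-month review cadence
    },
    "assets": [
        {"name": "authentication server", "owner": "CTO", "rto_hours": 4,
         "rpo_hours": 1, "min_function": "SSO login for staff",
         "last_restore_test": "2025-09-15"},
        {"name": "backup server", "owner": "IT manager", "rto_hours": 8,
         "rpo_hours": 24, "min_function": "restore capability",
         "last_restore_test": "2024-06-01"},          # stale test
        {"name": "SIEM/log collector", "owner": "Security lead", "rto_hours": 24,
         "rpo_hours": 4, "min_function": "",            # missing field
         "last_restore_test": None},                    # never tested
        {"name": "customer portal", "owner": "", "rto_hours": 2,   # no owner
         "rpo_hours": 0.5, "min_function": "read-only portal",
         "last_restore_test": "2025-12-01"},
    ],
}

REQUIRED_FIELDS = ("owner", "rto_hours", "rpo_hours", "min_function")
TEST_INTERVAL = timedelta(days=365)  # at least one technical recovery test per year


def _parse_date(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def check_inventory(inventory, today):
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []

    approval = inventory.get("policy_approval", {})
    if not approval.get("approver") or not approval.get("approved_on"):
        findings.append("policy: no recorded executive approval")
    next_review = _parse_date(approval.get("next_review"))
    if next_review is None:
        findings.append("policy: no next review date recorded")
    elif next_review < today:
        findings.append(f"policy: review overdue since {next_review.isoformat()}")

    for asset in inventory.get("assets", []):
        name = asset.get("name", "<unnamed>")
        for field in REQUIRED_FIELDS:
            # Explicit None/"" test so a legitimate value of 0 is not treated as missing.
            if asset.get(field) in (None, ""):
                findings.append(f"{name}: missing {field}")
        last_test = _parse_date(asset.get("last_restore_test"))
        if last_test is None:
            findings.append(f"{name}: never restore-tested")
        elif today - last_test > TEST_INTERVAL:
            findings.append(
                f"{name}: restore test older than one year ({last_test.isoformat()})")
    return findings


def run_sample(today=date(2026, 1, 17)):
    """Check the constructed inventory as of a fixed date (the article's date)."""
    return check_inventory(INVENTORY, today)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the block prints four findings for the constructed data: the backup server's stale restore test, the SIEM's empty minimum-function field and missing test, and the portal's missing owner. Replacing the embedded dictionary with one loaded from a YAML or JSON file committed alongside the BCM documentation turns the same check into a pre-review gate.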

Example in a Small or Medium Business

Consider a 50-person software company whose revenue depends on a customer portal and internal DevOps tools. The IT manager drafts a one-page cybersecurity-BCM policy that names the CTO as the cybersecurity owner and the COO as the BCM owner, lists critical assets (authentication server, payment gateway, CI/CD pipeline, backups), and specifies RTOs. The team builds an incident response appendix describing how a portal compromise triggers immediate containment steps, communications to customers, and activation of the DRP for the portal. They write a Disaster Recovery Plan that details how to restore the portal from encrypted cloud backups and how to failover DNS to a clean environment. The CTO presents the policy and DRP to the CEO, who formally approves it and allocates budget for a quarterly tabletop exercise and one full restore test per year. During the first test the team discovers a missing step in the backup restore runbook and updates the documentation; the CEO signs off on the revised plan. The company records lessons learned, trains the support team on the new failover checklist, and sets a six-month review cadence to keep the BCM aligned with technical changes.

Summary

Defining, documenting, and securing executive approval for cybersecurity requirements within BCM turns informal practices into repeatable, testable procedures. A concise policy, prioritized asset inventory with RTO/RPO, an incident response appendix, and a detailed disaster recovery plan—combined with executive sign-off and periodic testing—ensure your SMB can preserve critical cybersecurity capabilities during disruptions while meeting the control's approval and governance expectations.

 
