Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-2-1 – Cybersecurity requirements related to the use of hosting and cloud computing services must be defined, documented and approved.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework requires organizations to produce a formal, approved policy that governs the use of hosting and cloud services. The policy should specify contract requirements for providers, geographic and data residency constraints, procedures for data removal and retrieval, mandatory data classification before moving data to a host or cloud, and inclusion of Service Level Agreements (SLAs) and non-disclosure clauses. Executive management must review and sign off on the policy so it becomes an approved, enforceable organizational requirement.
Technical Implementation
- Create a cloud/hosting policy document: Draft a concise policy that states permitted cloud use cases, required approval workflows (who can approve a cloud service), and the minimum security requirements vendors must meet. Include a one-page checklist for procurement and IT to use during vendor selection.
- Contract and SLA minimums: Define mandatory contract clauses such as data ownership, incident notification timelines (e.g., 72 hours), breach liability language, uptime SLAs (with credits/remedies), and requirements for audit rights or third-party assessments (SOC 2, ISO 27001). Put these as non-negotiable items in your vendor onboarding checklist.
- Data location and residency controls: Specify allowed hosting regions or countries per data classification, and treat backups, replicas and vendor support access as in scope, not just primary storage. Implement technical controls (resource tagging paired with organization-level policies that deny provisioning outside approved regions) so workloads or storage cannot be created elsewhere; tags alone only label resources, so back them with an enforced deny rule. Require the vendor to document where data will be stored, replicated and backed up.
- Data removal and retrieval process: Define and test procedures for secure data deletion, return of data at contract end, and proof of deletion, covering backups and replicas as well as primary storage. Require vendors to provide a certificate of secure erasure or documented steps for data destruction, and to commit to timelines and formats for data retrieval in case of termination.
- Pre-hosting data classification: Implement a simple classification workflow (e.g., Public / Internal / Confidential / Restricted) that must be completed before any data or system is moved to hosting/cloud. Only allow approved classifications to be hosted in selected environments and enforce via procurement and change-control gates.
- Executive approval and governance: Formalize an approval step where the head of the organization or their deputy signs off on the policy and any exceptions. Maintain a register of approved vendors, approved regions, and documented exceptions so leadership can review periodically.
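The steps above can be turned into a change-control gate that runs before any provisioning request is approved. The following Python is an added example, not part of the ECC text or any vendor's tooling: it models the classification-to-region rule, the approved-vendor register and the executive exceptions log as data, evaluates a request against them, and renders the residency rule as an AWS Service Control Policy (the `aws:RequestedRegion` condition key is real; the vendor names, region choices, dates, and the list of global services exempted in `NotAction` are assumptions).

```python
"""Change-control gate for hosting/cloud requests (added example, not from the ECC
text). The policy elements above are modelled as data: a classification-to-region
map, an approved-vendor register and executive-approved exceptions. Every vendor,
region, date and request below is constructed sample data."""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

CLASSIFICATIONS = ("Public", "Internal", "Confidential", "Restricted")
# Assumed residency rule; an empty tuple means "not hostable without an exception".
ALLOWED_REGIONS = {"Public": ("me-south-1", "eu-west-1"), "Internal": ("me-south-1", "eu-west-1"),
                   "Confidential": ("me-south-1",), "Restricted": ()}
# Constructed vendor register: contract evidence gathered during onboarding.
APPROVED_VENDORS = {
    "acme-cloud": {"residency_documented": True, "breach_notice_hours": 72,
                   "deletion_certificate": True, "nda": True},
    "budget-host": {"residency_documented": False, "breach_notice_hours": 168,
                    "deletion_certificate": False, "nda": True},
}

@dataclass(frozen=True)
class HostingRequest:
    system: str
    classification: Optional[str]  # None models a skipped classification step
    vendor: str
    region: str

@dataclass(frozen=True)
class ApprovedException:
    system: str
    approver: str  # head of the organization or deputy, per the policy
    allow_region: str
    expires: date

@dataclass
class Decision:
    allowed: bool
    denials: List[str] = field(default_factory=list)
    exception_used: Optional[ApprovedException] = None

TODAY = date(2024, 9, 1)  # constructed reference date
SAMPLE_EXCEPTIONS = [
    ApprovedException("customer-portal", "CEO", "eu-west-1", date(2024, 12, 31)),
    ApprovedException("legacy-crm", "COO", "eu-west-1", date(2024, 6, 30)),  # expired
]

def vendor_gaps(vendor: str, max_notice_hours: int = 72) -> List[str]:
    """Contract minimums the vendor fails; an empty list means compliant."""
    terms = APPROVED_VENDORS.get(vendor)
    if terms is None:
        return [f"vendor '{vendor}' is not in the approved register"]
    checks = [(not terms["residency_documented"], "storage and backup locations not documented"),
              (terms["breach_notice_hours"] > max_notice_hours,
               f"breach notification {terms['breach_notice_hours']}h exceeds {max_notice_hours}h"),
              (not terms["deletion_certificate"], "no proof-of-deletion obligation"),
              (not terms["nda"], "no non-disclosure clause")]
    return [msg for failed, msg in checks if failed]

def evaluate(req: HostingRequest, exceptions: List[ApprovedException], today: date) -> Decision:
    """Apply the gate in order: classification, vendor minimums, then residency."""
    if req.classification not in CLASSIFICATIONS:
        return Decision(False, ["data not classified before the hosting request"])
    d = Decision(True, vendor_gaps(req.vendor))
    if req.region not in ALLOWED_REGIONS[req.classification]:
        # An out-of-policy region passes only via an unexpired, logged exception.
        d.exception_used = next((e for e in exceptions if e.system == req.system
                                 and e.allow_region == req.region and e.expires >= today), None)
        if d.exception_used is None:
            d.denials.append(f"region {req.region} not approved for {req.classification} data")
    d.allowed = not d.denials
    return d

def region_deny_scp(classification: str) -> dict:
    """Render the residency rule as an AWS Service Control Policy that denies API calls
    aimed outside the approved regions (aws:RequestedRegion is the AWS global condition
    key for this). The NotAction list exempting global services is an assumption."""
    regions = ALLOWED_REGIONS[classification]
    if not regions:
        raise ValueError(f"{classification} data has no approved cloud region; refuse at the gate")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"DenyOutsideApprovedRegions{classification}", "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"], "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(regions)}}}]}

if __name__ == "__main__":
    for req in (HostingRequest("file-storage", "Confidential", "acme-cloud", "me-south-1"),
                HostingRequest("file-storage", "Confidential", "budget-host", "me-south-1"),
                HostingRequest("customer-portal", "Confidential", "acme-cloud", "eu-west-1"),
                HostingRequest("wiki", None, "acme-cloud", "me-south-1")):
        d = evaluate(req, SAMPLE_EXCEPTIONS, TODAY)
        print(f"{req.system:16} {'ALLOW' if d.allowed else 'DENY':5} {d.denials}")
    print(json.dumps(region_deny_scp("Confidential"), indent=2))
```

The order of checks matters: an unclassified request is refused before any vendor or region question is asked, which is exactly the gate the classification step calls for. Exceptions are matched by system, region and expiry date so that an old sign-off cannot silently keep authorising a deviation, and the "Restricted" class deliberately has no approved region, so the SCP generator refuses rather than emitting a policy with an empty region list. Deployed at the organization root, the generated SCP turns the paper rule into a deny that applies even to administrators who bypass the procurement checklist.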
Example in a Small or Medium Business
Acme Design Studio, a 45-person SMB, needed to migrate file storage and a customer portal to a cloud provider. The IT manager used an internal cloud-hosting policy template to classify data; design assets and client records were marked as Confidential, while marketing materials were Internal. The procurement team used the policy checklist during vendor selection and rejected providers that could not guarantee data residency in the approved country or provide adequate SLAs. The chosen provider signed a contract including breach notification within 72 hours, proof-of-deletion obligations, and a mutual non-disclosure clause. Before migration, Acme documented the data retrieval and deletion steps and ran a test to confirm backups could be retrieved. The CEO and COO reviewed and signed the policy and the final contract, and an exceptions log was created for any future deviations. After go-live, IT schedules annual contract reviews and confirms the vendor’s compliance reports as part of ongoing governance.
Summary
For SMBs, meeting Control 4-2-1 means combining a clear, approved policy with tangible technical and contractual measures: classification before hosting, contract clauses and SLAs, documented deletion and retrieval processes, and enforced geographic controls. Executive approval and a vendor register turn these steps into enforceable organizational practice. Together, the policy and technical controls reduce risk when using hosting and cloud services and provide a repeatable, auditable approach for procurement and operations.