This post gives a practical, step-by-step checklist to implement Essential Cybersecurity Controls (ECC – 2 : 2024) Control 1-9-6 for personnel cybersecurity reviews, mapped to a Compliance Framework practice so small and mid-sized organizations can build defendable evidence and operationalize recurring personnel security checks.
Understanding Control 1-9-6 and its objectives
Control 1-9-6 requires organizations to conduct formal personnel cybersecurity reviews that validate appropriate access, attest to role fit, confirm completion of mandatory training, and surface insider-risk indicators on a defined cadence. The key objectives are: (1) ensure least privilege and remove stale or inappropriate access, (2) confirm personnel have required security awareness and role-based training, (3) record manager attestations and HR changes, and (4) create auditable evidence for Compliance Framework assessments.
Implementation notes for Compliance Framework
Map Control 1-9-6 to your Compliance Framework by creating a policy (Personnel Cybersecurity Review Policy), a procedures document (review cadence, responsibilities, evidence types), and a RACI (HR, IT/IAM, Line Managers, Security, Audit). Define frequency (e.g., quarterly for privileged roles, semi-annual for business users), evidence retention (retain attestations and logs for at least 24 months or as required by your framework), and KPI targets (percentage of completed attestation within SLA). Capture evidence as screenshots, signed attestation forms (digital), ticket IDs showing remediations, and automated reports from IAM/HRIS systems.
Step 1 — Prepare and scope the review
Begin by scoping: extract authoritative lists from HRIS (employee status, manager, role, department) and IAM (active accounts, group memberships, privileged roles). For small businesses the authoritative sources might be Google Workspace Directory, Microsoft Entra ID (Azure AD), or an HR spreadsheet. Create a mapping table: username → role → manager → privileges → lastAuthDate → trainingStatus. Example technical extraction: run Azure AD PowerShell to export users and group memberships: "Get-AzureADUser | Select DisplayName,UserPrincipalName,AccountEnabled | Export-Csv users.csv" and "Get-AzureADGroupMember -ObjectId
Step 2 — Execute the review and collect evidence
Issue manager attestation requests with a clear checklist (verify role, confirm access required, confirm training complete, escalate exceptions). Automate where possible: send emails or use ticketing (Jira/Trello) with pre-filled evidence links. For technical verification, query system logs and configuration: check MFA status, last sign-in times, group memberships, conditional access policies, and privileged activity in SIEM (e.g., Splunk or Elastic). A practical small-business approach: export a CSV that joins HRIS and IAM columns, highlight accounts with "last sign-in > 90 days" or "privileged membership", and send managers a checklist with direct links to screenshots or CSV lines to attest. Require managers to record attestation in the ticketing system and to provide remediation tickets for any changes requested.
Step 3 — Remediate findings and record outcomes
Create a remediation workflow with SLAs (e.g., remove stale accounts within 5 business days, apply role changes within 3 days). For account removals use documented steps: disable account, revoke sessions/tokens (e.g., PowerShell command to revoke refresh tokens in Azure AD: "Revoke-AzureADUserAllRefreshToken -ObjectId
Compliance tips, best practices, and technical specifics
Operationalize these best practices: enforce MFA and conditional access to reduce risk from stale credentials; implement Role-Based Access Control (RBAC) and avoid granting permissions directly to user accounts; use PAM for any privileged user; automate periodic queries (PowerShell, Google Admin SDK, or REST API calls) and produce machine-readable reports (CSV/JSON) for auditors. Track metrics such as percentage of attestations completed within SLA, number of stale privileged accounts removed, and mean time to remediate. For evidence, keep immutable logs or an append-only audit trail (SIEM or a cloud audit log) and store attestations in a secure, versioned document store (encrypted S3 + access logs) or in your GRC tool.
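The HRIS/IAM join from Step 1, the Step 2 flags ("last sign-in > 90 days", privileged membership, training status) and the Step 3 removal SLA, as an added Python example that is not part of the original post and produces the kind of machine-readable report the tips above call for. The HRIS and IAM CSV exports, the group name Global-Admins and the review date are all constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed sample HRIS and IAM exports (not real data) with the Step 1 mapping-table columns.
HRIS_CSV = """username,status,manager,role,department,trainingStatus
alice,active,carol,Finance Analyst,Finance,complete
bob,terminated,carol,Contractor,IT,complete
dave,active,erin,Sysadmin,IT,incomplete
frank,active,erin,Sales Rep,Sales,complete
"""
IAM_CSV = """username,accountEnabled,groups,lastAuthDate
alice,True,Finance-Users,2024-05-20
bob,True,IT-Helpdesk,2024-01-03
dave,True,Global-Admins;IT-Ops,2024-05-28
frank,True,Sales-Users,2024-02-01
grace,True,Sales-Users,2024-05-29
"""
PRIVILEGED_GROUPS = {"Global-Admins"}  # assumed privileged group name for this example
STALE_DAYS = 90                        # Step 2 threshold: "last sign-in > 90 days"
REMOVAL_SLA_BUSINESS_DAYS = 5          # Step 3 SLA: remove stale accounts within 5 business days

def load(text):
    return {r["username"]: r for r in csv.DictReader(io.StringIO(text))}

def add_business_days(start, days):
    while days > 0:                    # SLA counts Mon-Fri only
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def build_review(hris_text, iam_text, today_iso):
    """Join IAM accounts to HRIS records and flag each row for manager attestation."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    hris, iam, rows = load(hris_text), load(iam_text), []
    for user, acct in iam.items():
        hr = hris.get(user, {})        # {} when the IAM account has no HRIS match
        last = datetime.strptime(acct["lastAuthDate"], "%Y-%m-%d").date()
        checks = [("orphaned_or_terminated", hr.get("status") != "active"),
                  ("stale_signin", (today - last).days > STALE_DAYS),
                  ("privileged_membership", bool(PRIVILEGED_GROUPS & set(acct["groups"].split(";")))),
                  ("training_incomplete", bool(hr) and hr["trainingStatus"] != "complete")]
        findings = [name for name, hit in checks if hit]
        needs_removal = bool({"orphaned_or_terminated", "stale_signin"} & set(findings))
        rows.append({"username": user, "role": hr.get("role", "UNKNOWN"),
                     "manager": hr.get("manager", "UNKNOWN"), "privileges": acct["groups"],
                     "lastAuthDate": acct["lastAuthDate"], "trainingStatus": hr.get("trainingStatus", "UNKNOWN"),
                     "findings": findings, "remediationDue": (add_business_days(today, REMOVAL_SLA_BUSINESS_DAYS)
                                                               .isoformat() if needs_removal else None)})
    return rows
```

The returned rows are plain dicts, so they serialize directly to JSON for the auditor's report or to CSV lines for the manager checklist; accounts with a non-empty `remediationDue` are the ones that need a removal ticket.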
Risks of not implementing Control 1-9-6
Failing to perform personnel cybersecurity reviews increases the risk of unauthorized access, data exfiltration, insider threats, and compliance violations. Stale privileged accounts and forgotten service accounts are frequent vectors for attackers; without regular attestations and remediation you could face fraud, customer data loss, regulatory fines, and reputational harm. During an audit you will struggle to provide evidence of regular reviews, which can lead to non-conformance findings and corrective action plans with tight deadlines and higher remediation costs.
Summary: implement Control 1-9-6 by creating a documented policy, automating authoritative data extracts from HRIS and IAM, executing manager attestations on a defined cadence, remediating with clear SLAs, and retaining auditable evidence. For small businesses this can be achieved with a combination of spreadsheets or low-cost tools plus scripted exports, clear manager workflows, and a small set of automated checks—delivering strong security outcomes and a defensible Compliance Framework posture.