How to Create a 90-Day Implementation Plan to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) Control 1-1-2 Requirements

A practical 90-day roadmap to implement Control 1-1-2 of the Compliance Framework's ECC 2:2024, with specific tasks, technical steps, and evidence to satisfy auditors.

March 29, 2026
5 min read

Control 1-1-2 within the Compliance Framework's ECC – 2 : 2024 requires organizations to establish and demonstrate a measurable baseline of defensive controls, documented responsibilities, and ongoing verification, so that attack surface is reduced and core controls are maintained by accountable owners. This post gives a practical, small-business-focused 90-day implementation plan with technical steps, artifacts for auditors, and real-world examples you can act on immediately.

Interpreting Control 1-1-2 — what you must deliver

Before you start the 90-day plan, translate Control 1-1-2 into concrete deliverables for your organization: an up-to-date inventory of assets, assigned owners for each asset class, baseline hardening/configuration standards, evidence of authentication and patching controls (for example MFA and automated patching), a logging/monitoring configuration with retention and alerting, and an evidence package showing verification (scans, policy documents, change tickets, screenshots). These are the artifacts most auditors will expect when they review compliance to the Control under the Compliance Framework.

90-day phased implementation plan

Days 1–30: Assess, assign, and secure quick wins

Kick off with a short governance meeting to assign a Control Owner and a 90-day project lead. Immediately perform asset discovery and owner assignment: use network scans (e.g., nmap -sS -O -p- 192.168.1.0/24) and agent-based discovery (Intune, Jamf, or endpoint management). Create a simple CSV inventory with columns: asset ID, hostname/IP, owner, OS, role, criticality, last-patched date. Implement quick security wins that significantly reduce risk: enable Multi-Factor Authentication (MFA) for all administrative and remote-access accounts, enforce least-privilege for administrative groups, deploy disk encryption for laptops, and enable automatic updates for servers and endpoints. Document these steps in a change ticket tracker and capture screenshots or logs (MFA enablement logs, MDM enrollment confirmations) as evidence.

Days 31–60: Baseline hardening, patching, and logging

Develop and apply baseline configurations for each asset class (Windows domain-joined, Linux servers, cloud workloads, network devices). For Windows, use Group Policy or MDM to set password minimum length (recommend 12+), account lockout (e.g., lock after 5 invalid attempts), and enable Windows Event Forwarding to a central collector. Example PowerShell to list local administrators for verification: Get-LocalGroupMember -Group "Administrators" | Select Name. For Linux, enable unattended-upgrades or configure yum-cron; use CIS or vendor-specific benchmarks as templates for baselines. Turn on centralized logging (rsyslog -> syslog-ng -> ELK/Splunk/Cloud SIEM) and configure retention to meet the Compliance Framework evidence requirements (retain security-relevant logs for the period specified by your policy — commonly 90 days or more). Run authenticated vulnerability scans (Nessus/OpenVAS) and prioritize remediation of Critical/High findings within the next 30 days.

Days 61–90: Verify, document, train, and prepare evidence

Perform verification activities: re-scan assets to confirm remediation, review configuration drift against baselines, and run sample authentication and access reviews for critical accounts. Conduct a tabletop or short penetration test/simulated phishing exercise to validate controls in practice and follow with remediation tickets. Consolidate evidence into an audit package: inventory CSV, owner assignment document, baseline configuration exports (GPO backups, CIS-CAT reports), patching reports, MFA enablement logs, vulnerability scan reports before/after remediation, SIEM alert samples, and training attendance records. Publish a short internal “compliance readiness” report for management summarizing status against Control 1-1-2 and include action items for the continuous-improvement backlog.
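The "review configuration drift against baselines" step above, and the Windows baseline values from the Days 31–60 section (minimum password length 12+, lockout after 5 invalid attempts, event forwarding to a central collector, a controlled local Administrators group), can be checked mechanically. The following is an added example, not code from the post, that expresses the baseline as settings with comparison rules and reports per-host drift. The host exports are constructed to mimic values you would parse from a GPO/security-policy export or from the `Get-LocalGroupMember` listing shown earlier; the setting names and hostnames are assumptions.

```python
"""Report configuration drift between a baseline and per-host exports.

Added example, not the post's tooling. The baseline uses the values the post
recommends for Windows; the exports and host names are constructed.
"""

# Constructed baseline: setting -> (rule, expected). A rule other than "=="
# matters: a 14-character minimum satisfies a 12+ baseline, and a lockout
# threshold of 0 means lockout is disabled, which the "between" rule catches.
BASELINE = {
    "MinimumPasswordLength": (">=", 12),
    "LockoutBadCount": ("between", (1, 5)),
    "EventForwardingEnabled": ("==", True),
    "LocalAdministrators": ("subset_of", {"Administrator", "CORP\\Domain Admins", "CORP\\it-ops"}),
}

# Constructed exports; in practice you would fill these from a policy export
# and from Get-LocalGroupMember output on each host.
EXPORTS = {
    "fs01": {
        "MinimumPasswordLength": 14,
        "LockoutBadCount": 5,
        "EventForwardingEnabled": True,
        "LocalAdministrators": {"Administrator", "CORP\\Domain Admins", "CORP\\it-ops"},
    },
    "LAPTOP-42": {
        "MinimumPasswordLength": 8,
        "LockoutBadCount": 0,
        "EventForwardingEnabled": True,
        "LocalAdministrators": {"Administrator", "CORP\\Domain Admins", "LAPTOP-42\\j.smith"},
    },
}


def _passes(rule, expected, actual):
    """Evaluate one comparison rule."""
    if rule == ">=":
        return actual >= expected
    if rule == "==":
        return actual == expected
    if rule == "between":
        low, high = expected
        return low <= actual <= high
    if rule == "subset_of":
        return set(actual) <= set(expected)
    raise ValueError(f"unknown rule {rule!r}")


def find_drift(baseline, export):
    """Return {setting: (description, offending value)} for each failing setting."""
    drift = {}
    for setting, (rule, expected) in baseline.items():
        if setting not in export:
            drift[setting] = (f"{rule} {expected}", "MISSING")
            continue
        actual = export[setting]
        if rule == "subset_of":
            # Report only the members that should not be there.
            extra = set(actual) - set(expected)
            if extra:
                drift[setting] = ("unexpected members", sorted(extra))
        elif not _passes(rule, expected, actual):
            drift[setting] = (f"{rule} {expected}", actual)
    return drift


def drift_report(baseline, exports):
    """Per-host drift map; an empty dict for a host means it matches the baseline."""
    return {host: find_drift(baseline, export) for host, export in exports.items()}


if __name__ == "__main__":
    for host, drift in drift_report(BASELINE, EXPORTS).items():
        print(host, drift or "OK")
```

Version the `BASELINE` structure alongside the GPO backups so the exact rules applied at audit time are reproducible, and keep each dated drift report as part of the evidence package.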

Technical implementation details and small-business examples

Small-business example: a 50-user company with a single AD domain and cloud-hosted services. Practical technical steps: enroll all laptops into Microsoft Intune or another MDM; create a compliance policy that requires BitLocker and prevents jailbroken/rooted devices; enable Conditional Access policy requiring MFA for all cloud app access; schedule Windows Update maintenance windows via WSUS or Intune and verify via reporting. On the network, segment management interfaces from user VLANs and require VPN with MFA for remote access. For inventory and asset tracking, use an easy-to-deploy agent like CrowdStrike or an open-source CMDB (e.g., GLPI) to track ownership and lifecycle status. For logging, forward Windows Event Logs to a small SIEM or cloud log service (Azure Sentinel, Splunk Cloud) and set three pragmatic alert rules: repeated failed logins, creation of new admin accounts, and suspicious privilege escalation events.
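The three pragmatic alert rules named above (repeated failed logins, creation of new admin accounts, suspicious privilege escalation) can be prototyped against forwarded Windows Security events before they are written in a SIEM's query language. The following is an added example, not code from the post or from any SIEM vendor, that runs the three rules over constructed JSON-lines events. The event IDs are the standard Windows Security ones (4625 failed logon, 4720 account created, 4728/4732 member added to a global/local security group, 4672 special privileges assigned at logon); the field names, thresholds, sample values and the expected-privileged account list are assumptions.

```python
"""Three starter alert rules over forwarded Windows Security events.

Added example, not the post's code. Events are constructed JSON lines in the
shape a log forwarder might emit; thresholds and allowlists are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 203.0.113.7 is a documentation range.
SAMPLE_EVENTS = """\
{"ts":"2026-03-28T09:00:01Z","EventID":4625,"TargetUserName":"j.smith","IpAddress":"203.0.113.7","Computer":"fs01"}
{"ts":"2026-03-28T09:00:04Z","EventID":4625,"TargetUserName":"j.smith","IpAddress":"203.0.113.7","Computer":"fs01"}
{"ts":"2026-03-28T09:00:07Z","EventID":4625,"TargetUserName":"admin","IpAddress":"203.0.113.7","Computer":"fs01"}
{"ts":"2026-03-28T09:00:09Z","EventID":4625,"TargetUserName":"backup","IpAddress":"203.0.113.7","Computer":"fs01"}
{"ts":"2026-03-28T09:00:12Z","EventID":4625,"TargetUserName":"svc-sql","IpAddress":"203.0.113.7","Computer":"fs01"}
{"ts":"2026-03-28T10:15:00Z","EventID":4625,"TargetUserName":"a.lee","IpAddress":"192.168.1.101","Computer":"LAPTOP-42"}
{"ts":"2026-03-28T11:30:00Z","EventID":4720,"TargetUserName":"helpdesk2","SubjectUserName":"it-ops","Computer":"dc01"}
{"ts":"2026-03-28T11:31:10Z","EventID":4732,"MemberName":"helpdesk2","TargetUserName":"Administrators","SubjectUserName":"it-ops","Computer":"dc01"}
{"ts":"2026-03-28T12:00:00Z","EventID":4672,"SubjectUserName":"it-ops","Computer":"dc01"}
{"ts":"2026-03-28T12:05:00Z","EventID":4672,"SubjectUserName":"j.smith","Computer":"fs01"}
"""

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
EXPECTED_PRIVILEGED = {"it-ops", "svc-backup", "SYSTEM"}  # constructed allowlist


def parse_events(text):
    """Parse JSON lines into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def rule_repeated_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that produces >= threshold 4625 events inside the window."""
    by_ip = defaultdict(list)
    for event in events:
        if event["EventID"] == 4625:
            by_ip[event["IpAddress"]].append(_ts(event))
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "repeated_failed_logins", "ip": ip, "count": end - start + 1})
                break
    return alerts


def rule_new_admin_accounts(events):
    """Alert on every account creation and on any addition to an admin group."""
    alerts = []
    for event in events:
        if event["EventID"] == 4720:
            alerts.append({"rule": "account_created", "account": event["TargetUserName"],
                           "by": event["SubjectUserName"]})
        elif event["EventID"] in (4728, 4732) and event["TargetUserName"] in ADMIN_GROUPS:
            # For 4728/4732, TargetUserName holds the group and MemberName the member added.
            alerts.append({"rule": "added_to_admin_group", "member": event["MemberName"],
                           "group": event["TargetUserName"], "by": event["SubjectUserName"]})
    return alerts


def rule_privilege_escalation(events):
    """Alert on 4672 for any account outside the expected privileged set."""
    return [{"rule": "unexpected_privileged_logon", "account": e["SubjectUserName"], "host": e["Computer"]}
            for e in events if e["EventID"] == 4672 and e["SubjectUserName"] not in EXPECTED_PRIVILEGED]


def run_all_rules(text):
    """Parse the events and return the combined alert list from all three rules."""
    events = parse_events(text)
    return (rule_repeated_failed_logins(events)
            + rule_new_admin_accounts(events)
            + rule_privilege_escalation(events))


if __name__ == "__main__":
    for alert in run_all_rules(SAMPLE_EVENTS):
        print(alert)
```

The 4720 rule fires on every account creation rather than only admin creations because, as the sample shows, the group addition (4732) usually arrives as a separate event moments later; correlating the two in the SIEM is the next refinement. Keep a sample of the resulting alerts, and the ticket each one produced, for the audit package.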

Compliance tips and best practices

Keep auditors and management informed: use weekly status emails and a shared evidence folder (read-only for auditors) as you proceed. Treat documentation as code: version your baselines and policies in a repository (Git) so you can export the exact configuration applied at audit time. Prioritize fixes by risk and reproducible impact — patching known exploited CVEs and protecting remote access should outrank low-risk cosmetic hardening. Automate evidence collection where possible: scheduled scripts that export current GPO settings, snapshot lists of privileged accounts, and automated reports from MDM and patch management systems save time and reduce errors. Finally, make one person accountable for maintaining the inventory and another for verification so responsibilities are not diffuse, satisfying the “assigned ownership” parts of Control 1-1-2.

Risk of not implementing Control 1-1-2

Failing to implement Control 1-1-2 leaves the organization exposed to avoidable threats: unmanaged assets open blind spots for attackers, missing or stale baselines create configuration drift that attackers exploit, lack of MFA and patching greatly increases the chance of account takeover and ransomware, and poor logging/verification means breaches may remain undetected. Non-compliance can also lead to failed audits, contractual penalties, increased cyber insurance premiums, and reputational damage. For a small business, a single successful ransomware event or credential theft can be existential — so the practical, 90-day focus on inventory, ownership, baseline hardening, and verification is a risk-managed approach with measurable outcomes.

Summary

Control 1-1-2 is achievable within 90 days for most small businesses if you follow a phased approach: (1) establish ownership and inventory, (2) implement baseline configurations, MFA, patching, and logging, and (3) verify controls and collect audit evidence. Use simple, repeatable technical steps (MDM enrollment, GPO/Intune baselines, vulnerability scans, SIEM forwarding) and prioritize high-impact items like MFA and patching. Document everything, automate evidence collection where possible, and assign clear responsibilities — these actions will reduce risk quickly and create a sustainable posture that satisfies the Compliance Framework.
