Control 1-1-3 of the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organisations to establish a repeatable, documented schedule for reviewing their cybersecurity strategy; this post shows you how to build a compliance-driven schedule (template + timeline), how to evidence the work for auditors, and how a small business can put the requirement into practice without a full security team.
What Control 1-1-3 requires (Compliance Framework perspective)
At its core, Control 1-1-3 mandates a documented cadence for strategy reviews, aligned with organisational risk, business changes, and compliance obligations. From a Compliance Framework standpoint, that means: a documented review policy; assigned roles and responsibilities (who runs the review, who approves it); a schedule (frequency and triggers); defined artifacts to produce (risk register updates, minutes, decisions, action items); and demonstrable evidence stored in a retention-backed system. Implementation note: map the schedule to your Compliance Framework controls so that each review ties back to control objectives, metrics, and evidence requirements.
How to build a compliance-driven review schedule
Start by inventorying critical assets and compliance obligations (PCI, data privacy, contractual security clauses). Use that inventory to classify review frequency by risk: critical systems (financial, customer data, authentication) require monthly operational checks and quarterly strategy touchpoints; moderate-risk systems can follow a quarterly operational cadence; low-risk systems may be reviewed semi-annually. Build triggers for out-of-cycle reviews: incidents, major regulatory changes, mergers/acquisitions, major product launches, or any security control failures. Document the end-to-end process in your Compliance Framework (process owner, inputs, outputs, tooling) so auditors can trace who did what and why.
Template & timeline — practical example for a small business
Use a simple 12-month template that combines recurring operational tasks and scheduled strategy reviews. Example timeline for a 50-person e-commerce business:
Month 1: baseline strategy review and risk register refresh.
Months 2–11: recurring operational controls: weekly authenticated vulnerability scans, weekly SIEM alert triage, a monthly patch window (critical patches applied within 7 days, high within 30 days), a quarterly tabletop exercise and business-continuity test, and a quarterly executive summary and risk posture review.
Month 12: annual strategy review with board or owner sign-off, external penetration test (or outsourced assessment) and compliance evidence consolidation.
Trigger-driven: any security incident or major change causes an immediate ad-hoc review and updates to the strategy and risk register.
Roles, artifacts, tools and measurable thresholds
Assign roles: business owner or CISO (strategy owner), IT manager (operational lead), compliance officer (evidence custodian), and external assessor (independent validation). Key artifacts: a versioned cybersecurity strategy document, risk register entries tied to reviews, meeting minutes with decisions and action items, change tickets showing remediation, vulnerability reports, and penetration test and remediation reports. Tools: a GRC platform, or even a structured SharePoint or Git repository, for evidence; a SIEM with daily alert dashboards (reviewed at least weekly); a vulnerability scanner (credentialed scans weekly or monthly); a CMDB or asset inventory updated monthly; and patch management tooling (WSUS/SCCM, Jamf, or managed solutions). Suggested measurable thresholds: 90-day log retention for incident investigation; time-to-patch for critical vulnerabilities of 7 days or less; a mean time to detect (MTTD) target of 24–72 hours; and a vulnerability remediation SLA of 7 days for critical and 30 days for high findings.
Real-world small-business scenario and constraints
Example: an independent online retailer with 50 staff and a small IT team. Practical approach: outsource external penetration testing annually; run credentialed vulnerability scans weekly using a low-cost scanner or MSSP; centralise logs from web servers and POS systems to a cloud SIEM with a 90-day retention; schedule a quarterly executive review (30–60 minutes) where the owner signs off on high-level decisions and budgets; keep a living risk register in Google Sheets or the chosen GRC tool with a follow-up ticket assigned for each new risk. If budget is constrained, prioritise protective controls for the checkout system, customer database, and authentication (MFA for all staff), and document the rationale in the strategy to satisfy auditors.
Compliance tips and best practices
Keep the review process evidence-driven: every strategy change should reference the risk register entry, meeting minutes, and remediation tickets. Version-control your strategy (date, author, approver) and retain signed approval for the annual review. Run at least one tabletop exercise per year and document lessons learned as inputs to the next strategy review. Use metrics in every review: percent of assets with MFA enabled, patch compliance rates, number of critical vulnerabilities open, MTTD/MTTR, and the outcome of the latest pen test. Where possible, automate evidence collection (scheduled vulnerability reports, SIEM summary exports, ticketing system links) to reduce audit friction.
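As an added example (not from the ECC or this post), a small Python script that computes the review metrics listed above from the remediation SLAs given in the roles section (critical 7 days, high 30 days) and an MFA enrolment list; the findings and MFA data are constructed samples standing in for a vulnerability scanner export and an identity-provider report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation SLAs from the schedule: critical within 7 days, high within 30 days.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30}


@dataclass
class Finding:
    asset: str
    severity: str            # "critical", "high", "medium" or "low"
    found: date              # date the scanner first reported it
    fixed: Optional[date]    # date the remediation ticket closed; None if still open


def days_open(f: Finding, as_of: date) -> int:
    """Days from discovery to fix, or to the report date if still open."""
    return ((f.fixed or as_of) - f.found).days


def within_sla(f: Finding, as_of: date) -> bool:
    """True if fixed inside the SLA window or still open but not yet overdue.
    Severities without an SLA (medium/low) are not counted against it."""
    limit = REMEDIATION_SLA_DAYS.get(f.severity)
    return limit is None or days_open(f, as_of) <= limit


def review_metrics(findings, mfa_enabled: dict, as_of: date) -> dict:
    """Evidence for the quarterly review: patch compliance rate against the SLA,
    open criticals, overdue assets, and percent of accounts with MFA enabled."""
    tracked = [f for f in findings if f.severity in REMEDIATION_SLA_DAYS]
    compliant = sum(within_sla(f, as_of) for f in tracked)
    overdue = sorted(f.asset for f in tracked if f.fixed is None and not within_sla(f, as_of))
    return {
        "patch_compliance_pct": round(100 * compliant / len(tracked), 1) if tracked else 100.0,
        "open_critical": sum(1 for f in findings if f.severity == "critical" and f.fixed is None),
        "overdue_assets": overdue,
        "mfa_pct": round(100 * sum(mfa_enabled.values()) / len(mfa_enabled), 1),
    }


# Constructed sample data (hypothetical assets and accounts), report date 2024-03-21.
SAMPLE_FINDINGS = [
    Finding("checkout-web", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # 4 days: within SLA
    Finding("customer-db", "critical", date(2024, 3, 2), None),               # 19 days open: overdue
    Finding("pos-gw", "high", date(2024, 3, 10), date(2024, 3, 18)),          # 8 days: within SLA
    Finding("mail-relay", "high", date(2024, 2, 1), None),                    # 49 days open: overdue
    Finding("wiki", "medium", date(2024, 1, 15), None),                       # no SLA: not tracked
]
SAMPLE_MFA = {"alice": True, "bob": True, "carol": False, "dave": True}
REPORT_DATE = date(2024, 3, 21)
```

Run `review_metrics(SAMPLE_FINDINGS, SAMPLE_MFA, REPORT_DATE)` from a scheduled job and attach its output to the review minutes as the evidence record.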
Technical specifics to include in your schedule
Be explicit in the schedule: define scan types (authenticated vs unauthenticated), scan frequency, patch window dates, backup verification cadence (restore test quarterly), and penetration testing scope and frequency (at least annually or after major changes). Specify configuration benchmarks (CIS, vendor hardening), and indicate use of automated IaC scanning for cloud resources. Include retention periods for logs and evidence (e.g., retain strategy reviews and minutes for 3 years or per your regulatory requirement). If you use an MSSP, formalise SLAs for incident notification and provide the provider’s reports as evidence in the GRC tool.
Risk of not implementing Control 1-1-3
Without a compliance-driven review schedule you risk strategy drift (controls that worked become obsolete), undetected vulnerabilities, missed regulatory changes, and poor prioritisation of remediation — all of which increase the likelihood of a breach. For small businesses this commonly translates into operational downtime, direct financial loss (ransomware payments or recovery costs), contractual penalties, lost customers and reputational damage. Example: a retailer that did not schedule quarterly reviews missed a failed backup test and only discovered corrupted backups during a ransomware event, turning what should have been a recoverable incident into a prolonged outage and significant revenue loss.
Summary: implement Control 1-1-3 by creating a documented, risk-based review cadence that maps to your Compliance Framework controls, assign clear roles, automate evidence where possible, and use the provided 12-month template (monthly operational checks, quarterly reviews, annual strategy sign-off with external validation) to ensure you can prove compliance and continuously improve your security posture. Start with the baseline review today, document the decisions, and iterate — compliance and security improve with repeatable, evidenced reviews rather than one-off checklists.