Control 1-2-2 of the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to formalize HR policies and job descriptions so that personnel security, access responsibilities, and Saudization objectives are clear, auditable and tightly integrated with technical controls; this post gives Compliance Framework–specific, actionable steps and small-business examples to implement that requirement end-to-end.
Understanding Control 1-2-2 within the Compliance Framework
At its core this control ensures that HR artifacts (policies, employment contracts, role profiles and onboarding/offboarding checklists) explicitly define security duties, required clearances, and access levels so that hiring, provisioning and oversight are consistent with the organisation's risk profile and local Saudi regulations (including Saudization targets and PDPL considerations). Key objectives include establishing least-privilege responsibilities in job descriptions, documenting personnel screening requirements, and providing evidence for auditors that HR and IT work from the same source of truth.
Practical implementation steps
Design HR policies with security and Saudi compliance in mind
Start by updating HR policy templates to include: mandatory background checks (criminal records and employment verification as permitted by Saudi law and PDPL), security training expectations (initial and periodic), acceptable use and remote-work rules, data handling classifications, and a clause mapping Saudization targets to hiring plans. Implementation notes for the Compliance Framework: map each policy clause to a control objective (e.g., "background checks" -> personnel security objective) and store versions and approval records in the HRIS or a secured document management system with audit trails (TLS 1.2+ in transit, AES-256 at rest).
Write job descriptions that drive least-privilege and traceability
For each role create a concise security responsibilities section that lists: required access types (e.g., "read-only to finance reports"), privilege levels (e.g., "no admin rights on production unless PAM-approved"), mandatory certifications or training (e.g., cyber awareness within 30 days), and separation of duties statements. Include a unique role code and link to an asset inventory entry so that when HR creates a new hire request it automatically maps to an IAM group via SCIM/HRIS integration or at minimum a standardized provisioning ticket template.
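The following is an added example, not code from the original post: it expresses the job-description "security responsibilities" section as a machine-readable role catalogue (unique role code, access types, privilege level, PAM requirement, training deadline, asset inventory link), validates it against the rules the paragraph lists (admin rights only via PAM, every role linked to an asset, no separation-of-duties conflicts inside one role), and turns an HR hire request into the standardized provisioning ticket with the IAM groups that mirror the role. Role codes, group names, asset ids and the separation-of-duties pairs are constructed placeholders.

```python
# Added example (not from the original post). All role codes, groups, asset ids
# and separation-of-duties pairs below are constructed placeholders.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RoleProfile:
    role_code: str          # unique code shared by HR and IT
    title: str
    access: tuple           # access types, e.g. "finance-reports:read"
    iam_groups: tuple       # IdP groups that mirror this role
    asset_ids: tuple        # asset inventory entries the role is linked to
    admin_rights: bool = False   # production admin rights
    pam_required: bool = False   # admin rights only through PAM checkout
    training_days: int = 30      # cyber-awareness training due after start


# Duties one person must never hold at the same time (constructed pairs).
SOD_CONFLICTS = (
    frozenset({"payments:initiate", "payments:approve"}),
    frozenset({"prod:deploy", "prod:change-approve"}),
)

ROLE_CATALOGUE = [
    RoleProfile("R-FIN-01", "Finance analyst",
                ("finance-reports:read",), ("Employee", "Finance-Read"), ("AST-0042",)),
    RoleProfile("R-OPS-01", "Platform engineer",
                ("prod:deploy",), ("Employee", "Admin"), ("AST-0007",),
                admin_rights=True, pam_required=True),
]


def validate_catalogue(catalogue):
    """Return a list of policy violations; an empty list means the catalogue is consistent."""
    problems = []
    codes = [r.role_code for r in catalogue]
    for dup in sorted({c for c in codes if codes.count(c) > 1}):
        problems.append(f"{dup}: duplicate role code")
    for role in catalogue:
        if role.admin_rights and not role.pam_required:
            problems.append(f"{role.role_code}: admin rights without PAM approval")
        if not role.asset_ids:
            problems.append(f"{role.role_code}: no asset inventory link")
        for conflict in SOD_CONFLICTS:
            if conflict <= set(role.access):
                problems.append(
                    f"{role.role_code}: separation-of-duties conflict {sorted(conflict)}")
    return problems


def provisioning_ticket(hire_request, catalogue):
    """Map an HR hire request (employee id, role code, start date) to a provisioning ticket."""
    by_code = {r.role_code: r for r in catalogue}
    role = by_code[hire_request["role_code"]]
    start = date.fromisoformat(hire_request["start_date"])
    return {
        "employee_id": hire_request["employee_id"],
        "role_code": role.role_code,
        "iam_groups": list(role.iam_groups),
        "mfa_required": True,                  # MFA for everyone
        "fido2_required": role.admin_rights,   # hardware-backed token for admin accounts
        "pam_checkout_only": role.pam_required,
        "training_due": (start + timedelta(days=role.training_days)).isoformat(),
        "asset_ids": list(role.asset_ids),
    }


if __name__ == "__main__":
    print("catalogue problems:", validate_catalogue(ROLE_CATALOGUE))
    print(provisioning_ticket(
        {"employee_id": "E-1001", "role_code": "R-OPS-01", "start_date": "2024-09-01"},
        ROLE_CATALOGUE))
```

Running validate_catalogue as part of the HR change workflow (before a new or edited role profile is published) is what keeps the HR and IT views identical; the provisioning ticket is the artifact an auditor can trace from the job posting to the IAM group assignment.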
Technical integration and automation
Small businesses should prioritize automating assignment of access based on job description attributes: implement an IAM (Azure AD, Google Workspace, or a low-cost IdP) and use group mappings that mirror job roles. Use SCIM where possible to provision/deprovision accounts from the HRIS. Enforce MFA for all privileged roles and require hardware-backed tokens (FIDO2) for admin accounts. Maintain an access review cadence (quarterly) and implement role-attestation records stored with HR documentation to demonstrate compliance to auditors.
Small business examples and scenarios
Example 1: A 25-person Riyadh fintech uses Google Workspace and a simple HRIS (BambooHR). They add a "security responsibilities" paragraph to each job posting, create three IAM groups (Employee, Finance-Read, Admin), and use a shared onboarding checklist in the HRIS that triggers IAM group assignment.
Example 2: A 50-person consultancy hires a Saudi national under Saudization rules. HR records the Saudization quota and stores verification documents (ID, Nitaqat proof) in an encrypted HR folder, while IT holds a provisioning ticket linking the job code to access rights; offboarding is triggered automatically when HR changes the employee status to terminated, connecting to the IdP to remove access within 1 hour.
Compliance tips and best practices
Keep an auditable trail: timestamped approvals and version history in your DMS or HRIS are critical. Retain background check evidence and training completion records per Compliance Framework retention guidance (commonly 3–7 years depending on contracts). Conduct role-based risk assessments when defining privileges, require annual re-attestation of privileged role holders, and encrypt HR data at rest with role-limited keys. For PDPL alignment, obtain documented consent for background checks and store only the minimum personal data required, deleting or archiving per retention policy.
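One way to keep the auditable trail this section describes, as an added example that is not code from the original post: an append-only, hash-chained evidence log in which every approval or evidence reference commits to the previous entry's hash (so editing, deleting or reordering an earlier record is detectable), each entry carrying its own retention period so the referenced documents (a background check file, a training completion record, a policy version) can be listed for disposal when retention expires. The event names, evidence references and dates are constructed; the 3-year and 7-year values are taken from the retention range the text gives.

```python
# Added example (not from the original post). Event names, evidence references
# and dates are constructed sample data.
import hashlib
import json
from datetime import date


def _add_years(d, years):
    """Date arithmetic for retention expiry; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class EvidenceLog:
    """Append-only, hash-chained log of HR/IT approvals and evidence references.

    Each entry commits to the previous entry's hash, so tampering with any earlier
    entry (or removing one) makes verify() fail. The log itself is never pruned;
    due_for_disposal() lists only the referenced documents whose retention has expired."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event, actor, timestamp, evidence_ref, retention_years):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "event": event, "actor": actor,
                "timestamp": timestamp, "evidence_ref": evidence_ref,
                "retention_years": retention_years, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry is in sequence, chains to its predecessor and hashes correctly."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def due_for_disposal(self, today_iso):
        """Evidence references whose retention period has elapsed as of the given ISO date."""
        today = date.fromisoformat(today_iso)
        return [e["evidence_ref"] for e in self.entries
                if _add_years(date.fromisoformat(e["timestamp"][:10]), e["retention_years"]) <= today]


if __name__ == "__main__":
    log = EvidenceLog()
    log.append("background_check_completed", "hr.lead", "2018-01-15T10:00:00+00:00",
               "bgc/E-1001.pdf", 3)
    log.append("hr_policy_v2_approved", "ciso", "2023-03-01T09:00:00+00:00",
               "dms/hr-policy-v2", 7)
    print("chain valid:", log.verify())
    print("due for disposal on 2024-06-01:", log.due_for_disposal("2024-06-01"))
```

A hash chain of this kind does not replace the DMS or HRIS audit trail; it is a cheap integrity check over it, and periodically anchoring the latest hash somewhere the HR and IT teams cannot both edit (a ticket, a signed e-mail, a write-once bucket) is what makes it useful to an auditor.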
Risk of non-implementation
Failing to implement Control 1-2-2 increases insider risk, leads to overprivileged accounts, and creates gaps in audit evidence — all of which can cause data breaches, regulatory fines, failing Saudization audits or losing government contracts. Practically, this can mean unauthorized exfiltration of customer data, months of remediation, and reputational damage that is hard for small Saudi businesses to recover from.
In summary, implement Control 1-2-2 by embedding security duties into HR policies and job descriptions, automating provisioning through an IAM connected to your HRIS, enforcing least-privilege and MFA for privileged roles, and keeping auditable evidence mapped to the Compliance Framework objectives; these steps are practical for small businesses and essential to reduce personnel-related cyber risk while meeting Saudi regulatory and localization requirements.