
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-2

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-2

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-2 – A roadmap must be executed to implement the cybersecurity strategy.

Understanding the Requirement

This control requires an organization to convert its cybersecurity strategy into an executable roadmap that sequences initiatives, assigns accountability, and tracks progress. Under the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, the roadmap should set clear priorities, align recommended cybersecurity work with the organization's mission and risk profile, include monitoring and corrective actions, ensure initiatives meet requirements, communicate a unified vision to stakeholders, and obtain approval from the NCA when activities exceed the organization's scope.

Technical Implementation

  • Create a structured roadmap document:

    Draft a living roadmap that lists initiatives (e.g., vulnerability management, endpoint protection, MFA rollout), expected outcomes, timelines, milestones, and resource estimates. Use quarter-based milestones and identify critical-path tasks so progress is measurable.

  • Define priorities tied to risk and business impact:

    Rank initiatives by risk reduction and business value (e.g., prioritize patching and MFA for systems that expose customer data). Maintain a short prioritized backlog and adjust it after periodic risk reviews.

  • Assign owners and governance:

    Appoint an initiative owner and a small steering committee (IT lead, operations lead, and an executive sponsor). Hold monthly steering meetings to review status, approve scope changes, and escalate blockers.

  • Implement monitoring and KPIs:

    Define clear success criteria and KPIs for each project (e.g., % of devices with latest patches, MFA coverage rate, time to remediate critical vulnerabilities). Use a simple dashboard or spreadsheet and report progress to leadership at defined intervals.

  • Plan for corrective action and change control:

    Include trigger points in the roadmap for corrective measures (missed milestones, budget overrun, emerging threats). Define a lightweight change-control process so scope or timeline changes are reviewed and approved quickly.

  • Communicate and secure external approvals when required:

    Create a stakeholder communication plan (staff briefings, vendor notifications, customer-impact statements). For initiatives outside your organization’s remit, document the rationale and submit required materials to the NCA for approval before execution.
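The KPI and trigger-point bullets above can be operated as a small tracker. This added Python example is not from the original guide: it builds a constructed device inventory, constructed critical-vulnerability remediation records and a constructed two-initiative roadmap, computes the KPIs the guide lists, and raises the missed-milestone and budget-overrun triggers for the steering committee's review. The initiative names, figures and the 10% budget tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Initiative:
    name: str
    owner: str
    milestone: date   # quarter-based milestone date from the roadmap
    kpi: str          # KPI that measures success (a key of compute_kpis output)
    target: float     # target value: a fraction for rates, days for times
    budget: float
    spent: float = 0.0

# Constructed sample inventory and remediation records (not real data).
DEVICES = [
    {"id": "ws-01", "patched": True, "mfa": True},
    {"id": "ws-02", "patched": False, "mfa": True},
    {"id": "ws-03", "patched": True, "mfa": False},
    {"id": "srv-01", "patched": True, "mfa": True},
]
CRITICAL_REMEDIATION_DAYS = [3, 10, 21]   # days each critical vuln stayed open

# Constructed roadmap; owners, dates and budgets are illustrative assumptions.
ROADMAP = [
    Initiative("Centralized patching", "IT lead", date(2026, 3, 31), "patch_rate", 0.95, 20000, 23000),
    Initiative("MFA for remote access", "IT lead", date(2026, 6, 30), "mfa_coverage", 1.0, 8000, 2000),
]

def compute_kpis(devices, remediation_days):
    """KPIs named in the guide: patch rate, MFA coverage, time to remediate criticals."""
    n = len(devices)
    return {
        "patch_rate": sum(d["patched"] for d in devices) / n,
        "mfa_coverage": sum(d["mfa"] for d in devices) / n,
        "critical_remediation_days": sum(remediation_days) / len(remediation_days),
    }

def triggers_for(init, kpis, today, budget_tolerance=0.10):
    """Corrective-action triggers: missed milestone and budget overrun (assumed 10% tolerance)."""
    lower_is_better = init.kpi.endswith("_days")   # time-based KPIs: lower is better
    met = kpis[init.kpi] <= init.target if lower_is_better else kpis[init.kpi] >= init.target
    fired = []
    if today > init.milestone and not met:
        fired.append("missed_milestone")
    if init.spent > init.budget * (1 + budget_tolerance):
        fired.append("budget_overrun")
    return fired

def roadmap_status(roadmap, devices, remediation_days, today):
    kpis = compute_kpis(devices, remediation_days)
    return {i.name: triggers_for(i, kpis, today) for i in roadmap}
```

Run `roadmap_status(ROADMAP, DEVICES, CRITICAL_REMEDIATION_DAYS, date.today())` at each steering meeting; an initiative with a non-empty trigger list is the one that needs a corrective action or a change-control decision.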

Example in a Small or Medium Business

Sunridge Fabrication, a 120-employee SMB, adopts a cybersecurity strategy focused on protecting customer designs and manufacturing systems. The IT manager builds a 12-month roadmap that lists projects: deploy centralized patch management, enable MFA for all remote access, segment the OT and IT networks, and implement routine backups. Each project has an owner, a three-month milestone schedule, and measurable KPIs (patch rate, MFA adoption, network-segmentation test results, backup restore time). The CTO chairs a monthly steering committee with finance and operations to review progress and approve resource shifts. When a segmentation project requires vendor changes that affect partner systems, Sunridge documents the impact and seeks approval from the NCA as required under its obligations. They communicate the roadmap and upcoming user impacts to staff and major suppliers two weeks before each milestone. When the first quarter falls behind on patching, the steering committee reallocates contractor hours and adds an interim patch sprint to get back on schedule, then updates the roadmap and re-communicates the revised plan to stakeholders.

Summary

Translating a cybersecurity strategy into an executed roadmap means documenting prioritized initiatives, assigning owners, defining measurable milestones and KPIs, and operating a simple governance cadence to monitor progress and apply corrective actions. For SMBs, combining these policy elements with practical technical steps—prioritized projects, monitoring, change control, and stakeholder communications—ensures the organization delivers security improvements efficiently and can meet external approval requirements when needed.
