How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-3

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-3

January 17, 2026
3 min read

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-3 – A cybersecurity steering committee must be established by the Authorizing Official to ensure the support and implementation of the cybersecurity programs and initiatives within the organization. Committee members, roles and responsibilities, and governance framework must be defined, documented and approved. The committee must include the head of the cybersecurity function as one of its members. It is highly recommended that the committee reports directly to the head of the organization or his/her delegate while ensuring that this does not result in a conflict of interest.

Understanding the Requirement

This control comes from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework. In short, the organization must create a formal cybersecurity steering committee with documented membership, roles, responsibilities and governance (a charter) that is approved by the organization's authorizing official. The committee must include the head of cybersecurity and should report at a senior level so cybersecurity decisions, funding and strategy are visible and aligned with business objectives while avoiding conflicts of interest.

Technical Implementation

  • Create a Committee Charter (first 30 days): Draft a short charter (1–3 pages) that defines purpose, authority, membership, decision rights, meeting cadence, reporting lines and escalation paths. Keep the language clear: who approves the charter, who chairs meetings, what constitutes quorum, and how minutes and action items are recorded and tracked.
  • Define membership and roles: Nominate standing members who influence or are influenced by cybersecurity—CEO or delegate, head of cybersecurity (CISO/IT Manager), IT lead, HR, Finance, Compliance/Legal, and a business unit owner. Assign alternate members and specify responsibilities (e.g., chair, risk owner, budget liaison, compliance reviewer).
  • Set reporting line and conflict management: Ensure the committee reports to the head of the organization or their delegate. Where dual reporting could create conflicts (for example, IT reporting to the same executive who controls budgets for IT), include mitigations in the charter such as an independent member or external advisor to preserve impartial oversight.
  • Operationalize meetings and outputs: Schedule regular meetings (monthly or quarterly by charter). Use a standard agenda template: risk posture update, program status, policy exceptions, budget requests, incident post-mortems and open actions. Record minutes, decisions and assigned owners; circulate minutes to the organization's head with a short executive summary and tracking dashboard.
  • Align strategy, policy and risk: Use the committee to approve cybersecurity strategy, prioritize initiatives, and review policy changes. Require periodic reviews of controls against business objectives and risk register updates. Tie funding requests to documented risk reduction and measurable outcomes (e.g., mean time to detect, patching SLA adherence).
  • Measure governance effectiveness: Define 3–5 KPIs for the committee such as percentage of action items closed on time, number of policy reviews completed, budget approvals vs. requests, and time to escalate critical incidents to executive level. Review these KPIs at each meeting and include them in the executive reporting package.

Example in a Small or Medium Business

Acme Cloud Services, a 120-employee SMB, creates a cybersecurity steering committee after the CEO (the Authorizing Official) approves the charter. The standing membership includes the CEO's delegate (VP Operations), the head of cybersecurity (IT Manager acting as CISO), the Head of HR, the Finance Director, and the Compliance Lead; a senior product manager attends as a business representative. The committee meets monthly with a fixed agenda: risk register review, project funding requests, policy exceptions and incident summaries. Minutes and action items are recorded in a shared tracker; a one-page executive summary is routed to the CEO within 48 hours. When a ransomware risk is elevated, the committee approves a targeted budget for endpoint detection and recovery and fast-tracks a contractor for deployment; the head of cybersecurity reports progress in subsequent meetings. Over the first year, the committee formalizes policy updates, aligns training with new hire onboarding, and shortens approval time for cybersecurity spending from six weeks to two.

Summary

Establishing a formal cybersecurity steering committee with a clear charter, defined membership (including the head of cybersecurity), scheduled oversight meetings, and measurable KPIs provides the governance backbone that this control requires. For SMBs, the combination of a concise charter, regular meeting discipline, documented minutes and executive reporting ensures decisions are visible, risks are managed proactively, and resources are allocated efficiently—while preserving independence and alignment with business strategy.