Requirement
Essential Cybersecurity Controls (ECC-2:2024), Control 1-3-2: The cybersecurity function must ensure that the cybersecurity policies and procedures are implemented.
Understanding the Requirement
This control requires the cybersecurity function to move beyond documented policies and procedures and make sure those controls are actively implemented across the organization. Implementation means identifying who the policies apply to (internal and external stakeholders), assigning responsibility, deploying technical and non-technical controls (manual or automated), and maintaining ongoing monitoring and follow-up to verify effectiveness. The focus is practical: ensure staff, systems, and third parties are following the approved, documented cybersecurity requirements and that compliance is tracked and enforced.
Technical Implementation
- Develop a clear implementation plan: list each policy and procedure, map it to affected systems and stakeholder groups, assign an owner for implementation, and set measurable milestones and deadlines. Keep the plan compact and practical — a spreadsheet or ticket board works for most SMBs.
- Use role-based responsibilities and simple SLAs: designate a cybersecurity owner (within IT or a security lead) and local owners (department managers or team leads). Define expected actions, timelines for remediation, and periodic checkpoints (e.g., 30/60/90 days).
- Combine manual and automated controls: implement low-cost automation where it reduces risk or effort (automated patching, endpoint detection, configuration baselines) and document manual processes where automation isn't feasible (access request approvals, physical access logs). Ensure automated tools are configured to enforce the documented policies.
- Implement verification and monitoring: create simple evidence collection and verification steps such as weekly configuration checks, monthly patch reports, and quarterly policy attestation, and define for each what "pass" means (for example, no host more than 30 days behind on patches) and who is ticketed when it fails. Use lightweight monitoring sources (a hosted SIEM or log service, cloud provider audit logs, MDM dashboards) and schedule periodic reviews so that missing or stale evidence is itself treated as a gap.
- Integrate with change and supplier management: require that any system change, purchase, or third-party onboarding includes a check for policy alignment (security configuration, data handling, and contractual security clauses). Track third-party compliance with periodic reviews or attestations.
- Train and communicate: provide role-specific short training and distribute one-page job aids that describe the controls people must follow. Tie adherence to performance objectives for responsible owners so implementation is part of regular work rather than an extra task.
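The verification step above is the one piece of this control that is easily automated. The following is an added example, not part of the ECC text or any NCA tooling: it joins a small implementation plan (policy, control, owner, verification cadence) to collected evidence records and distinguishes three kinds of gap a weekly check should surface: no evidence at all, evidence older than the control's cadence, and evidence that shows the check failing. The plan, hostnames, owners, dates and the 30-day patch SLA are all constructed for illustration.

```python
"""Evaluate policy-implementation evidence against a control plan.

Added example; the plan, evidence and SLA values below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Maximum age of evidence before it counts as stale (weekly config checks,
# monthly patch reports, quarterly attestations).
CADENCE_DAYS = {"weekly": 7, "monthly": 30, "quarterly": 90}
MAX_PATCH_AGE_DAYS = 30  # assumed SLA taken from a hypothetical patch policy


@dataclass(frozen=True)
class Control:
    policy: str   # policy the control implements
    name: str     # identifier used to join evidence to the control
    owner: str    # who gets the ticket when the control is not met
    cadence: str  # how often fresh evidence is expected (key of CADENCE_DAYS)
    check: str    # evaluation rule: "patch_age", "baseline" or "attestation"


@dataclass(frozen=True)
class Evidence:
    control: str
    collected: date
    data: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    control: str
    owner: str
    reason: str


def _latest_evidence(evidence):
    """Keep only the newest evidence record per control."""
    latest = {}
    for ev in evidence:
        if ev.control not in latest or ev.collected > latest[ev.control].collected:
            latest[ev.control] = ev
    return latest


def _check(ctl, ev, today):
    """Apply the control's rule to its evidence; return a list of Findings."""
    if ctl.check == "patch_age":
        bad = sorted(h for h, last in ev.data.items()
                     if (today - last).days > MAX_PATCH_AGE_DAYS)
        label = "host(s) past patch SLA"
    elif ctl.check == "baseline":
        bad = sorted(h for h, ok in ev.data.items() if not ok)
        label = "host(s) off baseline"
    elif ctl.check == "attestation":
        bad = sorted(t for t, signed in ev.data.items() if not signed)
        label = "team(s) without attestation"
    else:
        raise ValueError(f"unknown check {ctl.check}")
    return [Finding(ctl.name, ctl.owner, f"{len(bad)} {label}: {', '.join(bad)}")] if bad else []


def evaluate(plan, evidence, today):
    """Return Findings for missing, stale or failing evidence across the plan."""
    latest = _latest_evidence(evidence)
    findings = []
    for ctl in plan:
        ev = latest.get(ctl.name)
        if ev is None:
            findings.append(Finding(ctl.name, ctl.owner, "no evidence collected"))
            continue
        age = (today - ev.collected).days
        if age > CADENCE_DAYS[ctl.cadence]:
            findings.append(Finding(ctl.name, ctl.owner,
                                    f"evidence {age} days old, cadence is {ctl.cadence}"))
        findings.extend(_check(ctl, ev, today))
    return findings


def tickets_by_owner(findings):
    """Group findings by owner, the shape a ticket board or weekly report needs."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.owner].append(f"{f.control}: {f.reason}")
    return dict(grouped)


# Constructed sample plan and evidence (not from the ECC document).
PLAN = [
    Control("Patch management", "patch-window", "IT manager", "monthly", "patch_age"),
    Control("Access control", "config-baseline", "IT manager", "weekly", "baseline"),
    Control("Acceptable use", "team-attestation", "Department lead", "quarterly", "attestation"),
]
EVIDENCE = [
    Evidence("patch-window", date(2024, 5, 31),
             {"ws-01": date(2024, 5, 28), "ws-02": date(2024, 4, 20), "srv-01": date(2024, 5, 30)}),
    Evidence("config-baseline", date(2024, 5, 20), {"ws-01": True, "ws-02": False}),
    # older duplicate record, ignored in favour of the newer one above
    Evidence("config-baseline", date(2024, 5, 13), {"ws-01": True, "ws-02": True}),
    # no attestation evidence has been collected yet
]
TODAY = date(2024, 6, 3)

if __name__ == "__main__":
    for owner, items in tickets_by_owner(evaluate(PLAN, EVIDENCE, TODAY)).items():
        print(owner)
        for item in items:
            print("  -", item)
```

With the constructed data this yields four findings: one host past the patch SLA, a stale baseline report plus one host off baseline, and a missing attestation, grouped so that the IT manager and the department lead each see only their own items. The point of the design is that "no evidence" and "old evidence" are reported as gaps in their own right rather than silently passing, which is what makes the weekly check trustworthy as proof of implementation.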
Example in a Small or Medium Business
AcmeCo, a 75-person marketing agency, assigns its IT manager as the cybersecurity function owner and creates a simple implementation plan that maps each policy to tools and people. For example, the access control policy maps to Active Directory groups and an access request process owned by HR; the patch management policy maps to their remote management tool and a monthly patch window. They set 30/60/90 day milestones, assign responsibilities to department leads, and track progress on a shared Kanban board. Automated measures include scheduled patching, endpoint antivirus, and managed backups; manual measures include documented onboarding/offboarding checklists and quarterly access reviews. The IT manager runs weekly checks of automation reports and raises tickets for gaps, while department leads attest quarterly that their teams follow procedures. For their main contractor, AcmeCo requires a signed security addendum and a light questionnaire annually to confirm alignment with the agency's policies. Over six months the agency reduces overdue patches and closes onboarding gaps, and leadership receives quarterly reports showing implementation status and remaining risks.
Summary
Implementing this control requires a practical program that links documented policies to owners, systems, and measurable actions. SMBs can meet the requirement by creating a simple implementation plan, assigning clear responsibilities, combining targeted automation with manual processes where needed, and establishing regular verification and reporting. These policy and technical measures ensure security requirements are not just written down but are actively enforced, monitored, and improved over time.