Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-5-4 – The cybersecurity risk management methodology and procedures must be reviewed periodically according to planned intervals or upon changes to related laws and regulations. Changes and reviews must be approved and documented.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to maintain a living cybersecurity risk management methodology: scheduled, documented reviews and a documented approval process for any changes. The goal is to ensure the organization's risk approach stays current against new threats, internal changes, and shifting legal or regulatory obligations. For an SMB, that means having a simple, repeatable review cadence, a clear trigger list for regulatory changes, and records showing who approved updates and when.
Technical Implementation
- Establish a documented review schedule. Create a one-page review plan that specifies the review interval (for example, annual) and responsibilities. Record the schedule in a shared calendar and set automated reminders (Microsoft 365/Google Workspace calendar or an IT ticketing tool) 60 and 30 days before each review window so it isn't missed.
- Appoint an owner and approval authority. Designate a named owner (IT Manager, CISO, or Compliance Lead) responsible for conducting reviews and a senior approver (COO/CEO or board member) who signs off on changes. Document their roles in the procedure and capture approvals as signed change records or emailed approvals retained in a compliance folder.
- Maintain version control and a change log. Keep the methodology and procedures in a single source (enterprise wiki, document management system, or Git-based repository). Use incrementing version numbers and record a short summary of changes, the author, the approver, and the date for each version. Retain previous versions as audit evidence and for internal tracking.
- Define review triggers tied to laws and regulations. Build a short trigger checklist that includes new cybersecurity laws, sector-specific regulations, major incidents, mergers/acquisitions, and significant changes in technology or services. Subscribe to relevant regulator updates and industry alerts, or use a simple legal-watch service, to surface law changes that require an immediate review.
- Use practical assessment checklists and metrics. During each review, run a checklist covering risk identification, risk acceptance criteria, controls mapping, incident response alignment, and residual risk. Record any metric changes (number of critical assets, change in threat landscape, new regulatory obligations) and link them to specific procedural updates.
- Document approvals and retain evidence. Capture approvals as signed PDFs, recorded meeting minutes, or an approval ticket in your workflow tool. Retain review reports and evidence for a defined retention period (e.g., 3–5 years) to demonstrate compliance during audits or regulatory inquiries.
Example in a Small or Medium Business
Imagine a 75-employee managed services company that provides cloud hosting and stores client data. The IT Manager is assigned as the owner of the risk management methodology and creates a simple annual review calendar entry with reminders. Each year they run a one-day workshop with the head of operations, a senior engineer, and a legal consultant to check whether the risk methodology still reflects current services and regulatory obligations. When a new national data protection rule is issued mid-year, the legal consultant flags the change and the IT Manager triggers an ad-hoc review within two weeks. The team updates the procedure to include new data handling requirements, updates the risk register to reflect increased compliance risk, and records the changes in the document repository with a new version number. The COO reviews the changes and provides written approval, which is stored alongside the updated procedure. The IT Manager sends a short internal bulletin and schedules a 30-minute training for affected staff to ensure operational alignment.
Summary
By combining a simple documented review schedule, a clear owner and approver, version control, trigger-based reviews for legal changes, and retained approval evidence, SMBs can meet Control 1-5-4 efficiently. These largely administrative controls, supported by calendar reminders and a version-controlled document repository, keep the risk management methodology current, auditable, and aligned with both operational realities and regulatory obligations, while keeping the process lightweight and practical for smaller teams.