Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-6-1 – Cybersecurity requirements must be included in project and asset (information/technology) change management methodology and procedures to identify and manage cybersecurity risks as part of project management lifecycle. The cybersecurity requirements must be a key part of the overall requirements of technology projects.
Understanding the Requirement
This control (from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework) requires organizations to bake cybersecurity into both project management and IT asset change processes so risks are identified and managed throughout the project lifecycle. Practically, that means adding security acceptance criteria, vulnerability assessments, secure-configuration checks, patch verification and rules for monitoring connections into project and change workflows, with senior leadership formally endorsing those requirements.
Technical Implementation
- Embed security gates in the project lifecycle. Update your project methodology (project charters, stage-gate checklists, sprint definitions) to require a security acceptance item before moving to the next phase: e.g., design signoff must include a threat model review, and pre-production cannot occur until vulnerabilities above a defined severity are tracked and scheduled for remediation.
- Perform pre-deployment security testing. Require automated scans (SAST for code, SCA for dependencies, DAST or pentest for web apps) and a configuration baseline review before any system goes live or any major change is accepted. Define minimum scanning tools and frequency and record evidence in the project ticket.
- Fix and track findings before launch. Define remediation SLAs by severity (e.g., critical: 7 days, high: 30 days) and prevent approvals for production deployment until critical/high issues are mitigated or formally risk-accepted by an executive sponsor. Use your ticketing/change system to link findings to remediation tasks and closure evidence.
- Use hardened images and patch verification. Maintain a library of hardened VM/container images and configuration templates. As part of change management, require a checklist confirming baseline hardening and that all required patches were applied and verified in a staging environment prior to production rollout.
- Define integration and monitoring requirements. For any system that will connect to monitoring, logging or cyber surveillance (SIEM, IDS, endpoint telemetry), specify the connection requirements in project docs: expected log formats, retention, alert thresholds, and who will own incident triage. Include these requirements in change tickets and test alerts during staging.
- Secure executive approval and documentation. Add a formal security sign-off step that requires the head of the organization or their deputy to approve project cybersecurity posture where residual risk remains. Maintain an auditable package (risk register, test results, approvals) attached to every project and major change request.
Example in a Small or Medium Business
A 45-person regional e-commerce SMB plans to replace its order-management system. The IT manager updates the project template to include a security gate before user acceptance testing: the vendor must provide a software bill-of-materials, a current vulnerability scan, and a secure-configuration checklist. The dev team runs dependency scans (SCA) and an automated DAST against the staging environment; two high severity findings are discovered. These are logged in the change system, assigned to developers with a 14-day SLA, and a follow-up scan is required to show remediation. The hardened production image and patch list are stored in the company's image library and must be used by the deployment pipeline. The project plan also includes a requirement to send application logs to the SIEM with a defined retention period and alert thresholds; the security analyst verifies alerts during staging. Before launch, the CEO (as delegated executive) reviews the risk register and signs the security approval. The project moves to production only after the critical vulnerabilities are resolved and the executive sign-off is documented in the ticket.
Summary
Including cybersecurity requirements in project and change management transforms security from an afterthought into a controlled, auditable part of the development and deployment lifecycle. By embedding security gates, pre-deployment testing, hardened baselines, monitoring requirements, remediation SLAs and executive sign-off into project artifacts and change tickets, SMBs ensure risks are identified, mitigated, and accepted at the right level — reducing surprises in production and improving overall resilience.
