Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-2 – The personnel cybersecurity requirements must be implemented.
Understanding the Requirement
This control requires an organization to implement the personnel-related cybersecurity requirements that have been identified, documented and approved for HR and workforce processes. In practice this means turning the human-resources cyber rules in your Human Resources Cybersecurity Policy into concrete actions: an implementation plan, operational HR procedures (onboarding, offboarding, training, contractors, disciplinary measures) and ongoing compliance controls. This guidance is aligned with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and focuses on making those personnel requirements active and auditable within an SMB.
Technical Implementation
- Inventory and map personnel requirements into actionable controls — Start by extracting every personnel-related requirement from your approved Human Resources Cybersecurity Policy and map each to specific HR processes (recruiting, onboarding, role changes, offboarding, contractors). For each requirement assign an owner, a target completion date and measurable acceptance criteria (for example: "all new hires complete MFA setup and security awareness training before receiving domain access").
- Create an implementation action plan with milestones — Develop a short project plan for rolling out personnel controls that includes prioritized tasks (high-risk roles first), responsible teams (HR, IT, security lead), resources required and a timeline. Include quick wins (mandatory security training for all staff this quarter) and medium-term items (integrating the HR system with identity management for automated deprovisioning within 24 hours of termination).
- Embed requirements in HR procedures and job artifacts — Update job descriptions, employment offers, contractor statements of work and NDAs to include security obligations (acceptable use, data handling, MFA use, reporting incidents). Document how HR will verify security prerequisites (background checks where appropriate, verification of certifications) and make those checks part of the hiring checklist used by recruiters and hiring managers.
- Operationalize onboarding and offboarding controls — Ensure onboarding tasks include mandatory security setup (corporate device configuration, account provisioning, access approvals, initial security training). On offboarding, ensure procedures require immediate access revocation, device collection or remote wipe, exit interviews that remind departing staff of post-employment obligations, and transfer of business-owned data. Automate where possible using your identity provider and ticketing system to reduce human error.
- Training, monitoring and enforcement — Implement role-based security training with tracked completion and periodic refreshers; maintain evidence of completion in HR records. Monitor compliance through periodic audits (sample user checks, verification of last login, MFA status) and enforce through defined disciplinary measures for non-compliance. For contractors and external stakeholders, require proof of compliance or include contractual clauses that bind them to your personnel cybersecurity requirements.
- Review and continuous improvement — Schedule periodic reviews of the HR Cybersecurity Policy and personnel procedures (at least annually or after major incidents) and use metrics from the action plan (time-to-provision, percent of staff trained, percent of accounts deprovisioned within SLA) to drive improvements and report to leadership.
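The audit and metrics steps above (terminated accounts disabled within the 24-hour SLA, last-login checks, MFA status of active staff, training completion, percent of accounts deprovisioned within SLA) can be scripted against exports from the HR system and the identity provider so that the evidence is produced the same way every cycle. The following Python is an added example, not code from this page or from any ECC publication; the record layouts, field names and sample rows are constructed assumptions, and in practice the two lists would be loaded from your HRIS and IdP exports.

```python
"""Personnel-control audit over constructed HR and identity-provider exports.

Assumed inputs (not a real HRIS/IdP schema): one HR record per person and one
IdP account per user id. Produces the findings and metrics an auditor or the
executive sponsor would ask for under a 24-hour deprovisioning SLA.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA_HOURS = 24  # assumed deprovisioning SLA from the action plan


@dataclass
class HrRecord:
    user_id: str
    role: str
    status: str                      # "active" or "terminated"
    terminated_at: Optional[datetime]
    training_complete: bool


@dataclass
class IdpAccount:
    user_id: str
    enabled: bool
    mfa_enrolled: bool
    disabled_at: Optional[datetime]
    last_login: Optional[datetime]


# Constructed sample exports; every row is invented for the example.
HR_EXPORT = [
    HrRecord("u001", "developer", "active", None, True),
    HrRecord("u002", "finance", "active", None, False),
    HrRecord("u003", "contractor", "terminated", datetime(2024, 5, 1, 9, 0), True),
    HrRecord("u004", "developer", "terminated", datetime(2024, 5, 2, 9, 0), True),
    HrRecord("u005", "sysadmin", "terminated", datetime(2024, 5, 3, 9, 0), False),
]
IDP_EXPORT = {
    "u001": IdpAccount("u001", True, True, None, datetime(2024, 5, 10)),
    "u002": IdpAccount("u002", True, False, None, datetime(2024, 5, 9)),
    # disabled 6 h after termination: inside the SLA
    "u003": IdpAccount("u003", False, True, datetime(2024, 5, 1, 15, 0), datetime(2024, 4, 30)),
    # disabled 48 h after termination: SLA missed
    "u004": IdpAccount("u004", False, True, datetime(2024, 5, 4, 9, 0), datetime(2024, 5, 1)),
    # still enabled and used after the termination date: highest-priority finding
    "u005": IdpAccount("u005", True, True, None, datetime(2024, 5, 4)),
}


def check_deprovisioning(hr, idp, sla_hours=SLA_HOURS):
    """Compare terminations in HR against account state in the IdP.

    Returns (findings, within_sla_count, terminated_count). A finding is a
    (user_id, detail) pair for an account still enabled or disabled too late.
    """
    findings = []
    within_sla = 0
    terminated = [r for r in hr if r.status == "terminated"]
    for rec in terminated:
        acct = idp.get(rec.user_id)
        if acct is None:                      # nothing to revoke
            within_sla += 1
            continue
        if acct.enabled:
            detail = "account still enabled after termination"
            if acct.last_login and acct.last_login > rec.terminated_at:
                detail += ", last login is after the termination date"
            findings.append((rec.user_id, detail))
            continue
        lag_hours = (acct.disabled_at - rec.terminated_at) / timedelta(hours=1)
        if lag_hours > sla_hours:
            findings.append((rec.user_id, f"disabled {lag_hours:.0f} h after termination, SLA is {sla_hours} h"))
        else:
            within_sla += 1
    return findings, within_sla, len(terminated)


def check_mfa(hr, idp):
    """Active staff who hold an account but have not enrolled MFA."""
    return [r.user_id for r in hr
            if r.status == "active" and r.user_id in idp and not idp[r.user_id].mfa_enrolled]


def training_completion(hr):
    """Percent of active staff with recorded training completion."""
    active = [r for r in hr if r.status == "active"]
    if not active:
        return 0.0
    return 100.0 * sum(r.training_complete for r in active) / len(active)


def compliance_metrics(hr, idp, sla_hours=SLA_HOURS):
    """The metrics the action plan reports to leadership, plus the findings behind them."""
    findings, within_sla, terminated = check_deprovisioning(hr, idp, sla_hours)
    return {
        "pct_staff_trained": training_completion(hr),
        "pct_deprovisioned_within_sla": 100.0 * within_sla / terminated if terminated else 100.0,
        "active_without_mfa": check_mfa(hr, idp),
        "deprovisioning_findings": findings,
    }


if __name__ == "__main__":
    for key, value in compliance_metrics(HR_EXPORT, IDP_EXPORT).items():
        print(f"{key}: {value}")
```

Run it on the constructed data and the script reports 50% training completion, one active account without MFA, and only one of three terminations deprovisioned inside the SLA, with the still-enabled account that was used after the termination date flagged separately from the one that was merely disabled late. Those two findings warrant different responses (incident triage versus an SLA miss), which is why the detail string distinguishes them; the percentages are the figures the monthly manager report and the quarterly executive review would carry.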
Example in a Small or Medium Business
AcmeCo, a 75-person software services firm, started by extracting all people-related security requirements from their HR Cybersecurity Policy and assigning a single project owner in HR. They created a three-month action plan that prioritized automating account deprovisioning and rolling out baseline security training. Recruiters began including security obligations in offers, and contractors had to sign a security addendum before access was granted. Onboarding checklists were updated so that IT receives a ticket when an offer is accepted, triggering device imaging, MFA enrollment and access requests tied to the employee's role. Offboarding became a one-step process in their ticketing system that revoked access, archived the employee mailbox and triggered device return instructions; HR kept documented evidence of completion. Managers received monthly reports showing training completion rates and any outstanding access issues, and the executive sponsor reviewed these metrics quarterly. When gaps were found in remediation times, AcmeCo adjusted staffing and updated the SLA to meet the requirement that deprovisioning occurs within 24 hours of termination.
Summary
By converting the Human Resources Cybersecurity Policy into an explicit action plan, embedding requirements into HR procedures and operational workflows, and adding monitoring and enforcement, SMBs can make personnel cybersecurity requirements real, repeatable and auditable. Practical actions — mapping policy to processes, automating provisioning/deprovisioning, tracking training and contractual obligations for external workers — close the gap between documented requirements and day-to-day practice, satisfying Control 1-9-2 and reducing human-related security risk.