Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-3 – The personnel cybersecurity requirements prior to employment must include at least the following:
Understanding the Requirement
This control requires that organizations define and apply minimum cybersecurity checks and conditions before hiring staff. Within the Essential Cybersecurity Controls (ECC – 2 : 2024) it is broken into the sub-controls 1-9-3-1 and 1-9-3-2, which together call for vetting candidates before employment, with screening proportionate to the risk of the role, and for new hires to accept baseline security obligations before they are given access to systems and data. For an SMB that means documenting which checks are required, applying them consistently (for example identity, employment history and qualifications, plus more rigorous checks for privileged roles), and keeping evidence that each hire passed the checks and accepted the obligations before any account was provisioned.
Technical Implementation
- Write a short pre-employment security policy: Create a simple one-page policy that lists the required checks (ID verification, proof of qualifications, reference checks, and where appropriate criminal record checks), the roles that require elevated screening, and the legal/consent steps. Apply it to contractors and temporary staff as well as employees, since they receive the same credentials. Make it part of HR's standard hiring checklist so it is applied consistently.
- Automate identity and document verification: Use an inexpensive identity verification service or HR platform to validate IDs and certifications quickly. For SMBs, tools that scan government IDs, cross-check professional licenses, or verify education reduce manual errors and speed onboarding. Keep only the verification result and the minimum evidence the policy requires; copies of identity documents are sensitive personal data and should be stored with restricted access and a defined retention period.
- Role-based screening and least privilege: Classify roles by risk (e.g., standard user, admin, finance access) and require more extensive vetting for higher-risk positions, such as background checks or technical skills verification for system administrators and finance employees. Tie role classification to access provisioning so elevated access is only granted after the checks for that tier are complete, and fail closed: a role that has not yet been classified gets no access at all until it is.
- Signed security agreements before system access: Require new hires to sign an acceptable use policy, confidentiality/NDA, and any role-specific security rules as a condition of account creation. Store signed documents in HR records and block account provisioning until signed.
- Enforce technical gating during onboarding: Use an onboarding workflow that prevents account creation or network access until identity verification, signed agreements, and initial security awareness training are completed. Implement simple automation (scripts, MDM enrollment checks, or IAM workflows) to enforce these gates.
- Keep auditable records and review periodically: Maintain a log of completed pre-employment checks tied to employee records, with access restricted to HR and the staff who need it, and review the process at least annually. For compliance and incident response, retain evidence that each hire passed the required checks, and periodically audit that the policy is followed, including for contractors and any hires made outside the normal workflow.
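As an added illustration of the gating, role-classification and record-keeping steps above (this is not code from the ECC or from any HR/IAM product), the following Python sketch encodes the role tiers, the checks each tier requires and the least-privilege access baseline as data, and fails closed: an unclassified role, a missing check, or evidence older than a configurable age blocks provisioning, and every decision is emitted as a JSON audit record. The role names, check names, 180-day evidence age and candidate records are constructed assumptions for this example.

```python
"""Onboarding provisioning gate (added example, not the page's or any product's code).

Evaluates a candidate record against the checks required for the role's risk
tier and returns either an approval with the access to provision, or the list
of unmet prerequisites. All names and candidate data below are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Checks every hire needs before any account exists (names are assumptions).
BASE_CHECKS = {"id_verified", "references_checked", "aup_signed",
               "nda_signed", "awareness_training"}
# Extra checks per risk tier; "elevated" covers admin, developer and finance roles.
TIER_CHECKS = {"standard": set(), "elevated": {"background_check", "skills_verified"}}
# Role classification maintained by HR/IT. A role not listed here must fail closed.
ROLE_TIER = {"support-agent": "standard", "developer": "elevated",
             "sysadmin": "elevated", "finance": "elevated"}
# Least-privilege baseline provisioned per tier; anything more is a separate request.
TIER_ACCESS = {"standard": ["email", "chat"],
               "elevated": ["email", "chat", "vpn", "customer-env"]}


@dataclass
class Candidate:
    name: str
    role: str
    completed: dict[str, date]  # check name -> date the evidence was recorded


@dataclass
class Decision:
    approved: bool
    access: list[str] = field(default_factory=list)   # what IT may provision
    missing: list[str] = field(default_factory=list)  # checks with no evidence
    stale: list[str] = field(default_factory=list)    # evidence older than allowed


def required_checks(role: str) -> set[str] | None:
    """All checks for the role's tier, or None if the role is unclassified."""
    tier = ROLE_TIER.get(role)
    return None if tier is None else BASE_CHECKS | TIER_CHECKS[tier]


def evaluate(c: Candidate, today: date, max_age_days: int = 180) -> Decision:
    """Gate provisioning: approve only when every required check is present and fresh."""
    required = required_checks(c.role)
    if required is None:  # unclassified role: no access until HR/IT classifies it
        return Decision(False, missing=["role_classification"])
    done = set(c.completed)
    missing = sorted(required - done)
    stale = sorted(k for k in required & done
                   if (today - c.completed[k]).days > max_age_days)
    if missing or stale:
        return Decision(False, missing=missing, stale=stale)
    return Decision(True, access=list(TIER_ACCESS[ROLE_TIER[c.role]]))


def audit_record(c: Candidate, d: Decision, today: date) -> str:
    """One JSON line per decision, suitable for appending to the HR/IT audit log."""
    return json.dumps({
        "date": today.isoformat(), "candidate": c.name, "role": c.role,
        "approved": d.approved, "access": d.access,
        "missing": d.missing, "stale": d.stale,
        "evidence": {k: v.isoformat() for k, v in sorted(c.completed.items())},
    }, sort_keys=True)


def demo_decisions() -> dict[str, Decision]:
    """Constructed candidates covering the approve, missing, stale and unclassified paths."""
    today = date(2024, 6, 1)
    fresh = {k: date(2024, 5, 20) for k in BASE_CHECKS}
    candidates = {
        "ok": Candidate("A. Hire", "support-agent", dict(fresh)),
        "admin_unvetted": Candidate("B. Admin", "sysadmin", dict(fresh)),
        "stale_id": Candidate("C. Hire", "support-agent",
                              {**fresh, "id_verified": date(2022, 1, 1)}),
        "unclassified": Candidate("D. Intern", "intern", {}),
    }
    return {label: evaluate(c, today) for label, c in candidates.items()}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    fresh = {k: date(2024, 5, 20) for k in BASE_CHECKS}
    for c in (Candidate("A. Hire", "support-agent", fresh),
              Candidate("B. Admin", "sysadmin", fresh)):
        print(audit_record(c, evaluate(c, today), today))
```

The point of keeping tiers, checks and baseline access as data is that HR owns the role classification and IT owns the provisioning, yet neither can skip the gate: IT's onboarding script calls `evaluate` and only provisions what the returned `access` list allows, and the audit line records exactly which evidence the decision rested on.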
Example in a Small or Medium Business
A twelve-person software consultancy formalizes a short pre-employment security checklist after a near-miss where a contractor had excessive access. The company creates a one-page policy stating that all hires, contractors included, must have ID verification, two professional references checked, and must sign the confidentiality and acceptable-use agreements prior to receiving credentials. For developer and admin roles (classified as high risk), they add technical skills verification and a basic background check, subject to local law and the candidate's consent. HR integrates these steps into their applicant tracking system: once a candidate accepts an offer, the system triggers ID verification and sends the required agreements for e-signature. IT is notified only after all checks are complete; only then does IT provision accounts, enroll devices in the company MDM, and enable MFA. New hires must also complete a 30-minute security orientation before any access to customer environments is granted. The company retains the evidence of checks in an access-restricted HR folder and reviews the onboarding flow quarterly to ensure the controls remain practical and lawful.
Summary
By combining a clear pre-employment policy with practical technical gates and role-based screening, SMBs can meet Control 1-9-3’s requirement that personnel cybersecurity checks occur before employment. Documenting required checks, automating identity verification, gating access until signed agreements and training are complete, and keeping auditable records ensure hires are appropriately vetted and access is limited by risk — all achievable with low-cost tools and integrated HR/IT workflows.