Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-13-1 – Requirements for cybersecurity incidents and threat management must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to have a documented, approved policy and procedure set that governs how cybersecurity incidents and threat information are managed from detection through closure. It covers an incident response plan, a severity classification scheme, clearly assigned roles and responsibilities, stakeholder communications (including a defined way to notify your National Cybersecurity Authority), sharing of incident and threat intelligence (indicators, reports), mechanisms to collect and handle threat feeds, and a schedule for periodic review. This control comes from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is focused on ensuring incidents are handled consistently, escalated correctly, and reported to authorities when required.
Technical Implementation
- Create a concise Incident Response Plan (IRP): document step-by-step actions for detection, containment, eradication, recovery, and post-incident review. Include checklists for first responders, forensic evidence preservation steps, and time-based escalation triggers (e.g., 2 hours for suspected data exfiltration).
- Define incident severity levels and a decision matrix: use a simple three- to five-level scale (e.g., Low/Medium/High/Critical) tied to impacts such as data confidentiality, operational disruption, regulatory exposure, and potential public impact. Map each level to required response timelines, approval authorities, and notification requirements (internal, and to the National Cybersecurity Authority).
- Assign roles, responsibilities and communication paths: designate an Incident Response Lead (in an SMB this can be the IT manager), backup leads, a legal contact, a PR/communications contact, and an executive sponsor. Produce a contact tree and an incident communication template for internal staff, customers, regulators, and NCA notification, with the required fields and evidence attachments.
- Integrate threat intelligence and IOC handling: subscribe to at least one commercial or public threat feed relevant to your sector, set up automated ingestion into your SIEM/endpoint tools (or a simple spreadsheet if no SIEM exists), and define triage rules to convert feed entries into actionable indicators. Establish a secure channel and template for sharing IOCs and incident reports with the NCA.
- Governance and executive approval: obtain formal sign-off of the IRP and incident policy from the organization head or their deputy. Record approvals in the policy header and schedule an annual review and approval event; add a clause requiring an earlier review after a significant incident.
- Testing, logging and continuous improvement: run tabletop exercises twice a year to validate roles and timelines, log actions taken during incidents for audit and NCA reporting, and update the IRP after each exercise or real incident. Maintain a lessons-learned register and adjust classification thresholds and notification templates as needed.
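The feed-triage step in the threat intelligence item above, as an added Python example that is not part of this page or of any ECC guidance: it reads a constructed CSV feed export (the column names, the sample values and the list of internal networks are assumptions) and applies format validation, an own-asset exclusion, a confidence floor, a freshness window and de-duplication before any indicator is handed to a blocking control.

```python
import csv
import ipaddress
import re
from datetime import datetime, timedelta
# Constructed sample feed export (not a real feed); columns mirror a typical CSV IOC feed.
SAMPLE_FEED = """indicator,type,confidence,last_seen
203.0.113.45,ipv4,90,2024-05-01
203.0.113.45,ipv4,90,2024-05-01
10.0.0.5,ipv4,95,2024-05-02
evil-example.test,domain,40,2024-05-02
c2-example.test,domain,88,2024-05-04
update.example-cdn.test,domain,85,2023-01-01
0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0,sha256,80,2024-05-03
not-a-hash,sha256,99,2024-05-03
"""
# Address space the organisation owns (assumed): an IOC inside it is a feed error, never a block entry.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)

def is_actionable_format(value: str, ioc_type: str) -> bool:
    """Reject malformed values and own-asset addresses before they reach a blocking control."""
    if ioc_type == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return False
        return not any(addr in net for net in INTERNAL_NETS)
    if ioc_type == "domain":
        return bool(DOMAIN_RE.match(value))
    if ioc_type == "sha256":
        return bool(SHA256_RE.match(value))
    return False  # unknown type: leave for manual triage

def triage(feed_csv: str, now: datetime, min_confidence: int = 70, max_age_days: int = 90) -> dict:
    """Triage rules: valid format, confidence floor, freshness window, de-duplication."""
    cutoff = now - timedelta(days=max_age_days)
    actionable = {"ipv4": set(), "domain": set(), "sha256": set()}
    for row in csv.DictReader(feed_csv.splitlines()):
        value, ioc_type = row["indicator"].strip().lower(), row["type"].strip().lower()
        if not is_actionable_format(value, ioc_type) or int(row["confidence"]) < min_confidence:
            continue
        if datetime.fromisoformat(row["last_seen"]) < cutoff:
            continue  # stale indicator: blocking it risks false positives on reassigned infrastructure
        actionable[ioc_type].add(value)
    return {k: sorted(v) for k, v in actionable.items()}

def run_sample() -> dict:
    """Triage the constructed feed as of a fixed date so the result is reproducible."""
    return triage(SAMPLE_FEED, now=datetime(2024, 5, 10))
```

Anything the rules drop (the internal address, the low-confidence domain, the stale domain, the malformed hash) stays in the raw feed for analyst review rather than being silently discarded from the record.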
Example in a Small or Medium Business
Acme Retail, a 120-employee e-commerce SMB, created a one-page Incident Response Plan that ties to its broader cybersecurity policy and was approved by the CEO. The plan classifies incidents into Low, Medium, High and Critical; a suspected malware infection affecting >=10% of POS terminals is immediately classified as High. The IT Manager is the Incident Response Lead and has two deputies; the plan lists a legal contact and the marketing lead for external communications. Acme subscribes to a sector threat feed and imports new IOCs into its endpoint protection console for automated blocking. When a Critical ransomware event hit one weekend, the IRP’s containment checklist was followed, evidence preserved, and the NCA notification template was used to alert the authority within the timeframe specified. Executives reviewed the incident within 48 hours, approved emergency budget for recovery, and mandated a post-incident tabletop to improve response time and refine thresholds. The post-incident review updated the plan, documented lessons learned, and reaffirmed executive approval of the revised policy.
Summary
A clear, approved incident and threat management policy plus pragmatic technical measures ensure SMBs can detect, classify, respond to, and report cybersecurity incidents consistently. By combining a documented Incident Response Plan, a severity classification and escalation matrix, designated roles and communication templates (including NCA notification), integrated threat intelligence handling, regular testing, and executive sign-off, small organizations create a repeatable process that reduces response time, protects evidence, supports regulator reporting, and drives continuous improvement.