Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-13-2 – The requirements for cybersecurity incidents and threat management must be implemented.
Understanding the Requirement
This control requires an operational capability to detect, classify, respond to, report and learn from cybersecurity incidents and threats. In practical terms for an SMB, that means documenting an incident response plan, defining severity levels and clear roles and communication paths (including how and when to notify the National Cybersecurity Authority), collecting and using threat intelligence, sharing relevant notifications and indicators with the NCA, and periodically reviewing and exercising the plan. This aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and focuses on making incident response repeatable, measurable and compliant.
Technical Implementation
- Create a concise Incident Response Plan and runbook: write a one-page incident response summary and a companion runbook that lists steps for detection, containment, eradication, recovery and post-incident review. Include required time targets (e.g., initial triage within 30–60 minutes for high/critical incidents), an evidence-handling checklist (logs, disk imaging, chain-of-custody), and escalation criteria tied to severity levels.
- Classify incidents by severity and map actions: define at least four severity levels (Low, Medium, High, Critical). For each level specify who is notified, response SLAs, containment measures and whether NCA notification is required. Example: "Critical" = data exfiltration or ransomware affecting production systems → immediate executive and NCA notification, activate full IR team and isolate affected hosts.
- Assign clear roles & communications: designate an Incident Lead, Technical Responder(s), Legal/Privacy POC and a Communications POC. Publish a contact list and preferred secure channels (e.g., encrypted email, secure portal or telephone tree). Prepare standardized notification templates for internal stakeholders, customers (if applicable) and the NCA to speed reporting under pressure.
- Collect and use threat intelligence: subscribe to affordable commercial feeds or free sources relevant to your sector, and ingest indicators into your endpoint detection/response (EDR) or SIEM. Automate IOC matching where possible and assign a weekly owner to triage new intelligence and tune detection rules.
- Establish a mechanism to notify the National Cybersecurity Authority (NCA): determine the NCA's preferred submission channel (portal, email, or hotline), record the NCA contact details in the runbook, and test the notification process in tabletop exercises. Ensure you can securely share incident notifications, reports and IOCs in formats accepted by the NCA (e.g., STIX/TAXII or structured CSV) or via their portal.
- Review and exercise regularly: run tabletop exercises every 6–12 months, update the plan after real incidents, and maintain an incident register with lessons learned. Track metrics (time to detect, time to contain, number of incidents by severity) to inform improvements and board reporting.
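As an added example, not taken from the ECC document or from any vendor's tooling, the Python sketch below wires together the mechanical parts of the items above: matching a constructed IOC feed against constructed log lines, looking up the obligations attached to a severity level, and computing time-to-detect and time-to-contain from an incident register. The High/Critical triage targets follow the 30–60 minute guidance above; the Low/Medium targets, the indicator values, the log lines and the incident timestamps are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample IOC feed and log lines (hypothetical values, not real indicators).
IOC_FEED = ["203.0.113.45", "evil-updates.example", "198.51.100.7"]
LOG = [
    "2024-05-01T09:12:03Z fw deny src=203.0.113.45 dst=10.0.0.12 dport=445",
    "2024-05-01T09:13:10Z dns query evil-updates.example from 10.0.0.31",
    "2024-05-01T09:13:11Z fw allow src=198.51.100.70 dst=10.0.0.5 dport=443",
]
# Severity -> (initial triage target in minutes, NCA notification required).
# High/Critical follow the 30-60 minute guidance above; Low/Medium targets are assumed.
SEVERITY_POLICY = {"Low": (480, False), "Medium": (240, False),
                   "High": (60, True), "Critical": (30, True)}

@dataclass
class Incident:
    severity: str
    occurred: datetime   # best estimate of when the compromise began
    detected: datetime   # first alert
    triaged: datetime    # a responder acknowledged the alert and started triage
    contained: datetime  # affected hosts isolated / threat stopped

def match_iocs(log_lines, iocs):
    """Return (line, indicator) pairs; word boundaries stop 198.51.100.7 matching .70."""
    patterns = [(ioc, re.compile(r"\b" + re.escape(ioc) + r"\b")) for ioc in iocs]
    return [(line, ioc) for line in log_lines for ioc, pat in patterns if pat.search(line)]

def required_actions(incident):
    """Look up the obligations for the incident's severity and flag a missed triage target."""
    target, notify_nca = SEVERITY_POLICY[incident.severity]
    delay_min = (incident.triaged - incident.detected).total_seconds() / 60
    return {"triage_target_min": target, "triage_missed": delay_min > target,
            "nca_notification": notify_nca}

def register_metrics(incidents):
    """Mean time to detect / contain (minutes) and incident count per severity."""
    return {"mttd_min": mean((i.detected - i.occurred).total_seconds() / 60 for i in incidents),
            "mttc_min": mean((i.contained - i.detected).total_seconds() / 60 for i in incidents),
            "by_severity": dict(Counter(i.severity for i in incidents))}

T = lambda hhmm: datetime(2024, 5, 1, *divmod(hhmm, 100))  # e.g. T(912) -> 09:12 on 2024-05-01
REGISTER = [  # constructed entries: severity, occurred, detected, triaged, contained
    Incident("Critical", T(800), T(912), T(930), T(1100)),
    Incident("High", T(1000), T(1030), T(1200), T(1300)),
]
```

The `triage_missed` flag and the two mean times are the figures an incident register needs for the board reporting and NCA notification decisions described above.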
Example in a Small or Medium Business
Acme Manufacturing, a 150-person SMB, implements this control by drafting a one-page Incident Response Plan and a linked runbook for IT staff. They define four severity levels and map response actions: Low for routine malware on a single workstation, Critical for ransomware affecting production systems. The IT manager is named Incident Lead, with the COO as executive escalation and an external MDR vendor on retainer for 24/7 technical containment. Acme subscribes to a sector-specific threat feed and configures their EDR to automatically flag and quarantine matching IOCs. They record the National Cybersecurity Authority contact details and notification template within the runbook and run a quarterly tabletop that includes practicing an NCA notification. After an actual phishing-driven credential compromise, Acme followed the runbook, contained the breach within hours, submitted a structured notification and indicators to the NCA, and updated detection rules based on the root cause. The post-incident review produced three concrete actions—improve MFA coverage, tighten email filtering, and add a quarterly tabletop—which were implemented within two months.
Summary
By combining a documented incident response plan, clear severity classifications, assigned roles and communication templates, a tested mechanism for notifying the National Cybersecurity Authority, operational threat intelligence ingestion, and periodic reviews/exercises, SMBs can meet the control's requirements in a practical, repeatable way. These policy and technical measures ensure faster detection, more consistent response, compliant reporting and continuous improvement—reducing business impact when incidents occur.