Requirement
Essential Cybersecurity Controls (ECC-2:2024), Control 2-7-1: Cybersecurity requirements for protecting and handling data and information must be defined, documented and approved as per the related laws and regulations.
Understanding the Requirement
This control requires organizations to define, document, and obtain executive approval for rules that govern how data is protected and handled. In practice that means creating a clear policy and supporting procedures that cover data protection, ownership, classification and labeling, and privacy — aligned with policies issued by the National Data Management Office. The intent is to record who is responsible for each data type, how it must be treated across systems and processes, and to ensure the policy is formally approved by executive management.
Technical Implementation
- Draft a concise Data Protection Policy that maps to the National Data Management Office guidance, with sections for Data and Information Protection, Ownership, Classification and Labeling, and Privacy. Keep the policy to one to three pages and link out to procedures for the technical controls so staff can find operational steps easily.
- Perform a data inventory and classification exercise: identify data stores, categorize data by sensitivity (for example Public, Internal, Confidential, Restricted), and apply labeling conventions. Record the results in a register that lists the owner, location, classification and retention requirement for each data store.
- Assign data owners and custodians: name a responsible executive (or deputy) and operational owners for each data category. Make owner responsibilities explicit (access approvals, review cadence, classification decisions) and record them in job descriptions or a simple RACI matrix.
- Specify handling and technical controls per classification: require encryption at rest and in transit for Confidential and Restricted data, role-based access control, backup and retention rules, and approved methods for sharing and disposal. Document configuration baselines and the mechanisms that enforce them (for example DLP and periodic access reviews).
- Establish an approval and version-control workflow: present the policy and key procedures to executive management for formal sign-off (organization head or deputy, as required), record the approval in the document header, and keep version history with review dates (for example an annual review).
- Operationalize with training and monitoring: run short role-based training for staff and data owners, publish quick reference guides, and schedule periodic audits or access reviews. Track exceptions and incidents against the policy and update controls based on findings.
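The register and the per-classification handling rules above are where the policy becomes checkable. The following is an added example, not code from the page or from any standard: a small validator that takes a data register (owner, location, classification, encryption status, sharing method, retention, last access review) and reports where each store falls short of the handling rules for its tier. The tier names follow the four-tier scheme above; the thresholds (review cadence per tier, approved sharing methods) and the sample register are assumed values constructed for the example.

```python
"""Validate a data inventory register against per-classification handling rules.

Added example for illustration; the rule thresholds and the sample register are
assumptions, not values taken from ECC-2:2024 or any organization's policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Handling rules per classification tier (assumed policy values):
#   encrypt     - encryption at rest and in transit is mandatory
#   owner       - a named data owner is mandatory
#   review_days - maximum age of the last access review before it is overdue
#   sharing     - approved methods for transferring the data
HANDLING_RULES = {
    "Public":       {"encrypt": False, "owner": False, "review_days": 365,
                     "sharing": {"public-web", "email", "secure-exchange"}},
    "Internal":     {"encrypt": False, "owner": True,  "review_days": 365,
                     "sharing": {"email", "secure-exchange"}},
    "Confidential": {"encrypt": True,  "owner": True,  "review_days": 180,
                     "sharing": {"secure-exchange"}},
    "Restricted":   {"encrypt": True,  "owner": True,  "review_days": 90,
                     "sharing": {"secure-exchange"}},
}


@dataclass
class DataStore:
    """One row of the data register."""
    name: str
    classification: str
    owner: str                          # empty string means no owner assigned
    location: str
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    sharing_method: str
    retention_days: Optional[int]       # None means no retention rule recorded
    last_access_review: Optional[date]  # None means no review on record


def check_store(store: DataStore, today: date) -> List[str]:
    """Return the list of findings for one register entry (empty if compliant)."""
    rules = HANDLING_RULES.get(store.classification)
    if rules is None:
        return [f"unknown classification '{store.classification}'"]
    findings = []
    if rules["owner"] and not store.owner:
        findings.append("no data owner assigned")
    if rules["encrypt"] and not store.encrypted_at_rest:
        findings.append("encryption at rest required")
    if rules["encrypt"] and not store.encrypted_in_transit:
        findings.append("encryption in transit required")
    if store.sharing_method not in rules["sharing"]:
        findings.append(f"sharing method '{store.sharing_method}' not approved "
                        f"for {store.classification}")
    if store.retention_days is None:
        findings.append("retention period not documented")
    if store.last_access_review is None:
        findings.append("no access review on record")
    elif (today - store.last_access_review).days > rules["review_days"]:
        findings.append(f"access review overdue (> {rules['review_days']} days)")
    return findings


def check_register(stores: List[DataStore], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant store name to its findings; compliant stores are omitted."""
    return {s.name: f for s in stores if (f := check_store(s, today))}


# Constructed sample register (not real data) for a firm like the one in the
# example below: one compliant file share, one neglected spreadsheet, an archive
# with a stale review, a public store, and an entry with a tier the policy lacks.
SAMPLE_REGISTER = [
    DataStore("Client file share", "Confidential", "Partner A", "\\\\fs01\\clients",
              True, True, "secure-exchange", 2555, date(2024, 3, 1)),
    DataStore("Payroll spreadsheet", "Confidential", "", "OneDrive/finance",
              False, True, "email", None, None),
    DataStore("Scanned IDs archive", "Restricted", "IT manager", "\\\\fs01\\kyc",
              True, True, "secure-exchange", 1825, date(2024, 1, 15)),
    DataStore("Public website content", "Public", "", "cms.example.com",
              False, True, "public-web", 365, date(2023, 9, 1)),
    DataStore("Legacy CRM export", "Secret", "Partner B", "\\\\fs01\\old",
              True, True, "secure-exchange", 365, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, date(2024, 6, 1)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run periodically (for example from the same schedule as the access reviews), the output is a ready-made exception list for the data owners and an audit artifact showing that the documented handling rules are actually being checked rather than only written down. Treating an unknown classification as a finding, rather than skipping the row, keeps new or mislabeled stores from silently falling outside the policy.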
Example in a Small or Medium Business
GreenLine Accounting, a 45-person regional firm, needed to meet the control for client financial and personal data. The IT manager led a two-week inventory to list where client files, payroll spreadsheets, and scanned IDs were stored. They established a simple three-tier classification (Public, Internal, Confidential) and assigned a partner as executive owner and the IT manager as operational owner. The team documented handling rules: Confidential files must be encrypted, accessible only to assigned staff, and transferred via the firm’s secure file exchange. The partner reviewed and formally approved the policy during a management meeting, and the signed document was posted on the internal intranet. IT implemented role-based permissions, enabled encryption for file shares, and set automated retention for archived files. Staff received a 30-minute training and a one-page quick reference so everyone knew how to label, share, and request access to client data.
Summary
By combining a short, approved policy that references the required data protection topics with practical technical measures (classification, ownership, encryption, access controls, and monitoring), SMBs can meet Control 2-7-1. The policy provides the formal record and approval trail required by regulators and leadership, while the documented procedures and controls ensure consistent handling of data day-to-day. Regular reviews, owner accountability, and basic training close the loop so the documented requirements are actually followed in operations.