Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-7-4 – The cybersecurity requirements for protecting and handling data and information must be reviewed periodically.
Understanding the Requirement
This control requires organizations to run a formal, periodic review of the cybersecurity requirements that govern how data and information are protected and handled. Reviews must follow a documented and approved plan (for example, a quarterly cadence), involve the Cybersecurity function and relevant departments such as IT and data owners, and use either manual channels (email, meetings) or automated compliance tools. The process should cover identity and access management (IAM) controls, trigger updates when laws or regulations change, and record any revisions so they can be approved by the organization’s leader.
Technical Implementation
- Define and document a review schedule and scope: establish a written review plan that specifies frequency (quarterly is a common baseline for SMBs), which data types and systems are in scope (customer PII, financial records, HR data, cloud storage), and measurable outcomes (e.g., evidence of IAM changes, list of updated policies).
- Assign roles and RACI: name the Cybersecurity lead as the owner of the review process, list IT for technical verification, data owners for policy validation, and an executive approver (CEO, COO or delegated deputy) for sign-off on changes. Clarify who executes remediation tasks and who validates completion.
- Use simple tooling to run reviews: SMBs can start with a lightweight compliance management system or even a structured spreadsheet and ticketing workflow. Automate where practical (change logs from IAM systems, access review reports from identity providers) so reviewers get current evidence rather than manual spot checks.
- Include IAM-specific checks: each review should validate user access lists, privileged accounts, multi-factor authentication coverage, orphaned accounts, and service account permissions. Produce an action list for any required role changes, temporary access removals, or privilege reductions.
- Track legal and regulatory triggers: add a monitoring task to the plan to evaluate changes in laws or sector regulations. When a legal change is identified, run an out-of-cycle review and update retention, consent, or cross-border processing requirements as needed.
- Document, approve and retain evidence: capture review findings, the exact changes made to requirements or procedures, and evidence (screenshots, export of access lists, signed policy revisions). Require approval from the head of the organization or their deputy and retain records for audits and future reviews.
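As an added illustration (not part of the ECC control text or any vendor tool), the IAM-specific checks listed above can be scripted over an identity-provider user export so the reviewer receives an action list rather than doing manual spot checks. The CSV columns, the 90-day dormancy threshold, the "admin" privileged role and the sample accounts are assumptions constructed for this example.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample identity-provider export (illustrative, not real accounts).
SAMPLE_EXPORT = """\
user,role,mfa_enabled,last_login,employment_status,account_type
alice@agency.example,admin,true,2024-05-20,active,user
bob@agency.example,editor,false,2024-05-18,active,user
carol@agency.example,admin,false,2024-01-03,terminated,user
backup-svc,admin,false,2024-05-21,active,service
dave@agency.example,viewer,true,2023-11-02,active,user
"""

REVIEW_DATE = date(2024, 5, 31)   # date the quarterly review is run (assumed)
INACTIVITY_DAYS = 90              # dormancy threshold (assumed policy value)
PRIVILEGED_ROLES = {"admin"}      # roles treated as privileged (assumed)


def review_accounts(export_csv, review_date=REVIEW_DATE):
    """Run the review plan's IAM checks over an IdP export; return the action list."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        account = row["user"]
        privileged = row["role"] in PRIVILEGED_ROLES
        has_mfa = row["mfa_enabled"].strip().lower() == "true"
        is_service = row["account_type"] == "service"
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle_days = (review_date - last_login).days
        # Orphaned account: the owner has left but the account still exists.
        if row["employment_status"] != "active":
            findings.append({"account": account, "finding": "orphaned account (owner not active)",
                             "action": "disable account and remove all access"})
            continue  # no point checking MFA or dormancy on an account that will be removed
        # MFA coverage: every human account needs MFA; privileged ones are urgent.
        if not is_service and not has_mfa:
            level = "privileged account without MFA" if privileged else "account without MFA"
            findings.append({"account": account, "finding": level,
                             "action": "enforce MFA before next login"})
        # Service account permissions: privileged roles on non-human identities.
        if is_service and privileged:
            findings.append({"account": account, "finding": "service account holds privileged role",
                             "action": "reduce to a least-privilege role"})
        # Dormant access: no sign-in within the review window.
        if idle_days > INACTIVITY_DAYS:
            findings.append({"account": account, "finding": f"no login for {idle_days} days",
                             "action": "confirm business need or remove access"})
    return findings
```

Each returned entry maps directly to a remediation ticket, and the export plus the returned list can be retained together as the review's evidence.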
Example in a Small or Medium Business
A 35-person marketing agency implements this control with a quarterly review cadence. The agency’s IT manager and a part-time cybersecurity lead prepare a review package that includes current user access listings from their cloud identity provider, recent changes to cloud storage buckets, and a summary of any incidents or access requests since the last review. Department heads (creative, finance, HR) validate that the data categories and handling rules still match business needs. When a new privacy regulation is published affecting client data retention, the cybersecurity lead triggers an out-of-cycle review, updates the retention policy, and coordinates with IT to adjust backup and deletion processes. All changes are documented in a review log, and the CEO signs off on the updated requirements. The agency uses a simple ticketing system to assign remediation tasks and marks them as complete only after IT verifies changes and the cybersecurity lead rechecks access lists. Over time this routine produces an audit trail and reduces the number of orphaned accounts and excessive privileges.
Summary
Periodic review of data protection requirements combines straightforward policy controls (documented review plans, executive approval, legal triggers) with practical technical steps (IAM checks, evidence collection, remediation tracking). For SMBs, a lightweight, repeatable process—backed by clear roles and simple automation where possible—meets the control’s intent: keeping data handling and protection requirements current, enforceable, and demonstrable to auditors or regulators.