Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 3-1-4 – The cybersecurity requirements for business continuity management must be reviewed periodically.
Understanding the Requirement
This control requires organisations to establish a repeatable, documented process to review and update the cybersecurity elements of their business continuity management (BCM). As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the focus is on conducting these reviews at planned intervals and whenever there are significant changes (for example regulatory updates or business changes), recording what changed, and obtaining formal approval from the head of the organisation or their deputy. The outcome is a current, approved set of cybersecurity requirements that align BCM plans with the organisation’s risk, legal, and operational environment.
Technical Implementation
- Define a documented review policy and schedule. Create a short policy that states who is responsible for reviews (BCM owner/IT lead), the frequency (commonly annual, or every 6–12 months for higher-risk firms), and triggers for ad-hoc reviews (e.g., new regulations, major incidents, new systems or suppliers). Keep the policy brief and approved by senior management.
- Maintain a single source of truth for BCM cybersecurity requirements. Store the requirements and associated artefacts (DR plan, recovery time objectives, control lists) in a central repository with version control (document name, version, author, date, change summary). For SMBs this can be a secured shared drive or a simple document management tool.
- Implement a change and evidence log. For every review, record what changed, why, who proposed it, and who approved it. Include evidence such as meeting minutes, test results, audit findings, regulatory notices, or vendor notifications. This log is your proof of compliance and supports continuous improvement.
- Use practical review procedures and lightweight tests. Run a focused set of activities during reviews: checklist-based gap assessments, tabletop exercises for the most critical scenarios, and verification of recovery procedures for critical systems. Document findings and remedial actions with owners and deadlines.
- Monitor external triggers and integrate them into the process. Assign someone to watch for legal/regulatory updates, industry advisories, or significant supplier changes that would trigger an out-of-cycle review. Subscribe to a small number of trusted alert sources or designate a compliance contact to summarize impacts.
- Formal approval and retention. After a review and any updates, obtain formal sign-off from the head of the organisation or their deputy (email approval or signed document). Retain approved versions and approvals for a defined retention period to satisfy audits and demonstrate governance.
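The change-log fields, approver rule and review triggers described above can be enforced mechanically rather than left to memory. The following is an added example, not code from the ECC standard or any product: a small Python register that checks each change-log entry for the required fields and a valid approver role, and reports why a review is due (scheduled interval passed, or an external trigger). The role labels, field names and sample entry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Sequence

# Roles allowed to give formal sign-off under control 3-1-4 (hypothetical labels)
APPROVER_ROLES = {"head_of_organisation", "deputy"}
# Fields the change and evidence log must carry for every review
REQUIRED_FIELDS = ("version", "author", "review_date", "change_summary",
                   "rationale", "approved_by", "approver_role", "evidence")

@dataclass
class ChangeEntry:
    version: str
    author: str
    review_date: date
    change_summary: str
    rationale: str
    approved_by: str
    approver_role: str
    evidence: List[str]  # minutes, test results, audit findings, notices

def validate_entry(entry: ChangeEntry) -> List[str]:
    """Return the problems an auditor would flag; an empty list means audit-ready."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not getattr(entry, name):
            problems.append(f"missing {name}")
    if entry.approver_role not in APPROVER_ROLES:
        problems.append(f"approver role '{entry.approver_role}' is not "
                        "head of organisation or deputy")
    return problems

def due_reasons(last_review: date, today: date, interval_days: int = 365,
                triggers: Sequence[str] = ()) -> List[str]:
    """Why a review is due now: the scheduled interval has passed and/or a trigger fired."""
    reasons = []
    overdue = (today - last_review).days - interval_days
    if overdue > 0:
        reasons.append(f"overdue by {overdue} days")
    reasons.extend(f"trigger: {t}" for t in triggers)  # triggers always force a review
    return reasons

# Constructed sample entry, not taken from the page
SAMPLE = ChangeEntry("1.3", "IT Manager", date(2024, 7, 15),
                     "Reordered recovery priorities", "New data protection guidance",
                     "CEO", "head_of_organisation",
                     ["ceo-approval-email.eml", "tabletop-2024-07.pdf"])
```

Running `validate_entry` over every log entry before each audit, and `due_reasons` on a schedule, gives the evidence trail the control asks for without a dedicated GRC tool.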
Example in a Small or Medium Business
Acme Manufacturing (50 employees) assigns its IT manager as the BCM cybersecurity owner and documents a simple review plan: annual reviews and immediate re-reviews triggered by any new regulation or after a cybersecurity incident. Each year the IT manager runs a 2-hour tabletop exercise focused on production systems, uses a checklist to verify backup and failover processes, and captures recommended changes in a change log. When new national data protection guidance arrives mid-year, the manager triggers an out-of-cycle review, updates the recovery priorities to reflect the new compliance items, and records the rationale for each update. The IT manager prepares a short change summary and emails it to the operations director and CEO for approval; the CEO replies with a signed email approval that is stored with the updated documents. The company keeps the approved versions in a secured shared folder with version numbers and retains the approvals for three years. After approval, the operations team runs the updated recovery steps in a controlled test and updates staff responsibilities in the incident response checklist so everyone knows the revised expectations.
Summary
By combining a documented review policy, a centralised repository for BCM cybersecurity requirements, an evidence-based change log, practical testing, and formal sign-off by the head of the organisation (or deputy), SMBs can meet the control’s requirement for periodic review. These policy and technical measures ensure continuity requirements remain current, auditable, and aligned with regulatory or business changes — reducing recovery time and regulatory risk while providing clear proof of governance.