Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-2-3 – In line with related and applicable laws and regulations, and in addition to the applicable ECC controls from main domains (1), (2), (3) and subdomain (4-1), the cybersecurity requirements related to the use of hosting and cloud computing services must include at least the following:
Understanding the Requirement
This control requires organizations to apply cybersecurity requirements specific to hosting and cloud services, on top of the general controls in main domains (1)–(3) and subdomain (4-1), and in line with applicable laws and regulations. At a high level, its sub-controls (4-2-3-1 and 4-2-3-2) are aimed at legal and regulatory compliance and at enforcing service-level, security and operational safeguards with cloud providers. In practice this means: identify cloud-hosted assets and the data they hold, manage vendor risk, contractually require security controls (encryption, logging, data residency, breach notification), and maintain your own monitoring and recovery capability, all tailored to the legal obligations referenced in the Essential Cybersecurity Controls (ECC – 2 : 2024).
Technical Implementation
- Inventory and classification: Maintain an up-to-date inventory of all hosting and cloud services (IaaS, PaaS, SaaS), recording for each the data types processed, their classification level, where the data is stored (data residency), and which business processes depend on the service. A spreadsheet is sufficient for a small estate; larger estates should use a cloud asset management tool. Review the inventory at least quarterly and whenever a new service is procured.
- Contractual and procurement controls: Update supplier contracts and SLAs to require minimum controls: encryption at rest and in transit, defined data residency, documented subprocessors, right-to-audit clauses or independent attestations (e.g., SOC 2), clear breach notification timelines, and retention/destruction rules that map to legal requirements.
- Identity and access management (IAM): Enforce least privilege and MFA for every account that can reach the cloud console or management API, especially admin and developer accounts. Use a central identity provider (SAML/SCIM federation or cloud IAM roles) rather than local console accounts, give service accounts narrowly scoped permissions, prefer short-lived credentials over long-lived static keys, and rotate any keys that must remain static. Log all privileged access and review it monthly, removing entitlements that were not used.
- Logging, monitoring and alerting: Centralize cloud logs (audit, access, configuration, application) into a SIEM or log store under your control, so that the record survives a compromise of the cloud account itself. Set retention to match compliance needs, configure alerts for privilege changes, data exfiltration indicators (large or unusual exports), and activity in regions you do not use, and test the alerts quarterly.
- Data protection and backup: Encrypt data by default (customer-managed keys where required), grant storage permissions at the narrowest practical scope, and automate backups with offsite or cross-region copies. Cross-region copies must stay within the jurisdictions permitted by your data residency requirements. Test restores regularly (at least annually) and document recovery time and recovery point objectives that are aligned to business needs.
- Vendor risk and incident readiness: Perform initial due diligence (security questionnaire, certifications, penetration test summaries) and reassess annually. Include the cloud provider's roles and contacts in your incident response plan, define escalation paths and a RACI, and run tabletop exercises that rehearse provider communication and data recovery steps.
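The alerting rules in the logging step (privilege changes, exfiltration indicators, unexpected region usage) and the monthly privileged-access review in the IAM step can be expressed as a small detection script over the centralized audit log. The following is an added example written for this page, not code from the ECC document or from any cloud provider. It assumes a generic JSON-lines audit schema (fields "actor", "action", "region", optional "bytes" and "mfa"), hypothetical action names, an approved region set and an export-size threshold; all of these are illustrative and would be replaced by the real provider's field and action names. The sample log lines are constructed, including one deliberately malformed line.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Assumptions for this example: the organisation's approved hosting region(s)
# and a per-event export-size threshold. Both are illustrative values.
ALLOWED_REGIONS = {"me-central-1"}
EXPORT_BYTES_THRESHOLD = 500 * 1024 * 1024  # 500 MiB moved in a single event

# Action names that change who can do what, or that move data out. These are
# hypothetical names in a generic schema, not a specific provider's API.
PRIVILEGE_ACTIONS = {"AttachRolePolicy", "PutUserPolicy", "CreateAccessKey", "AddUserToGroup"}
EXPORT_ACTIONS = {"GetObject", "ExportSnapshot"}

# Constructed sample log: one JSON object per line. The fourth line is
# deliberately malformed to show the parser tolerating a broken forwarder.
SAMPLE_LOG = """\
{"time": "2024-05-01T08:00:00Z", "actor": "alice", "action": "GetObject", "region": "me-central-1", "bytes": 4096}
{"time": "2024-05-01T08:05:00Z", "actor": "bob", "action": "AttachRolePolicy", "region": "me-central-1"}
{"time": "2024-05-01T08:06:00Z", "actor": "svc-analytics", "action": "GetObject", "region": "eu-west-1", "bytes": 1024}
not json at all
{"time": "2024-05-01T09:00:00Z", "actor": "alice", "action": "ExportSnapshot", "region": "me-central-1", "bytes": 2147483648}
{"time": "2024-05-01T09:30:00Z", "actor": "carol", "action": "CreateAccessKey", "region": "us-east-1"}
{"time": "2024-05-01T10:00:00Z", "actor": "dave", "action": "ConsoleLogin", "region": "me-central-1", "mfa": false}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    detail: str


def parse_events(text):
    """Parse JSON-lines audit events; return (events, number_of_bad_lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(ev, dict) or "actor" not in ev or "action" not in ev:
            bad += 1  # count it so a misconfigured log forwarder is noticed
            continue
        events.append(ev)
    return events, bad


def detect(events):
    """Apply the three alert rules from the control text plus a console-MFA check."""
    findings = []
    for ev in events:
        actor, action, region = ev["actor"], ev["action"], ev.get("region", "unknown")
        if action in PRIVILEGE_ACTIONS:
            findings.append(Finding("privilege_change", actor, f"{action} in {region}"))
        if region not in ALLOWED_REGIONS:
            findings.append(Finding("unexpected_region", actor, f"{action} in {region}"))
        if action in EXPORT_ACTIONS and ev.get("bytes", 0) >= EXPORT_BYTES_THRESHOLD:
            findings.append(Finding("large_export", actor, f"{ev['bytes']} bytes via {action}"))
        if action == "ConsoleLogin" and ev.get("mfa") is False:
            findings.append(Finding("login_without_mfa", actor, f"console login from {region}"))
    return findings


def privileged_access_report(events):
    """Count privilege-changing actions per actor, as input to the monthly access review."""
    return Counter(ev["actor"] for ev in events if ev["action"] in PRIVILEGE_ACTIONS)


def run(text=SAMPLE_LOG):
    """Parse, detect and summarise; returns (findings, per-actor report, bad line count)."""
    events, bad = parse_events(text)
    return detect(events), privileged_access_report(events), bad


if __name__ == "__main__":
    findings, report, bad = run()
    print(f"{len(findings)} findings, {bad} unparseable line(s)")
    for f in findings:
        print(f"[{f.rule}] {f.actor}: {f.detail}")
    print("privilege changes by actor:", dict(report))
```

Running it on the constructed log yields six findings (two privilege changes, two out-of-region actions, one large export, one console login without MFA) and one unparseable line. The point of counting bad lines rather than silently skipping them is that a forwarder or schema change that breaks parsing would otherwise blind every rule at once; in production that counter should itself raise an alert.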
Example in a Small or Medium Business
A 40-person e-commerce SMB migrates its website and order database to a managed cloud provider. The IT owner creates a cloud inventory listing the web app (SaaS), the database (managed DB service), and a third-party analytics tool, with the data each one holds and its classification. They update procurement templates so that new cloud contracts require encryption, data residency in their country, a 72-hour breach notification clause, and an independent audit report. The team enforces single sign-on with MFA for cloud console access and limits admin privileges to two named employees. Audit logs are forwarded to a central log store under the SMB's control, retained for one year, with alerts configured for suspicious data exports and privilege changes. Backups run daily with cross-region copies that stay within the country, and restores are tested quarterly. Finally, the SMB documents these controls in a short cloud security policy and runs a tabletop incident scenario with the provider to confirm notification and recovery timelines, demonstrating compliance with local data protection rules and the ECC control objectives.
Summary
Meeting Control 4-2-3 combines policy, contractual, and technical measures: maintain an inventory and classification, enforce contractual security requirements with providers, apply IAM, centralize logs and monitoring, protect data through encryption and backups, and run vendor risk assessments and incident exercises. Together these actions ensure cloud-hosted systems meet legal obligations, operational resilience, and the specific objectives outlined in the Essential Cybersecurity Controls (ECC – 2 : 2024), while keeping the approach practical and affordable for SMBs.