
Practical Checklist for Reviewing Cybersecurity Strategy at Planned Intervals: Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-1-3

A concise, actionable checklist to run recurring reviews of your cybersecurity strategy to meet Compliance Framework ECC–2:2024 Control 1-1-3 requirements and reduce business risk.

April 11, 2026


Control 1-1-3 of the Essential Cybersecurity Controls (ECC-2:2024) requires organisations to review their cybersecurity strategy at planned intervals, a practice within the Compliance Framework, to ensure that controls, priorities and investments remain aligned with evolving threats, business objectives and compliance obligations.

Why scheduled strategic reviews are required

Planned interval reviews turn a static cybersecurity plan into a living program. The Compliance Framework expects documented, repeatable processes that show decisions are based on current threat, technology and business context. For auditors and stakeholders, evidence of scheduled reviews (calendar invites, agendas, attendee lists, minutes, and action logs) demonstrates ongoing governance rather than one-off compliance exercises.

Practical checklist to prepare the review (Implementation Notes)

1) Define the cadence and triggers: set a baseline cadence (quarterly recommended for small businesses with internet-facing services, at minimum annual for low-risk operations) and specify event-driven triggers (major incident, merger, regulatory change, significant tech rollout).

2) Assign owners: designate an executive sponsor (CISO/CTO or delegated security lead), a review convener, and owners for each section of the strategy (risk, operations, incident response, third-party, training).

3) Publish a pre-read packet 7 days prior: current strategy document, risk register snapshot, recent vulnerability scan and pen-test summaries, SIEM/EDR incident trends, patch compliance rates, and budget vs spend for security projects.

What to review — practical technical and governance checks

During the review, evaluate specific technical controls and measurable KPIs: patching cadence (critical patches deployed within 7 days, high within 30), MFA coverage percentage for remote/privileged accounts (goal 100%), endpoint detection coverage (EDR deployed to X% of endpoints), firewall rule changes and orphaned rules, network segmentation status, backup frequency and restore-test results, and log retention/collection (e.g., 90 days hot logs, 365 days cold). Include results from vulnerability scans (monthly), authenticated scans, and last penetration test date and remediation status. Confirm supplier security assessments for key vendors and any pending critical third-party risks.

Deliverables, evidence and implementation notes specific to the Compliance Framework

Documented outputs are essential for compliance: meeting minutes with decisions and action owners, updated strategy version with change log, revised risk register entries with assessed impact and likelihood, approved budget reallocation if required, and an updated roadmap with deliverables and deadlines. Store artifacts in your GRC tool or secure document repository (Confluence/SharePoint + GRC tags) and link to evidence for auditors. Implementation Notes: map each finding to a control in the Compliance Framework, cite the ECC–2:2024 clause, and capture remediation timelines and acceptance criteria.

Small-business scenario: an applied example

Example: a 30-person e-commerce startup runs a cloud-hosted shop, POS integration, and a small dev team. Recommended cadence: quarterly strategic reviews and an immediate review after any cardholder data incident or major platform upgrade. Pre-reads for the startup: last 3 months of IDS/SIEM alerts (Simple CloudWatch + third-party log aggregator), results of the monthly authenticated Nessus scan, MFA rollout status for admin accounts, and a one-page business-impact update. Actionable outcomes could include accelerating a critical patch roll-out, adding MFA to the payments admin console, or approving funds for an annual penetration test to support PCI compliance.

Compliance tips, best practices and the risk of non-implementation

Best practices: keep reviews concise and evidence-driven; use dashboards for KPIs (patch rate, mean time to detect/contain, vulnerability backlog), assign clear owners and SLAs for remediation, and include tabletop exercises or incident replay at least biannually. Use automation to produce evidence (vulnerability scanner reports, EDR coverage reports, MFA enablement logs). The risk of not implementing planned reviews includes stale strategies that miss new threats, misallocated security budgets, extended exposure windows, regulatory fines, failed audits, and increased probability of breaches or ransomware — all of which can be catastrophic for a small business with limited recovery capacity.
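The KPI thresholds listed under "What to review" (critical patches within 7 days, high within 30, 100% MFA on privileged/remote accounts, 90 days hot and 365 days cold log retention) and the "use automation to produce evidence" advice above can be combined into a small script that scores a review cycle's data against those thresholds. The following is an added example, not code from the original post; the hosts, accounts and dates are constructed sample inputs, and the dict layout is an assumption about how an inventory export might look.

```python
from datetime import date

# Thresholds taken from the review checklist: critical patches within 7 days,
# high within 30, MFA on 100% of privileged/remote accounts, 90d hot / 365d cold logs.
PATCH_SLA_DAYS = {"critical": 7, "high": 30}
LOG_MIN_DAYS = {"hot": 90, "cold": 365}

def patch_sla_kpi(findings, as_of):
    """findings: dicts with host, severity, found (date), fixed (date or None).
    Returns % of critical/high findings closed within SLA plus open ones already past SLA."""
    scope = [f for f in findings if f["severity"] in PATCH_SLA_DAYS]
    met, overdue = 0, []
    for f in scope:
        sla = PATCH_SLA_DAYS[f["severity"]]
        if f["fixed"] is not None:
            met += (f["fixed"] - f["found"]).days <= sla   # closed: count it if within SLA
        elif (as_of - f["found"]).days > sla:
            overdue.append(f["host"])                      # still open and past its SLA
    pct = round(100.0 * met / len(scope), 1) if scope else 100.0
    return {"pct_within_sla": pct, "overdue_open": overdue, "pass": pct == 100.0 and not overdue}

def mfa_coverage_kpi(accounts):
    """accounts: dicts with name, in_scope (privileged or remote), mfa (bool)."""
    scope = [a for a in accounts if a["in_scope"]]
    missing = [a["name"] for a in scope if not a["mfa"]]
    pct = round(100.0 * (len(scope) - len(missing)) / len(scope), 1) if scope else 100.0
    return {"pct": pct, "missing": missing, "pass": not missing}

def log_retention_kpi(retention_days):
    """retention_days: configured days per tier; reports tiers below the checklist minimum."""
    gaps = {t: retention_days.get(t, 0) for t, need in LOG_MIN_DAYS.items()
            if retention_days.get(t, 0) < need}
    return {"gaps": gaps, "pass": not gaps}

# Constructed sample inputs for one review cycle (hypothetical hosts and accounts).
SAMPLE_FINDINGS = [
    {"host": "web-01", "severity": "critical", "found": date(2026, 3, 1), "fixed": date(2026, 3, 5)},   # 4 days, met
    {"host": "web-02", "severity": "critical", "found": date(2026, 3, 10), "fixed": date(2026, 3, 20)}, # 10 days, missed
    {"host": "db-01", "severity": "high", "found": date(2026, 3, 20), "fixed": None},                   # open 21 days, not yet due
    {"host": "pos-01", "severity": "high", "found": date(2026, 2, 1), "fixed": None},                   # open 68 days, overdue
    {"host": "dev-03", "severity": "medium", "found": date(2026, 3, 1), "fixed": None},                 # outside the SLA KPI
]
SAMPLE_ACCOUNTS = [{"name": "admin-shop", "in_scope": True, "mfa": True},
                   {"name": "admin-pay", "in_scope": True, "mfa": False}, {"name": "dev-alice", "in_scope": False, "mfa": False}]
SAMPLE_RETENTION = {"hot": 90, "cold": 180}

def review_packet(as_of=date(2026, 4, 10)):
    # Bundle the KPIs as the evidence section of a pre-read packet for the review meeting.
    return {"patching": patch_sla_kpi(SAMPLE_FINDINGS, as_of),
            "mfa": mfa_coverage_kpi(SAMPLE_ACCOUNTS),
            "logs": log_retention_kpi(SAMPLE_RETENTION)}
```

Each KPI returns a pass flag plus the specific hosts, accounts or log tiers that fail, which is the detail an action log needs; point the three functions at exports from your scanner, identity provider and log platform to replace the constructed data.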

In summary, Control 1-1-3 of ECC–2:2024 under the Compliance Framework expects organisations to institutionalise timely, evidence-backed reviews of their cybersecurity strategy. Implement a predictable cadence with clear owners, pre-read evidence, measurable KPIs, and a documented follow-up process so the strategy evolves with the threat landscape and business needs — and so your small business can demonstrate continuous compliance and reduce cyber risk.
