NCA Essential Cybersecurity Controls (ECC):

o   ECC refers to regulatory practices and frameworks mandated by national or global regulators (NCA). These guidelines outline the necessary measures and countermeasures that organizations need to adopt. Their purpose is to identify, prevent, and mitigate security risks while effectively managing threats to information and technology assets.

o   Relevant for:

§  All public sector entities: ministries, national authorities, institutions, agencies, and affiliated companies that operate under their purview.

§  Private sector organizations that work in tandem with public entities.

§  Companies and institutions that operate as vendors or host the infrastructure of government agencies.

§  Non-mandated organizations and companies can also benefit from the implementation of these controls.

o   Purpose:

§  ECC-1:2018 emphasizes safeguarding the fundamental goals of information protection, namely confidentiality, integrity, and availability. It is built on industry best practices, standards, and a combination of local and international regulatory frameworks. The controls within ECC-1:2018 specifically address essential cybersecurity aspects: strategy, personnel, processes, and technology.

o   Salient features:

§  The implementation of ECC-1:2018 controls offers numerous advantages to organizations, extending beyond being mandatory for certain entities. These benefits include:

·        Assisting in the development of a robust cybersecurity strategy within the organization.

·        Ensuring the commitment of top management towards effectively managing and implementing cybersecurity programs.

·        Creating, implementing, and periodically reviewing cybersecurity policies and procedures.

·        Defining and documenting the organizational structure, as well as the roles and responsibilities pertaining to cybersecurity.

·        Meeting national legislative and regulatory requirements pertaining to cybersecurity.

·        Addressing cybersecurity risks associated with human resources.

·        Safeguarding the organization's information and technology assets against internal and external cyber threats.

·        Timely detection and effective resolution of technical vulnerabilities.

·        Appropriately and effectively addressing cyber risks and implementing cybersecurity requirements for cloud computing and hosting.

o   Timelines:

§  The timeline for implementing ECC depends on various factors such as the organization's size, industry, employee count, existing policy framework, and the complexity of its ICT infrastructure. While some organizations may complete the ECC rollout in a matter of weeks, others might require months or even years. If your organization is considering the implementation of Essential Cybersecurity Controls, we recommend reaching out to us to schedule a comprehensive gap analysis audit. This will provide a more accurate assessment of the required lead time and associated costs, tailored to your organization's specific circumstances.
