The NCA Essential Cybersecurity Controls establish baseline cybersecurity expectations for organizations in scope.
What the controls are trying to do
The ECC framework helps organizations build a minimum cybersecurity posture across governance, defense, resilience, third-party services, cloud, and supporting technology. It is a control framework, so the useful implementation question is whether the organization can prove controls are operating.
What teams need to do
- Confirm entity scope and current ECC version.
- Map assets, systems, data, providers, and owners.
- Implement governance, identity, access, vulnerability, configuration, monitoring, incident, and recovery controls.
- Review third-party and cloud providers where they support controlled systems.
Evidence to maintain
- ECC applicability and control mapping.
- Asset, system, and provider inventory.
- Access, vulnerability, configuration, logging, incident, and recovery evidence.
- Third-party and cloud evidence, issues, and remediation.
Common gaps
- Control evidence is not tied to the NCA control language.
- Providers are not mapped to controlled assets.
- Exceptions lack remediation owners.
How Halbarad helps
Halbarad helps teams connect providers, systems, controls, evidence, incidents, issues, subcontractors, and monitoring signals.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.