Minimum documentation requirements for NCA ECC Compliance

Published on : 08 Sep 2021

Documentation and evidence requirements for NCA ECC Compliance

The National Cybersecurity Authority (NCA) published the Essential Cybersecurity Controls framework to help government organizations protect their systems, networks, and data against cyber threats. The regulations and guidelines mandate a common approach to information security across public sector organizations, third parties involved, and private companies responsible for critical national infrastructure to help maintain a high level of security confidentiality across the industry.

The regulation requires the organizations to not implement security measures as per the guidelines but also maintain documentation and evidence of implementing the security safeguards. Let us take a look at some of the documents and evidence requirements for NCA ECC Compliance. The below-given list can work as a checklist for your organizations to consider when complying with NCA ECC Compliance. 

Documentation and Evidence Checklist for NCA ECC Compliance

ECC SubdomainCybersecurity Governance
1Cybersecurity Strategy Planned

2Cybersecurity Roadmap Outlined
3Cybersecurity Governance Framework

4Cybersecurity Policies, Procedures & Processes
5List of Technical security safeguards implemented
6Cybersecurity Roles and Responsibilities
7Cybersecurity Risk Management Methodology
8Cybersecurity Requirements in Change Management
9Cybersecurity Requirements in Application Development
10List of Applicable Cybersecurity Laws, Regulations, and Industry standards
11Compliance Management Framework, Process and Procedures

12Cybersecurity Compliance Assessment, Tracking and Reporting Tool
13Cybersecurity Independent Audit and Review Reports

14Cybersecurity Training and Awareness Framework Document
15Cybersecurity Awareness & Training Plan and Materials
16Cybersecurity Requirements in Human Resources Process Document

 Cybersecurity Defense

1Cybersecurity Asset Management Policy, Procedures, and Process
2Information Classification Policy
3Cybersecurity Identity and Access Management Policy, Procedure & Processes
4Information Handling and Protection Standard
5Email Security Policy and Procedures
6Network Security Policy and Procedures
7Mobile Device Security Policy and Procedures
8Web Application Security Policy, Procedures, and Processes
9Backup and Recovery Policy and Procedures
10Cryptography Policy
11Vulnerability Management and Penetration Testing Policy, Process, Procedure, and Reports
12Cybersecurity Incident and Threat Management Policy, Process, and Procedure
13Security Monitoring Policy
 Cybersecurity Resilience
1Business Continuity Management Policy, Procedure, and Processes
Third-Party and Cloud Computing Cybersecurity

1Cybersecurity Requirements & Implementation in Third-Party Management
2Cybersecurity Third Party Management Contracts & Agreements
3Cybersecurity Requirements in Cloud Computing for the Third Party
4Cloud Computing Security Assessment Report
Industrial Control Systems Cybersecurity
1Industrial Control Systems and Operational Technology Security Policy, Procedures, and Processes
2Industrial Control Systems and Operational Technology Security Assessment Reports


Having the listed documents in place is essential for organizations to prove that security threats have been addressed and that appropriate security measures have been implemented to mitigate any risks or cyber threats.  Further, these documents work as evidence for organizations to provide to auditors for the Compliance Audit. These documents listed here can work as a compliance checklist that can also help organizations put in place the technologies, processes, and people appropriate for achieving, and sustaining compliance while also managing risk.

But, having this list is just about half the work done since organizations will need effective appropriate identification of applicable documentation, identification of the right templates and appropriate expertise to ensure that ground realities and organizational expectations are reflected in the documentation set. Organizations looking for assistance in NCA ECC Compliance and documentation, VISTA InfoSec can be your true partner and guide for achieving your compliance goals. We have been in the Cybersecurity Industry for 16+ years and have the experience, expertise, and knowledge to help organizations like you in your efforts of compliance. For more details about us, or the regulation or the NCA ECC services that we offer, you can visit our website  or drop us a mail at [email protected] 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.