NCA Essential Cybersecurity Controls (ECC)

The National Cybersecurity Authority “NCA” has developed the Essential Cybersecurity Controls (ECC – 1: 2018) to set the minimum cybersecurity requirements based on best practices and standards to minimize the cybersecurity risks to the information and technical assets of organizations that originate from internal and external threats. The Essential Cybersecurity Controls consist of 114 main controls, divided into five main domains:

• Cybersecurity Governance

• Cybersecurity Defense

• Cybersecurity Resilience

• Third-party and Cloud Computing Cybersecurity

• Industrial Control Systems Cybersecurity

1-1. Cybersecurity Strategy
1-2. Cybersecurity Management
1-3. Cybersecurity Policies and Procedures
1-4. Cybersecurity Roles and Responsibilities
1-5. Cybersecurity Risk Management
1-6. Cybersecurity in Information and Technology Project Management
1-7. Compliance with Cybersecurity Standards, Laws and Regulations
1-8. Periodical Cybersecurity Review and Audit
1-9. Cybersecurity in Human Resources
1-10. Cybersecurity Awareness and Training Program
2-1. Asset Management
2-2. Identity and Access Management
2-3. Information System and Information Processing Facilities Protection
2-4. Email Protection
2-5. Networks Security Management
2-6. Mobile Devices Security
2-7. Data and Information Protection
2-8. Cryptography
2-9. Backup and Recovery Management
2-10. Vulnerabilities Management
2-11. Penetration Testing
2-12. Cybersecurity Event Logs and Monitoring Management
2-13. Cybersecurity Incident and Threat Management
2-14. Physical Security
2-15. Web Application Security
3-1. Cybersecurity Resilience Aspects of Business Continuity Management (BCM)
4-1. Third-Party Cybersecurity
4-2. Cloud Computing and Hosting Cybersecurity
5-1. Industrial Control Systems (ICS) Protection