Management Reviews provide governance oversight for your ECC compliance programme. The NCA expects organisations to demonstrate that senior leadership is actively involved in cybersecurity governance, not just the technical team.
Why Management Reviews Matter
ECC Domain 1 (Cybersecurity Governance) specifically requires management commitment and oversight. Documented management reviews serve as evidence that leadership:
- Understands the organisation's cybersecurity posture
- Reviews compliance progress and risk exposure
- Approves resource allocation for remediation
- Makes informed decisions about risk acceptance
Creating a Management Review
Click "New Management Review". Set the review date, add attendees, and select the topics to cover. Best practice is to conduct management reviews at least quarterly.
The review form includes predefined sections aligned with ECC governance requirements: compliance status, gap assessment results, audit findings, incident summary, risk register updates, and resource needs.
Record all decisions made during the review, including risk acceptance decisions, budget approvals, and policy change directives. Each decision can be assigned an action owner and follow-up date.
Add action items arising from the review. Each action item has an owner, priority, and due date. These items appear on the dashboard and generate reminders as due dates approach.
Review Content
| Section | What to Cover |
|---|---|
| Compliance Status | Current ECC compliance score, changes since last review, domain-level trends |
| Gap Assessment | Latest gap assessment results, priority remediation items, progress on open gaps |
| Audit Findings | Open audit findings, corrective action progress, overdue items |
| Incidents | Cybersecurity incidents since last review, lessons learned, NCA notifications |
| Risk Register | Top risks, changes in risk ratings, new risks identified |
| Resources | Budget utilisation, staffing, tooling, and training needs |