How We Held an NCA ECC Compliance Program Together Through a Live Audit and a Leadership Exit
Low starting maturity, a leadership vacuum halfway through, and a regulator's audit running in parallel: delivery never stalled, the governance foundation landed, and the NCA evaluation ended better than it began.
Agency and system names anonymized for security. Full briefing available under mutual NDA.
8 min read
- Client
- Private regulatory labs and compliance services organization (anonymized)
- Domain
- Cybersecurity governance and regulatory compliance
- Engagement
- NCA Essential Cybersecurity Controls (ECC) compliance transformation
The situation
The client operates in regulatory labs and compliance services, where alignment with the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) is a hard requirement. When the engagement began, the organization had clear intent but a low baseline, with limited visibility into its own compliance status across the ECC's control domains.
Midway through the program, the executive who owned the project and made its decisions left the organization. A vacuum in accountability opened at exactly the moment the program needed decisions, slowing internal alignment and decision flow. In the same engagement window, the organization entered a live NCA audit cycle.
Compliance programs rarely fail on technical grounds. They fail when nobody owns them.
The challenge
The engagement had to hold together against structural gaps and organizational instability at the same time:
- Fragmented governance structures, with incomplete or missing policies and documentation across key control areas.
- No structured view of compliance status across ECC domains, and no prioritization framework for security investment.
- Weak alignment between technical controls and the governance requirements they were supposed to satisfy.
- A program that depended on a single executive owner, then lost that owner midway.
- A concurrent, active NCA audit that raised the stakes on every gap.
Left unaddressed, this combination risked audit non-compliance, delayed regulatory alignment, and continued fragmentation of cybersecurity governance. And the stakes ran higher than paperwork: for an organization whose own business is regulatory compliance services, an adverse finding from its regulator undermines the credibility its work depends on.
The approach
ExeQut ran the transformation in seven phases: gap assessment, compliance roadmap, governance and documentation build-out, stabilization after the leadership change, control implementation guidance, audit support, and a closing maturity assessment. When internal ownership broke midway, the operating model was rebuilt in flight to keep delivery moving. ExeQut led the governance work and carried the audit-facing effort; the client's teams implemented controls, working from ExeQut's prioritized guidance.
Baseline honestly, then sequence by risk
A full NCA ECC gap analysis across governance, technical, and operational domains established the real starting point: the organization's existing controls fully mapped against the ECC domains, and a compliance tracking and reporting structure defined for audit readiness. From that baseline the team built a roadmap sequenced by risk and regulatory impact, matched to what the organization could actually absorb, then developed the policies, procedures, and governance frameworks needed to close the most critical gaps, aligned with the ECC's cybersecurity policy hierarchy requirements.
Become the continuity layer
When the program's owner departed, ExeQut expanded its role from advisor to continuity driver. Weekly alignment sessions continued with the stakeholders who remained, cross-functional workshops rebuilt alignment between the IT and compliance teams, and an executive reporting line kept structured options and risks in front of the client's remaining leadership, who made the decisions. Authority over the program, including risk acceptance, stayed with the client throughout; what ExeQut supplied was the cadence, so that no single departure could stall delivery.
The program's owner left in the middle of a live regulator audit. The program stayed on track.
Treat the audit as a workstream, not an event
Audit readiness ran in parallel with delivery rather than as a final phase. Audit-critical controls were prioritized to bring the highest-exposure gaps into immediate regulatory alignment, and ExeQut prepared evidence, clarified control mappings, and delivered executive-level presentations during the active NCA audit cycle. ExeQut absorbed that work deliberately, to reduce the execution burden on a client team working through a leadership vacuum.
Leave a map, not just documents
The engagement closed with a maturity assessment that measured how far the organization had moved, and strategic recommendations that turned the remaining gaps into a prioritized investment plan for the client's leadership. The continuity role was a bridge, not a dependency: by close, the program's ownership and cadence sat back inside the client's own governance structures, not with ExeQut.
The outcome
The organization moved from a low-maturity compliance posture to a structured, auditable cybersecurity governance model:
- Compliance maturity higher across key ECC domains at the closing assessment, with the remaining distance to target sequenced into the investment roadmap rather than left as a finding.
- A structured governance framework and policy suite covering governance, risk, and operational security controls where fragments existed before: the evidence base every future audit starts from.
- A live NCA audit supported through its full cycle, with the organization exiting the evaluation stronger than it entered.
- Clear accountability for cybersecurity responsibilities, written into the governance framework and its reporting structure rather than resting on any one individual, and therefore resilient to the next leadership change.
- A prioritized roadmap that lets leadership fund compliance work by risk, not by guesswork.
In our experience, organizational instability of this kind routinely derails compliance delivery timelines. Here, internal decision flow slowed when the owner left, and delivery stayed on track because the program's cadence had moved into ExeQut-run governance sessions. The structure left behind converts future compliance spending from reactive scramble into planned investment.
Designed for the future
Each artifact left behind carries a next step: the compliance tracking structure supports continuous ECC monitoring, the governance framework gives enterprise risk management integration a place to attach, the control implementation guidance anticipates SOC and operational security buildout, and the policy suite is the base an ISO 27001 alignment program would start from, when the organization is ready.
What we took from it
- Governance maturity is often the primary bottleneck. In low-maturity environments, documentation and governance structures are what make every subsequent control stick.
- Plan for ownership loss, then hold the cadence yourself. When a program depends on one executive, the advisory role must be ready to expand into continuity assurance, and to carry the program's rhythm until the client can take it back.
- Run audit readiness in parallel. Treating the audit as a final phase leaves no room to fix what it finds; treating it as a workstream turns it into feedback.
- Sequence by organizational readiness. A roadmap the client cannot absorb is a shelf document; adapting the sequencing kept delivery real.
Want the unredacted briefing?
Agency, systems, architecture, vendors, and outcomes. We walk you through the full engagement under mutual NDA.
Request a private briefing →