Cyber security audit
The aim of the cyber security audit is to determine how effectively the security measures required by Act No. 69/2018 have been implemented in the information systems of a basic service operator.
Act No. 69/2018 on cyber security obliges basic service operators to verify the effectiveness of the security measures they have taken by carrying out an audit:
- 1. within two years from the date of the basic service operator's inclusion in the register of basic service operators;
- 2. thereafter at regular intervals of two years; or
- 3. in the case of any significant change, no later than two months after the change has had a significant effect on the implemented security measures.
An audit is defined as a systematic process of objectively obtaining and evaluating relevant evidence to determine the degree of consistency between the information obtained and the established criteria. The audit has a specified scope and duration (as defined in Decree No. 436/2019) and is performed through interviews, questionnaires, examination of records, sampling, observation of performance and work procedures, data analysis, and similar methods.
The audit is primarily focused on:
- identification and categorization of the operator's assets and information systems
- assessment of threats, vulnerabilities and potential impacts
- procedures and management system for information systems and cyber security
- human resources management, personnel security
- access and identity management
- third party service delivery management, supplier service management
- monitoring and testing of cyber security-related procedures
- continuity management of processes related to cyber security, emergency recovery planning
- the process of dealing with cyber security incidents
The output of the audit is the audit conclusion statement and an audit recommendation that contains the auditor's proposals for mitigating risk and eliminating any non-compliance, a justification of the findings, and a recommendation of appropriate risk minimization measures. For each criterion the auditor declares compliance (the criterion is met; the auditor identified no risk or opportunity for improvement), partial compliance (the criterion is met in part; the auditor identified an opportunity for improvement) or non-compliance (the criterion is not met; the auditor identified a risk for which adequate measures have not been implemented).
The basic service operator shall submit the final report of the audit results, together with the remedial actions, to the National Security Office.