The cyber security audit verifies the fulfillment of obligations under the law and assesses whether the adopted security measures comply with the requirements of the law and of the related special regulations on the security of the networks and information systems of the operator of essential services, in order to ensure the required level of cyber security and prevent cyber security incidents. The audit identifies deficiencies in the way the operator of essential services ensures cyber security, so that measures can be taken to eliminate and correct them and to prevent cyber security incidents.
The audit is carried out by a conformity assessment body that is accredited as a body competent to evaluate conformity in the cybersecurity area according to ISO/IEC 17024.
The operator of essential services is obliged to verify the effectiveness of the implemented security measures and the fulfilment of the requirements by carrying out a cybersecurity audit within 2 years from the day of being entered in the register of operators of essential services. The costs of the audit shall be borne by the operator of essential services. The audit shall be carried out to the extent set out in the generally binding regulation issued by the Authority, with regard to the classification of information and the category of networks and information systems, after every change with a significant impact on the implemented security measures and at a certain time interval.
The operator of essential services is obliged to submit to the Authority a final report on the results of the audit, together with the measures to remedy the identified deficiencies and the deadlines for their elimination, within 30 days from the completion of the audit.
The Authority may carry out an audit of the operator of essential services at any time, or it may request a conformity assessment body to carry out the audit, with the aim of confirming the effectiveness of the implemented security measures and the fulfilment of the requirements under the Act on cybersecurity. The costs of such an audit shall be borne by the Authority.