Cybersecurity Audit for CII

Frequently Asked Questions

How often must the Critical Information Infrastructure owners (CIIOs) carry out the cybersecurity audit?

Under section 15(1)(a) of the Cybersecurity Act 2018, the owner of a Critical Information Infrastructure must, starting from the date of the notice issued under section 7 (Designation of CII), carry out a cybersecurity audit of the compliance of the CII with the Act and the applicable codes of practice and standards of performance.

The cybersecurity audit, in accordance with section 15(1)(a) of the Cybersecurity Act 2018, must be carried out at least once every two years (or at a higher frequency, as the Commissioner of Cybersecurity may direct in any particular case), and must be carried out by an auditor approved or appointed by the Commissioner.

Which approach (compliance or risk-based) should the auditor adopt to conduct the cybersecurity audit of the CII?

The auditor should adopt both the compliance-based and the risk-based approach for the cybersecurity audit of the CII. Under the compliance-based approach, the auditor should carry out compliance testing to ascertain the adequacy and effectiveness of the controls applied in the CII to comply with the Act, subsidiary legislation, applicable written directions, the Code of Practice (CoP) and the Standard of Performance (SoP). Under the risk-based approach, the auditor should identify the risks and threats that the CII faces and ascertain whether the controls put in place are appropriate to mitigate those known risks and threats.
Will Critical Information Infrastructure owners (CIIOs) be given a grace period to comply with the Operational Technology (OT) Systems Requirements in the Cybersecurity Code of Practice (CCoP) addendum?

CIIOs are given a grace period of six months from the issuance date of the CCoP addendum to comply with the new OT clauses under the addendum. Compliance with the new OT clauses is effective from 19 June 2020.
What is the process for seeking approval from the Commissioner to appoint an auditor to conduct an audit of the Critical Information Infrastructure?

Critical Information Infrastructure owners (CIIOs) are required to submit the following online application forms for the purpose of obtaining the Commissioner’s approval for the proposed appointment of auditors:

a. Form A1: Application Form for Appointment of Auditor (to be completed by the owner of the CII); and

b. Form A2: Application Form for Appointment of Auditor (to be completed by the external audit firm/team/auditor).

Links to Forms A1 and A2 have been shared with CIIOs. For CIIOs that do not have access to the forms, please contact Regulations@csa.gov.sg.

Where a waiver of the Code of Practice (“CoP”) is granted to a CII, will the waived CoP clause(s) be subject to the cybersecurity audit?

Where a waiver is granted, the waived CoP clause(s) remain subject to the cybersecurity audit. The auditor should: (i) understand the purpose of the waiver request and the conditions attached to the waiver; and (ii) validate the effectiveness of the compensating controls (where applicable).