Information security systems at critical infrastructure facilities to be audited every two years – State Service of Special Communications
For facilities of the third criticality category – once every three years; the auditor may be an individual or legal entity with a relevant certificate
The Cabinet of Ministers of Ukraine has approved the Procedure for conducting an independent audit of information security systems at critical infrastructure facilities.
This was reported by the press service of the State Special Communications Service.
For critical infrastructure facilities of the first and second criticality categories, it is mandatory to conduct an information security audit every two years; for facilities of the third criticality category – every three years. However, in the event of a crisis at a critical infrastructure facility, the audit is conducted immediately.
Such an audit can be carried out by an individual or legal entity that has the appropriate certificate. The State Service for Special Communications should develop regulations that will determine the qualification requirements for future auditors and the procedure for issuing certificates.
It is noted that critical infrastructure operators will be able to independently select auditors and pre-agree with them on the criteria for assessing information security, the programme, procedures and methods for conducting an independent audit. Based on the results of the audit, the auditor will draw up a report that will be reviewed by the State Service for Special Communications. The materials will then be sent to the NSDC and the government.