Cybersecurity Audit – Why is it worth conducting an audit for compliance with the KSC Act?
A cybersecurity audit is the first step in ensuring the continuity of an organization’s operations. It is especially important for operators of essential services, whose activities are critical to the economy and society of the country. In such cases, the audit should be conducted in accordance with the applicable legal regulations, and one such regulation is the Act on the National Cybersecurity System (KSC Act). Who is affected by this audit? What does a compliance audit with the KSC look like?
We are witnessing a huge digital transformation that undoubtedly makes life and business operations easier. Thanks to modern technologies and systems, we can increase business efficiency and create new business models. This is the good side, but there is also the bad side. With the development of technology, the risk of various attacks, including those by cybercriminals, increases.
Cyberattacks are not only related to blocking internal company systems but also to the loss of critical data and serious financial consequences. This is especially important for key operators who provide critical services for the country, such as energy or water supply. The legal foundation that outlines the best measures for effective protection against cyberattacks is the Act on the National Cybersecurity System.
What is a cybersecurity audit?
Let’s start with what an audit is. A cybersecurity audit examines and evaluates the implemented technical and organizational safeguards to ensure an optimal level of security. Through this, you not only gain an assessment of existing protections but also comprehensive support regarding how to mitigate various threats.
Remember: Every audit, including a cybersecurity audit, should end with a detailed report and a discussion of its findings. The report should include guidelines and recommendations, along with proposed actions to facilitate the implementation of cybersecurity changes.
What is the National Cybersecurity System?
The Act on the National Cybersecurity System (KSC) was signed by the President of the Republic of Poland on August 1, 2018. It was the first law that comprehensively defined the legal and organizational framework for the national cybersecurity system. Importantly, the law was necessary because it transposed the Directive of the European Parliament and of the Council (EU) concerning measures for a high common level of security of network and information systems across the Union, known as the NIS Directive (Network and Information Systems Directive). It is the first legal act of its kind in Poland.
In short: The Act on the National Cybersecurity System aims to ensure the security of businesses and organizations when using modern technologies while maintaining confidentiality.
What is the National Cybersecurity System? The KSC is intended to ensure digital security at the national level, primarily the uninterrupted provision of essential and digital services. To achieve this, the information systems used to provide these services must reach an optimal level of security, and incidents must be handled properly. Regarding essential services, the KSC defines operators of essential services as companies or institutions that provide services of critical importance for maintaining essential social or economic activities. Who exactly is affected by the KSC Act is described in the next section.
Who is affected by the KSC?
As mentioned, the KSC Act addresses operators of essential services (OES) – entities that provide services of critical importance for the proper functioning of the state. The condition for classification as an OES is the provision of services through information systems and having an organizational unit located in Poland. Additionally, the Polish legislator has included public administration and the telecommunications sector within the scope of the law. Since September 5, 2022, the list of essential service operators has been maintained by the minister responsible for informatization.
The list of OES includes over 500 entities, including companies from sectors such as:
- energy
- finance
- transport
- healthcare
- digital infrastructure
- drinking water supply and distribution
- as well as digital service providers
What are their obligations? The law defines them quite clearly. For example, entities covered by the law must regularly conduct security audits, gather information about threats and vulnerabilities that could lead to incidents, report incidents, and cooperate with the appropriate CSIRT (Computer Security Incident Response Team), such as CSIRT NASK. In addition, an operator of essential services should continuously assess and manage risk, and implement appropriate technical and organizational measures to ensure continuity of operations and the required level of security.
What does a compliance audit with the KSC look like?
When it comes to operators of essential services, the legislator has not clearly specified which methodology should be used for conducting a cybersecurity audit. This means that a company or organization can choose selected practices and develop the audit framework on its own.
The security audit can be conducted based on:
- the KSC Act – the legal act regulating the principles of digital security in Poland
- ISO 19011 – guidelines for auditing management systems
- ISO 27001 – guidelines for auditing an information security management system
- ISO 22301 – guidelines for auditing a business continuity management system
- COBIT best practices – assessment of the maturity of cybersecurity processes
- ITIL best practices – assessment of information technology service management
In practice, a cybersecurity audit as offered by PBSG proceeds as follows. We have been conducting security audits, including cybersecurity audits, for years. We operate on the assumption that every company or institution is different, with its own specific nature, way of functioning, and structure. Therefore, the first phase is always planning. We define the audit program, which describes the audited area and the procedures that govern the flow of work and documents. We specify the methodology: here, we verify your company’s compliance with the requirements of the KSC Act (together with its implementing regulations) and with the requirements of the ISO 27001 and ISO 22301 standards.
Why is it worth conducting a compliance audit with the KSC?
The KSC Act imposes an obligation to conduct periodic security audits. The first audit should be conducted within 12 months of receiving the administrative decision recognizing the entity as an operator of essential services. Subsequent audits should take place no less frequently than once every 2 years. The audit should be conducted by an authorized auditor (the requirements are specified by the Act).
Failure to conduct an audit results in a financial penalty, but this should not be the only incentive for regular inspections. Regular cybersecurity audits allow the company to keep its finger on the pulse, as it receives a real assessment of its security system and updates the risk register, which changes over time, just as technology evolves.
Thanks to the compliance audit with the KSC:
- You will find out if your organization meets the requirements of the KSC Act.
- You will receive a threat register along with the probability of each threat occurring.
- You will gain an independent opinion and recommendations, which will help eliminate system weaknesses.
- You will update the documentation regarding IT security.
- You will learn about possibilities to counteract risks.
- You will ensure business continuity for your organization.
- You will maintain the image of a partner that cares about the security of its services.
The KSC audit is worth using as a tool for business improvement. It not only allows you to meet the requirements of the law but, most importantly, protects against drastic consequences. Moreover, some cyberattacks, such as theft of data, patents, or trade secrets, happen virtually without trace and go unnoticed. Without a cybersecurity audit, which checks systems for vulnerabilities that could lead to breaches and data leaks, you might not even realize that your company has become the target of an attack.
The security assessment based on the KSC Act is an absolutely crucial element for determining whether the existing processes are effective and optimal, and whether the system and technology are properly implemented. This will allow you to estimate the risks associated with cybersecurity and, most importantly, verify your readiness to meet the requirements and obligations set by the regulations of the National Cybersecurity System Act.
IMPORTANT: On October 5, 2022, a new draft amendment to the National Cybersecurity System Act appeared on the Ministry of Digitalization’s website. By the end of the month, the draft was withdrawn and will be reviewed by the Committee of the Council of Ministers for National Security and Defense Affairs. This is worth noting, as the amendment to the KSC Act is one of the most important regulations for the industry. For preparing this article, we used the currently applicable provisions of the law (as of November 4, 2022).