What do we offer?
If your organization performs public tasks, it is crucial to develop and implement an information security management system. But your responsibility doesn't end there: under the Regulation of the Council of Ministers on the National Interoperability Framework (KRI), you are required to continuously monitor, review, maintain, and improve that system to ensure the confidentiality, availability, and integrity of information. PBSG experts can help you with this!
We will conduct a KRI audit to assess the security of your information and IT systems. We will check whether your information security management system complies with the requirements of the ISO/IEC 27001 standard. The outcome of our work will be a report with recommendations. The conclusions and suggestions we provide will be aligned with the specifics of the domain in which you operate, and we will adapt the solutions to your existing standards and procedures. Thanks to the KRI audit, you will enhance your institution's credibility and ensure the security of the data entrusted to you by your clients.
Leverage our experience and raise the standards of your information security management.
How do we work?
1. Preparation for the audit
We will assign an auditing team that will collaborate with your staff. We will define audit procedures to ensure smooth information and document flow. The KRI audit is tailored to the needs of the specific unit, so you can expect us to use tools that match the nature of your organization. We will also ensure that the entire process runs smoothly and successfully, without disrupting the daily operations of your organization.
2. Conducting the KRI audit
Before starting the work, we will introduce the auditing team and its role, and present the audit objectives and communication model. We will review the current situation and conduct the audit using established methods: analysis of documents such as specifications and instructions, interviews, and checklists. We will analyze, among other things, the methods of ensuring security during information exchange, technical standards, and the communication and encryption protocols in use.
3. Report with recommendations
You will receive a report with recommendations from us. We want your employees to gain the required knowledge in the field of information security and practical solutions, so we will ensure the report is clear, concise, and written in an accessible language. We prioritize communication and partnership, so we will answer all questions and clarify any ambiguities.
4. Post-audit actions
We want to be your partner, one you can rely on for expertise and support at every stage of cooperation. Our KRI audits are thorough, detailed, and robust, and you can count on our continued assistance, for example, in implementing an information security system or applying corrective actions outlined in the report. We care about your satisfaction and the security of your organization’s operations, which is why our auditors and coordinators are at your disposal.
What else do we offer?
We will help implement a full Information Security Management System in your organization or its individual components. Check out our offer for other services related to Information Security Management Systems.
- Comprehensive implementation of ISMS
- Information Security Audit
- Information Security Risk Analysis
- ISO 27001 Compliance Audit
- ISO 27001 Implementation
- ISMS Documentation
- ISO 27001 Certification
- Compliance Audit with Recommendation D
- Information Security Training
- TISAX Implementation
Why us?
Knowledge and experience
Individual approach
Convenient conditions
Business-oriented approach
Key questions about the KRI audit
What is a KRI audit?
KRI stands for the National Interoperability Framework. The requirements for information security management are outlined in the Regulation of the Council of Ministers dated April 12, 2012, on the National Interoperability Framework, minimum requirements for public registers, electronic information exchange, and minimum requirements for telecommunication and IT systems.
According to the regulation, an entity performing public tasks is required to develop, establish, implement, operate, monitor, review, maintain, and improve an Information Security Management System (ISMS) that ensures the confidentiality, availability, and integrity of information, taking into account attributes such as authenticity, accountability, non-repudiation, and reliability.
At the same time, the regulation mandates a series of measures to ensure an adequate level of information security. A KRI audit is essentially an analysis that verifies whether the requirements of the regulation have been met.
How much does a KRI audit cost?
The cost of a KRI audit depends on several factors, such as the size of the organization, the nature of its activities, the market environment, regulations, and the complexity of its processes. The number of locations and the expected project timeline are also important, as these affect the cost structure and final price. Each audit is priced individually based on the scope of needs and the preferred schedule.
How long does a KRI audit take?
A KRI audit typically takes up to several months and depends on the size of the organization and the specifics of the project. The schedule is tailored to the individual needs of your organization.
What is the scope of activities in a KRI audit?
Organizational Audit:
- Regulations in the area of information security management.
- Responsibility for information security and coordination of tasks related to information security management.
- Documentation regarding personal data protection and other informational assets.
- Cooperation and rules for information exchange with third parties.
- Inventory of assets, assignment of assets to owners, and approval for asset usage.
- Information classification.
- Management of information security incidents.
- Handling employees leaving the organization (asset return, revocation of access rights).
- Handling employees changing positions within the organization.
- Business continuity management.
Physical and Environmental Audit:
- Verification of the secure area boundaries.
- Checking entry/exit security.
- Verification of room and device security systems.
- Checking the security of structured cabling.
- Verification of cooling systems.
- Checking alarm systems.
IT Audit:
- Verification of existing procedures for managing IT systems.
- Checking protection against malicious software.
- Verification of backup management procedures.
- Checking procedures for error registration.
- Verification of access procedures to operating systems, including protection against unauthorized software installations.
- Checking security for workstations and data storage devices, particularly those processing personal data.
- Verification of passwords (usage, creation policies, change procedures, and storage mechanisms).
- Analysis and assessment of update management mechanisms.
When and how to conduct a KRI audit?
A KRI audit is an independent review that analyzes, among other things, documentation, specifications, instructions, and other documents in use within the organization. Additionally, methods such as interviews and checklists are used. The obligation to conduct an internal audit is set out in the Regulation of the Council of Ministers dated April 12, 2012, on the National Interoperability Framework (KRI). According to this regulation, entities performing public tasks are required to conduct an internal information security audit at least once a year. It is worth planning the audit early, especially since the time needed to implement any necessary changes ranges from 1 to 3 months, depending on the maturity of the organization and the size of the entity.
Who can conduct a KRI audit?
You can conduct the audit yourself, provided you meet the requirements set out in the regulation and the ISO/IEC 27001 standard. However, this task is best entrusted to independent experts, since an external team is not assessing its own work and can therefore carry out the audit more objectively.
What does the KRI documentation include?
As part of the KRI audit service, you will receive a report with recommendations for changes and potential improvements. At PBSG, we focus on transparency and providing concrete information, so you will receive a document outlining practical solutions and recommendations. Additionally, you can take advantage of our service for developing and implementing an information security management system documentation in compliance with the KRI regulation. This is especially important because the KRI regulation specifies about 70 requirements for the information system, defined across 15 areas, as well as around 40 documentation-related requirements – it’s crucial to ensure that every aspect of the security system is properly addressed.
What are the benefits of a KRI audit?
The purpose of conducting a KRI audit is to verify data security and optimize processes related to IT systems. This brings a range of benefits for the organization, from updating the security system and strengthening the protection of information and data, to ensuring compliance with legal regulations. A high level of security, maintained through regular KRI audits, helps protect the organization's assets and also improves operational efficiency. This, in turn, contributes to building greater public trust.