The Cyber Security Act and its compliance audit
The Cyber Security Act (Act No. 181/2014 Coll.) has been effective since January 2015. In addition, this law defines the competencies of the National Cyber Security Centre. Regulated entities are, for example, network providers, ISPs, administrators of important information systems and administrators of critical information infrastructure. A year after the Act came into effect, the NSA began to perform its compliance audits. The aim of a compliance audit is to evaluate conformity or nonconformity with the obligations laid down by the law. The requirements on cyber security controls are built on the foundation of ISO/IEC 27001 (Information Security Management System), so the compliance audit itself is based on the principles of auditing an information security management system. The audit criteria are based on the Cyber Security Act and its implementing legal regulation (Regulation on Cyber Security). The aim of this contribution is to clarify the details of the NSA's approach to the compliance audit of the Cyber Security Act, and furthermore to provide a detailed introduction to the compliance audit process and an annual summary of the experience gained from the audit work in 2016. This includes statistics of annual audit findings and lessons learned based on case studies.
Martin Konečný
Alumnus of Managerial Informatics at Brno University of Technology. He currently works at the National Cyber Security Centre, where he is head of the Department of Regulations and Audit. He focuses on issues of the Cyber Security Act in relation to information security management systems.