Frequently Asked Questions
Cybersecurity Audit for CII
Will Critical Information Infrastructure owners (CIIOs) be given a grace period to comply with the Operation Technology (OT) Systems Requirements in Cybersecurity Code of Practice (CCoP) addendum?
CIIOs are given a grace period of six months from the issuance date of the CCoP addendum to comply with the new OT clauses under the addendum. Compliance with the new OT clauses is effective from 19 June 2020.
How often must the Critical Information Infrastructure owners (CIIOs) carry out the cybersecurity audit?
Under section 15(1)(a) of the Cybersecurity Act 2018, the owner of a Critical Information Infrastructure must, starting from the date of the notice issued under section 7 (Designation of CII), carry out a cybersecurity audit of the compliance of the CII with the Act and applicable codes of practice and standards of performance.
The cybersecurity audit, in accordance with section 15(1)(a) of the Cybersecurity Act 2018, must be carried out at least once every two years (or at a higher frequency which may be directed by the Commissioner of Cybersecurity in any particular case), and must be carried out by an auditor approved or appointed by the Commissioner.
What is the cybersecurity audit period for which audit evidence is to be obtained?
The audit period for which audit evidence is to be obtained should minimally be 12 months from the point the audit begins, and there should be no gap between audit periods from the last audit.
Which approach (compliance or risk-based) should the auditor adopt to conduct the cybersecurity audit of the CII?
The auditor should adopt both compliance and risk-based approaches for the cybersecurity audit of the CII. For the compliance-based approach, the auditor should carry out compliance tests to ascertain the adequacy and effectiveness of the controls applied in the CII to comply with the Act, subsidiary legislation, applicable written directions, codes of practice (CoP), and standards of performance (SoP). For the risk-based approach, the auditor should identify the risks and threats that the CII faces and ascertain whether the controls put in place are appropriate to mitigate the known risks and threats.
Where a waiver of the Code of Practice (“CoP”) is granted to a CII, will the waived CoP clause(s) be subject to the cybersecurity audit?
Where a waiver is granted, the waived CoP clause(s) remain subject to the cybersecurity audit. The auditor should: (i) understand the purpose of the waiver request and the waiver condition; and (ii) validate the effectiveness of compensating controls (where applicable).
Who would be the point of contact should there be a need to discuss interpretation of the policy and/or intent of the Cybersecurity Act or Code of Practice (“CoP”)?
All discussion on the policy, intent and interpretation of the Cybersecurity Act or CoP should be directed to the policy owner (i.e. CSA) at
© 2019, Government of Singapore