To print this article, simply register or connect to Mondaq.com.
The Office of Digital Transformation of the Presidency of the Republic of Turkey (“DTO”) released the Guidelines for Information and Communications Security Audits (“Audit Guidelines”) on October 27, 2021. The Guideline provides details on the audit procedures that public institutions and companies providing critical infrastructure services must ensure the security of critical data.
The audit guidelines issued by the DTO in accordance with the Information and Communications Security Directive explain the methodology regarding the audit procedures that public institutions and companies providing services in critical infrastructure sectors such as that energy, electronic communications, health and finance must lead. The guidelines are available online here in Turkish.
What do the audit guidelines say?
Establishments falling within the scope of the Information and Communications Security Directive must complete their operations to ensure compliance with the measures provided for in the said directives within 24 months. After this period, institutions must begin their audit process.
In this regard, the Audit Guidelines explain the audit process, which should be followed by public institutions and companies providing critical infrastructure services. Institutions should conduct their audit process primarily through internal audit units. If internal audit units are not available or insufficient, the process can be carried out by other staff of the institution, staff to be assigned from other public institutions and organizations, or through contracts. Services. In this context, a separate directive, which sets out the criteria for the staff and companies that will carry out the audits, has also been published. You can access the relevant directive here.
The audit guidelines also include the obligations of contracted institutions and auditors. Accordingly, institutions should obtain audit services from companies authorized under the certification program and should not obtain audit services from companies and auditors that have provided consultancy services to companies. relevant institutions in accordance with the Information and Communication Security Directive.
In accordance with the Audit Guidelines, the purpose of the audits is to assess the implementation of the Information and Communications Security Directive and the effectiveness of the measures applied to groups of assets. Audits consist of three stages:
(i) Planning of the audit procedure
(ii) Execution of the audit procedure
(iii) Communication of audit results
As part of planning the audit procedure, the audit team and the scope of the audit should be determined; and the audit strategy and audit program must be prepared. The audit team should consist of at least two people and the staff should have the necessary certificates or authorizations. In order to identify the operations of the institution, the audit team should analyze the organizational structure of the institution, business processes, previous audit reports, groups of assets of the company, etc. The group of assets that are covered by the audit should be identified. To this end, the audit team should act according to a risk-based audit approach and be based on materiality criteria. In accordance with the Guidelines, the audit team should include at least one group of assets in the audit, which relates to one of the main groups of assets defined as part of the compliance studies. After these steps, the audit strategy and program should be prepared in accordance with the audit objectives. Various methods such as interviews, reviews, security audits, penetration testing and source code analysis specified in the Audit Guidelines can be used in performing the audit procedures. However, the procedure can also be performed using additional methods.
Once the audit is complete, an audit report should be prepared and submitted to the DTO.
The audit guidelines provide guidance to public institutions and companies providing critical infrastructure services on audit procedures for implementing the guidelines on information and communications security and for measuring effectiveness. measures applied to groups of assets. In this context, the institutions concerned and the providers of critical infrastructure must manage their audit process in accordance with the guidelines, submit their reports to the DTO and closely follow the announcements and orientations of the competent authorities in the matter.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR POSTS ON: Accounting and Auditing of Turkey