M6.2.2 - INTERNAL AUDIT Implementation Guidance
The entity shall plan and conduct internal audits of the information security in place.
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard.
Internal audits are another important means, in addition to the performance measurements, to assess compliance with the “always applicable” controls of this Standard, the entity’s own policies and procedures, and the applicable requirements from the entity’s sector, national or regulatory environment.
The information security controls in place at the entity should be subject to independent internal audits at a pre-defined schedule. This type of auditing should not come as a surprise but should be planned in advance, and the auditor should provide an audit plan of the areas to be audited and people to be met, to ensure the audit does not disrupt the business processes more than necessary (see also the sub-controls above).
One of the important concepts of internal audits is the independence of the internal auditor(s) carrying out the audits. If the necessary independence or expertise cannot be found within the entity, external resources can provide this service. If the entity uses external resources, care should be taken to ensure that the external resource has enough knowledge of the entity to conduct the audit successfully.
Another important aspect of the internal audit is the entity’s reaction to its results. The results of the internal audits should be considered by the Information Security Committee (refer to M.1.1.2 - P1 - LEADERSHIP AND MANAGEMENT COMMITMENT), and the entity should ensure that all audit findings are corrected in a timely manner.