Cybersecurity audits and risk assessments of critical information infrastructure
15.—(1) The owner of a critical information infrastructure must—
- (a) at least once every 2 years (or at such higher frequency as may be directed by the Commissioner in any particular case), starting from the date of the notice issued under section 7, cause an audit of the compliance of the critical information infrastructure with this Act and the applicable codes of practice and standards of performance, to be carried out by an auditor approved or appointed by the Commissioner; and
- (b) at least once a year, starting from the date of the notice issued under section 7, conduct a cybersecurity risk assessment of the critical information infrastructure in the prescribed form and manner.
(2) The owner of the critical information infrastructure must, not later than 30 days after the completion of the audit mentioned in subsection (1)(a) or the cybersecurity risk assessment mentioned in subsection (1)(b), furnish a copy of the report of the audit or assessment to the Commissioner.
(3) Where it appears to the Commissioner from the report of an audit furnished under subsection (2), that any aspect of the audit was not carried out satisfactorily, the Commissioner may direct the owner of the critical information infrastructure to cause the auditor to carry out that aspect of the audit again.
(4) Where it appears to the Commissioner—
- (a) that the owner of a critical information infrastructure has not complied with a provision of this Act, or an applicable code of practice or standard of performance; or
- (b) that any information provided by the owner of a critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,
the Commissioner may by order require an audit in respect of the critical information infrastructure to be carried out by an auditor
