Protecting organizations from cybersecurity threats is mainly a matter of implementing security measures and, subsequently, cybersecurity incident response processes. “Panta rhei” is Plato’s abbreviated interpretation of the ancient philosopher Heraclitus’ claim that everything is constantly changing. Nothing is permanent and nothing is forever. Every industry, technology and environment gradually undergoes natural as well as provoked changes, which also affect the level of protection of information assets. It is therefore highly appropriate that organizations do not rely solely on the activities they have already performed, but regularly verify and test their current level of security.
Verification and testing are more objective if performed by someone who is sufficiently qualified, impartial and trustworthy to do so, and this is not limited to cybersecurity. Since the results of testing are usually submitted to statutory representatives or organization owners (who may not be experts in the field being tested), it is most appropriate to verify the actual state against formal requirements, optimally defined in writing. In the case of cybersecurity, these formal requirements are the provisions of the Decree of the National Security Authority No. 362/2019 Coll. laying down the Content of Security Measures, the Content and Structure of Security Documentation and the Scope of General Security Measures.
Act No. 69/2018 Coll. on Cybersecurity regulates, inter alia, obligations of operators of essential services to verify the efficiency of adopted security measures by conducting a cybersecurity audit. An audit report shall be obtained every two years and after each change that has a significant impact on implemented security measures. An audit can only be conducted by a certified cybersecurity auditor.
Requirements for auditors are laid down in the Decree of the National Security Authority No. 436/2019 Coll. on Cybersecurity Audit and Auditor’s Knowledge Standard. Auditors may only be certified by organizations that are accredited as bodies competent to assess conformity with the requirements imposed on cybersecurity auditors. Accreditation is a third-party attestation serving as official proof of competence to perform specific conformity assessment tasks. In this case, it is a procedure under which the authority issues a certificate stating that the organization will be authorized to perform the certification of auditors. The Slovak National Accreditation Service (SNAS) is the national accreditation body of the Slovak Republic.
Since 1 January 2020, a new state-funded institution of the National Security Authority, the Cyber Security Competence and Certification Centre (hereinafter referred to as the Competence Centre), has been exercising its powers. The Competence Centre was established by a deed of incorporation/charter issued on 16 December 2019 under a decision of the Director of the National Security Authority pursuant to Act No. 523/2004 Coll. on Public Administration Budgetary Rules. The establishment of the Competence Centre is also based on a Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres.
On 15 April 2020, the Competence Centre successfully completed the accreditation process according to a certification scheme for verifying the professional competence of the cybersecurity auditor and has thus become the first certification body in this field in Slovakia. The decision on the accreditation status was made by the Slovak National Accreditation Service, which assessed compliance with all requirements in accordance with ISO/IEC 17024:2012 on requirements for bodies operating certification of persons.
The Competence Centre is planning to launch the certification of cybersecurity auditors in the forthcoming weeks, in full respect of the measures taken by the Government of the Slovak Republic regarding the current pandemic situation. More information will be continuously published on the website www.cybercompetence.sk.
If a certification scheme for the certification of cybersecurity products is proposed in the near future (in compliance with ISO/IEC 17065:2012 on requirements for bodies certifying products, processes and services), then the Competence Centre will, without doubt, be the first Slovak organisation to apply for accreditation of this type.