Audit consideration
Audit Need
National Information Assurance (NIA) Certification is granted after an organization goes through a formal audit by an Accredited Auditor, which allows NCSA to determine whether the organization is compliant with the NIA Standard requirements.
What is NIA Audit
NIA Audit is the process of obtaining appropriate and sufficient evidence about the Information Security Management System (ISMS) established by an organization for a defined scope. The evidence is evaluated objectively, following a rigorous process, to determine the conformance of the scope to the NIA Standard's requirements. Audits performed for the purpose of NIA Certification follow the requirements defined by the National Information Security Compliance Framework (NISCF) Audit Standard and the supporting Technical Directives (TDs) and Standard Operating Procedures (SOPs) developed by NCSA.
NISCF Audit Standard
The NISCF Audit Standard outlines the requirements for organizations seeking NISCF Audit Accreditation Services and for Accredited Audit Service Providers, as well as the requirements for delivering NIA audits. This document also serves as a guide for applicants to NIA Certification (also referred to as auditees), helping them understand the audit process they will undergo.
NCSA is committed to continuously improving the NISCF Audit Standard to support the auditees in their NIA Certification journey. To achieve this goal, the NISCF Audit Standard is revised and updated periodically.
The key objectives in publishing the latest version (version 3.0) are:
- Shortening the timelines to ensure quicker and smoother completion of audits;
- Reducing the efforts required by both applicants and auditors by simplifying the audit procedures;
- Demystifying the audit phases and activities; and
- Increasing the number of NIA accredited audit service providers.
In addition to the NISCF Audit Standard, NCSA has published multiple supporting documents that aim to provide better clarity of key areas of the audit. These supporting documents include four Standard Operating Procedures (which are directed primarily towards supporting the audit work of the accredited auditors) and five Technical Directives (which provide clarity regarding specific audit areas to both accredited auditors and the auditee).
Technical Directives
Technical Directives provide specific technical rules to be followed and recommendations to be observed by the Accredited Audit Service Providers and by NIA Certification applicants (auditees). The Technical Directives currently available are:
- NIA Technical Directive on Audit Calendar - provides specific rules and recommendations for Accredited Audit Service Providers and auditees regarding the timelines for the main audit activities to be observed, ensuring that audits are performed within reasonable timelines;
- NIA Technical Directive on Audit Objectives and Scope - provides clarity to the Accredited Audit Service Providers and auditees regarding the objectives and scopes for the various audits during the NIA Certification lifecycle (Initial Certification, Maintenance, Scope Expansion, Suspension and Re-Certification);
- NIA Technical Directive on Audit Period - provides details related to the audit period requirements for the various audits during the NIA Certification lifecycle. The audit period (the historical period for which the conformance of the scope to the audit criteria is verified) has been shortened to reduce the sampling effort for both auditors and auditees, while still allowing the Operating Effectiveness of NIA controls to be verified across a representative period of time;
- NIA Technical Directive on Corrective Action Plan - provides specific instructions for Accredited Audit Service Providers and auditees regarding the development of an acceptable corrective action plan, in case non-conformities are identified during the audit; and
- NIA Technical Directive on the Use of the Work of Others - provides details to the Accredited Audit Service Providers and auditees regarding the use of other reports (ISO/IEC 27001 Certification, SOC 2 and more) during an NIA audit to reduce the NIA audit effort.