Frequently Asked Questions
Under section 15(1)(a) of the Cybersecurity Act 2018 the owner of a Critical Information Infrastructure must, starting from the date of the notice issued under section 7 (Designation of CII), carry out a cybersecurity audit of the compliance of the CII with the Act and applicable codes of practice and standards of performance.
In accordance with section 15(1)(a) of the Cybersecurity Act 2018, the cybersecurity audit must be carried out at least once every two years (or at a higher frequency which may be directed by the Commissioner of Cybersecurity in any particular case), and must be carried out by an auditor approved or appointed by the Commissioner.
Critical Information Infrastructure owners (CIIOs) are required to submit the following online application forms for the purpose of obtaining the Commissioner’s approval for the proposed appointment of auditors:
a. Form A1: Application Form for Appointment of Auditor (to be completed by the owner of the CII); and
b. Form A2: Application Form for Appointment of Auditor (to be completed by the external audit firm/team/auditor).
Links to Forms A1 and A2 have been shared with CIIOs. CIIOs that do not have access to the forms should contact Regulations@csa.gov.sg.