Supplementary References 

Supplementary references will be introduced periodically to help owners of Critical Information Infrastructure (CII) proactively secure and build resilience into their systems. These references serve as additional resources for CII owners when complying with Code of Practices issued by the Commissioner of Cybersecurity. The list of supplementary references can be found below:


1. Security-by-Design Framework

The Security-by-Design Framework [2 MB] was developed to guide CII owners through the process of incorporating security into their Systems Development Lifecycle process. Security-by-Design is an approach which addresses the cyber protection considerations throughout a system’s lifecycle and it is one of the key components of the Cybersecurity Code of Practice for Critical Information Infrastructure.

2. Security-by-Design Framework Checklist

The Security-by-Design Framework Checklist [753kb] is a step-by-step supplementary worksheet to the Security-by-Design Framework. It acts as a quick reference guide for cybersecurity practitioners to adopt the Security-by-Design Framework.

3. Guide to Conducting Cybersecurity Risk Assessment for CII

The Guide to Conducting Cybersecurity Risk Assessment for CII [1.25MB] was developed to provide guidance to CII Owners on how to perform a proper cybersecurity risk assessment. This guidance document also spells out the expectations that CII Owners are required to note when conducting their risk assessment under the Cybersecurity Act 2018.

4. Guidelines for Auditing Critical Information Infrastructure  

The Guidelines for Auditing Critical Information Infrastructure [763kb] was developed to set out the expectations for cybersecurity audits and to provide guidance to appointed or approved auditors on key areas to take note of when conducting an audit of the CII under the Cybersecurity Act 2018.