The Digital Transformation Office of the Presidency of the Republic of Turkey (“DTO”) published the Guidelines on Information and Communication Security Audits (“Audit Guidelines”) on 27 October 2021. The Audit Guidelines provide details on the audit procedures that public institutions and enterprises providing critical infrastructure services must carry out for the security of critical data.
Recent development
The Audit Guidelines published by DTO pursuant to the Guideline on Information and Communication Security explain the methodology regarding the audit procedures that public institutions and enterprises providing services in critical infrastructure sectors such as energy, electronic communication, health and finance must conduct. The Guidelines are available online here in Turkish.
What do the Audit Guidelines say?
Institutions within the scope of the Guideline on Information and Communication Security must complete their work to ensure compliance with the measures under that Guideline within 24 months. After this period, institutions must initiate their audit process.
In this regard, the Audit Guidelines explain the audit process, which must be followed by the public institutions and enterprises providing critical infrastructure services. Institutions must carry out their audit process mainly through internal audit units. If internal audit units are not available or insufficient, the process may be carried out by other personnel within the institution, personnel to be assigned from other public institutions and organizations, or through service procurement. In this context, a separate guideline, which sets out the criteria for personnel and companies who will perform the audits, has also been published. You may access the relevant guideline here.
The Audit Guidelines also set out the obligations of institutions that outsource the audit and of the auditors. Accordingly, institutions must obtain audit services from companies authorized within the scope of the Certification Program, and must not obtain audit services from companies and auditors who have provided the institution with consultancy services on compliance with the Guideline on Information and Communication Security.
Pursuant to the Audit Guidelines, the purposes of audits are to evaluate the implementation of the Information and Communication Security Guideline and the effectiveness of the measures applied to asset groups. The audits consist of three steps:
(i) Planning of the audit procedure
(ii) Performing the audit procedure
(iii) Reporting of the audit results
Within the scope of planning the audit procedure, the audit team and the scope of the audit must be determined, and the audit strategy and the audit program must be prepared. The audit team must consist of at least two people, and the staff must hold the necessary certificates or authorizations. In order to understand the operations of the institution, the audit team must analyze the institution’s organizational structure, business processes, previous audit reports, corporate asset groups, etc. The asset groups covered by the audit must be identified. For this purpose, the audit team must follow a risk-based audit approach and take the materiality criteria as a basis. In accordance with the Audit Guidelines, the audit team must include in the audit at least one asset group that relates to one of the main asset groups defined in the compliance studies. After these steps, the audit strategy and program must be prepared in line with the audit purposes. Different methods specified in the Audit Guidelines, such as interviews, document review, security audits, penetration testing and source code analysis, may be used in carrying out the audit procedures. However, additional methods may be used as well.
Once the audit is completed, an audit report must be prepared and submitted to the DTO.
Conclusion
The Audit Guidelines provide guidance to public institutions and enterprises providing critical infrastructure services on the audit procedures used to verify the implementation of the Information and Communication Security Guideline and to measure the effectiveness of the measures applied to asset groups. In this context, relevant institutions and critical infrastructure providers must manage their audit process in accordance with the Audit Guidelines, submit their reports to the DTO, and closely follow the announcements and guidance of the competent authorities on the matter.