Cyber Security Management System

NCCS Article 32

Within 24 months of being notified by the competent authority that they have been identified as a high impact or critical impact entity in accordance with NCCS Article 24 Paragraph 6, each entity shall, in accordance with NCCS Article 32 Paragraph 1:

(a) determine the scope of the cybersecurity management system considering interfaces and dependencies with other entities;

(b) ensure that all its senior management is informed of relevant legal obligations and actively contributes to the implementation of the cybersecurity management system through timely decisions and prompt reactions;

(c) ensure that the resources needed for the cybersecurity management system are available;

(d) establish a cybersecurity policy that shall be documented and communicated within the entity and to parties affected by the security risks;

(e) assign and communicate responsibilities for roles relevant to cybersecurity;

(f) perform cybersecurity risk management at entity level as defined in NCCS Article 26;

(g) determine and provide the resources required for the implementation, maintenance and continual improvement of the cybersecurity management system, taking into account the necessary competence and awareness of cybersecurity resources;

(h) determine the internal and external communication that is relevant to cybersecurity;

(i) create, update and control documented information related to the cybersecurity management system;

(j) evaluate the performance and effectiveness of the cybersecurity management system;

(k) conduct internal audits at planned intervals to ensure that the cybersecurity management system is effectively implemented and maintained;

(l) review the implementation of the cybersecurity management system at planned intervals; and control and correct non-compliance of the resources and activities with the policies, procedures and guidelines in the cybersecurity management system.

Within 24 months of identification, all high impact and critical impact entities shall establish a cybersecurity management system and shall review this system every three years thereafter. According to NCCS Article 32 Paragraph 2, the scope of the cybersecurity management system shall include all assets within the high impact and critical impact scope of the high impact and critical impact entity.