Information security audit (KRI)
Entities carrying out public tasks in Poland are required to arrange a periodic internal audit of information security — at least once a year. We carry it out in a way that disrupts the entity's day-to-day operations as little as possible.
New cybersecurity requirements (NIS2 / uKSC)
The regulatory framework is changing right now: under the Act of 25 July 2025 amending the Act on Informatisation (Journal of Laws 2025, item 1158), the requirements for the information security management system are moving from the KRI regulation to the amended Act on the National Cybersecurity System, which implements the EU NIS2 directive. In practice, this means that public entities must confirm the effectiveness of their safeguards through a security audit by the end of 2026. We help organisations navigate this transition — from a KRI compliance audit to preparation for the requirements of the new act.
What the audit covers
- an assessment of the information security management system (ISMS) — policies, procedures and responsibilities (compliance with § 19 of the KRI regulation; methodologically based on PN-ISO/IEC 27001),
- an inventory and assessment of the safeguards of the ICT systems used to process information and data,
- verification of access rights management, information security training, data processing agreements and service contracts,
- accountability (logs) and business continuity (backups, contingency plans),
- the digital accessibility of online services (requirements of the Polish Digital Accessibility Act — WCAG 2.1),
- an audit report: findings, non-conformities, recommendations and a proposed remediation programme.
Who is the audit for?
Public finance sector entities and other bodies carrying out public tasks, including:
- central and local government bodies, courts, the prosecution service, audit and control bodies,
- budgetary units and local government budgetary establishments, special-purpose funds,
- public healthcare institutions (SP ZOZ) and companies providing medical services,
- ZUS, KRUS, NFZ, and state or local government legal entities,
- entities entrusted with carrying out a public task.
How we work
- Document checklist — the entity receives a list of documents to prepare for the auditors.
- Auditors' visit — work on site, as unobtrusive as possible (usually 1–2 days).
- Report — findings, non-conformities and proposed corrective actions.
The annual review in subsequent years is simpler — based on materials provided electronically, and concluded with a report.
Let's talk about your organisation
Audit, accounting, advisory or training — write to us and we will come back with a specific proposal.