TFL Vsebine / Revija SIR*IUS

Cybersecurity topical requirement

V letu 2024 je bil prenovljen Mednarodni okvir strokovnega ravnanja pri notranjem revidiranju (angl. International Professional Practices Framework - IPPF), ki v osrednji del poleg standardov vključuje tudi tematske zahteve (angl. Topical Requirements). Gre za novo, obvezno sestavino okvira, katere namen je izboljšati doslednost, strokovnost in primerljivost notranjerevizijskih poslov na področjih z visoko stopnjo tveganja. Tematske zahteve določajo minimalna osnovna merila za presojo treh ključnih vidikov: upravljanja, obvladovanja tveganj in notranjega kontroliranja. Februarja 2025 je bila izdana prva tematska zahteva, ki se nanaša na kibernetsko varnost, skupaj z obsežnim uporabniškim priročnikom. Tema je še posebej aktualna, ker je Slovenija v letu 2025 sprejela nov Zakon o informacijski varnosti (ZInfv-1), s katerim je bil v nacionalni pravni red prenesen zahteven evropski regulativni okvir - Direktiva (EU) 2022/2555 o ukrepih za visoko skupno raven kibernetske varnosti (NIS 2). Zakon širi krog zavezancev na številne organizacije v javnem sektorju in uvaja obveznosti, kot so imenovanje odgovornih oseb, izvajanje varnostnih ukrepov in poročanje o incidentih. S tem dobiva področje kibernetske varnosti večji pomen tudi z vidika notranje revizije, ki bo morala v prihodnje vse pogosteje presojati, kako organizacije obvladujejo ta tveganja - in ali to počnejo skladno s predpisi. Tematska zahteva za kibernetsko varnost ponuja standardiziran in praktično uporaben okvir, ki je za notranje revizorje lahko orodje za učinkovito in skladno izvedbo revizij na tem zahtevnem področju.

In 2024, the International Professional Practices Framework (IPPF) was revised, introducing a new mandatory element alongside the Global Internal Audit Standards: Topical Requirements. This new component is designed to enhance the consistency, professionalism, and comparability of internal audit engagements in areas with high levels of risk. Topical Requirements establish minimum baseline criteria for assessing three core aspects: governance, risk management, and controls. In February 2025, the first Topical Requirement on Cybersecurity was issued, accompanied by a comprehensive user guide. The topic is particularly timely, as in 2025 Slovenia adopted a new Information Security Act (ZInfv-1), implementing the EU Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2). The Act significantly expands the circle of included entities, together with many public sector organizations, and introduces new obligations such as the appointment of responsible officers, the implementation of security measures, and mandatory incident reporting. This gives cybersecurity greater relevance for internal audit, which will increasingly be called upon to assess how organizations are managing these risks - and whether they are doing so in line with regulatory requirements. The Cybersecurity Topical Requirement thus provides a standardized and practically applicable framework that internal auditors can use as a tool for effective and compliant audits in this complex and evolving area.