Information security audit (KRI)

Entities carrying out public tasks in Poland are required to arrange a periodic internal audit of information security — at least once a year. We carry it out in a way that disrupts the entity's day-to-day operations as little as possible.

Legal basis. § 19(2)(14) of the Regulation of the Polish Council of Ministers of 21 May 2024 on the National Interoperability Framework, minimum requirements for public registers and the electronic exchange of information, and minimum requirements for ICT systems (Journal of Laws 2024, item 773). Compliance is reviewed, among others, by the Supreme Audit Office (NIK).

New cybersecurity requirements (NIS2 / uKSC)

The regulatory framework is changing right now: under the Act of 25 July 2025 amending the Act on Informatisation (Journal of Laws 2025, item 1158), the requirements for the information security management system are moving from the KRI regulation to the amended Act on the National Cybersecurity System, which implements the EU NIS2 directive. In practice, this means that public entities must confirm the effectiveness of their safeguards through a security audit by the end of 2026. We help organisations navigate this transition — from a KRI compliance audit to preparation for the requirements of the new act.

What the audit covers

  • an assessment of the information security management system (ISMS) — policies, procedures and responsibilities (compliance with § 19 of the KRI regulation; methodologically based on PN-ISO/IEC 27001),
  • an inventory and assessment of the safeguards of the ICT systems used to process information and data,
  • verification of access rights management, information security training, data processing agreements and service contracts,
  • accountability (logs) and business continuity (backups, contingency plans),
  • the digital accessibility of online services (requirements of the Polish Digital Accessibility Act — WCAG 2.1),
  • an audit report: findings, non-conformities, recommendations and a proposed remediation programme.

Who is the audit for?

Public finance sector entities and other bodies carrying out public tasks, including:

  • central and local government bodies, courts, the prosecution service, audit and control bodies,
  • budgetary units and local government budgetary establishments, special-purpose funds,
  • public healthcare institutions (SP ZOZ) and companies providing medical services,
  • ZUS, KRUS, NFZ, and state or local government legal entities,
  • entities entrusted with carrying out a public task.

How we work

  1. Document checklist — the entity receives a list of documents to prepare for the auditors.
  2. Auditors' visit — work on site, as unobtrusive as possible (usually 1–2 days).
  3. Report — findings, non-conformities and proposed corrective actions.

The annual review in subsequent years is simpler — based on materials provided electronically, and concluded with a report.

Who carries out the audit? The audit is led by an auditor holding the CIA (Certified Internal Auditor) designation, who has passed the Polish state internal auditor examination (Ministry of Finance), is a qualified ISO 27001 auditor and has many years of experience in public sector entities — Monika Kalinowska.

Let's talk about your organisation

Audit, accounting, advisory or training — write to us and we will come back with a specific proposal.

Request a proposal