E-ITS was established by the Estonian Government pursuant to Section 7(5) of the Cybersecurity Act and Section 3(1) of the Government Regulation No 121 "Cyber Security Requirements for Network and Information Systems" of 9 December 2022. According to the Cybersecurity Act, E-ITS is mandatory for public sector organisations, vital service providers, providers of essential services and other organisations specified in the Cybersecurity Act.

E-ITS has undergone a major change compared to its predecessor, the IT Baseline Security System (ISKE). This makes it easier for institutions and organisations to implement an information security management system. The new information security standard E-ITS has a significantly wider scope and clearer requirements. Implementing an E-ITS compliant information security management system ensures better protection for the organisation and its information as a whole. E-ITS is similar in structure to the ISO/IEC 27001 standard, and has a similar auditing approach and requirements.

Private sector organisations that are covered by the Cybersecurity Act are obliged to organise risk management and implement information security measures in accordance with E-ITS or ISO 27001.

Expiration of the IT Baseline Security System ISKE

The three-tier baseline security system of information systems (ISKE) will be in effect until 31 December 2023. By then, all those who had earlier applied ISKE will be required to have implemented the new information security standard E-ITS. The legal basis for the implementation of ISKE ceased to exist as of 1 January 2023, and it has not been lawful to apply the standard since then. This does not affect the validity of the results of ISKE audits that were valid as of 1 January 2023; the institution can rely on them until the end of their validity.

As of 1 January 2023, it is no longer allowed to conduct audits that comply with the ISKE standard, and it is expected that institutions and organisations will have completely switched to E-ITS by 2024.

Auditing

The requirement for E-ITS auditing depends on the security level of the organisation's information system; it can be either a two or a three-year cycle. Each audit cycle consists of a main audit, a follow-up audit (if the level of the information security in the organisation is currently low) and an annual interim audit. There is also a pre-audit, which is mandatory the first time the organisation's compliance with the E-ITS standard is audited. It is important to keep in mind that the gap between the pre-audit and the main audit must not exceed six months.

If the institution was previously not required to apply E-ITS or ISKE, they must start implementing E-ITS within six months from the date of entry into force of the Government regulation. A specific action plan for the implementation of the standard must be drawn up, and the institution must complete the principal E-ITS audit by the end of 2025.

For example, service providers that employ an average of fewer than 10 staff during the financial year and whose annual balance sheet total or annual turnover does not exceed two million euros do not have to carry out an E-ITS audit.

When ordering an audit, organisations must keep in mind that auditing based on the new information security standard E-ITS is more extensive compared to previous ISKE audits. ISKE audits had to be carried out every two, three or four years (depending on the level of security). However, according to the E-ITS standard, the audit obligation is annual. An audit should be ordered at least two months in advance.

When ordering an E-ITS audit, the institution must clearly and comprehensibly describe the scope of the audit, including the business processes subject to the audit along with the protection requirements and possible specific features.

When ordering an audit, you should take into account the auditor's qualifications, previous experience in a similar role and certificate(s) for auditing information security systems. These aspects are important in order to ensure high-quality and sustainable auditing within three years. This, in turn, will provide an assurance that the institution's information security management system is capable of protecting data against threats.

The KPMG audit team members have several internationally recognized information security and auditor certifications, including ISO 27001 Lead Auditor and CISA. These ensure the compliance of our auditors' qualifications with the requirements of the E-ITS auditing manual. In addition, the team has CISM and CRISC certifications, ensuring successful risk assessments.

ISO 27001 standard as an alternative to the implementation of E-ITS

According to the Cybersecurity Act, the requirement to implement E-ITS does not apply if the security measures implemented by the organisation (service provider) meet the requirements established by the international standard ISO/IEC 27001, and a certificate of conformity has been submitted to the administrative supervisory authority (Information System Authority, RIA).

KPMG can assist your organisation in both E-ITS implementation and auditing

Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.


Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.


Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.
