|
Article 6
|
In selecting audited agencies, the competent authority and government agencies (hereinafter collectively referred to as the “auditing agency”) shall take into comprehensive consideration the importance and sen-sitivity of their operations, the size and nature of their information and communication systems, the fre-quency and severity of cyber security incidents, the results of cyber security drills, the frequency and results of audits conducted in previous years by the competent authority, the government agencies that receive reports on the implementation of cyber security maintenance plans pursuant to Article 14 of the Act, the central competent authority in charge of the relevant sector, or other relevant agencies, and other factors relating to cyber security.<br/>The annual plan prescribed in Paragraph 5, Article 8 of the Act and the audit plan prescribed in Article 4 shall include at least the following content items:<br/>1. Audit basis.<br/>2. Purpose of audit.<br/>3. Scope of audit.<br/>4. Work schedule.<br/>5. Composition of the audit team.<br/>6. Duty of confidentiality.<br/>7. Principles for selecting audited agencies.<br/>8. Audit criteria.<br/>9. Audit methods and items.<br/>Where the auditing agency formulates the annual plan or audit plan referred to in the preceding Paragraph, it shall take into comprehensive consideration national cyber security policy, domestic and foreign cyber security trends, the contents and results of past audit plans, and any other factors relating to the proper allocation of audit resources or audit effectiveness.
|