Cybersecurity audits and reviews must be conducted by independent parties outside the cybersecurity function (e.g., Internal Audit function) to assess the compliance with the cybersecurity controls in the organization. Audits and reviews must be conducted independently, while ensuring that this does not result in a conflict of interest, as per the Generally Accepted Auditing Standard controls (GAAS), and related laws and regulations.

• Review and audit cybersecurity controls implementation at the organization by parties independent of the cybersecurity function, such as the internal audit department, or by third parties that cooperated with independently from the relevant cybersecurity function to achieve the principle of non-conflict of interests when reviewing the implementation of all cybersecurity requirements in the organization
• Perform the review periodically according to a documented and approved plan for review and based on a period specified in the policy (e.g., review must be conducted annually), in order to ensure that the organization's cybersecurity controls are effectively implemented and operate in accordance with the regulatory policies and procedures of the organization, the national laws and regulations approved by NCA, and the international requirements approved by the organization.

• Cybersecurity Review and Audit Template.
• Cybersecurity Review and Audit Log Template.

• A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
• Approved plan to review and audit the implementation of cybersecurity controls
• Audit reports (by the internal audit department or an independent external auditor) on all cybersecurity requirements of the organization