Audit of public administration information systems

Company KOLAS s.r.o. offers you services related to ensuring the fulfilment of requirements set by the operator of public administration information systems. 

These are mainly the following activities:

  • monitoring and confirmation of compliance (GAP analysis, audit),
  • setting up information security, information security management processes,
  • designing safety measures to reduce the risk,
  • application of the proposed safety measures,
  • measuring the effectiveness and efficiency of their deployment and maintenance in practice.

In addition to the desired compliance with legislation, the benefit and added value is a real and demonstrable improvement in the overall security and protection of information and information assets. Our approaches are based on long-standing experience in various sectors and areas of information and cyber security.

In addition to the audit or the actual setting up of IB/KB processes and the solution of security measures, we can help with the mandatorily required function of an information and cyber security manager in the form of an external consultant - either directly, or in the form of its support or professional coaching.


The Law on ITVS (ZoITVS) and related decrees oblige operators of public administration information systems to set up and put into practice processes in the area of information security management.

Related legislation: 

  • Act No. 95/2019 on information technology in public administration
  • Decree No. 78/2020 Z. z., on standards for public administration information technology
  • Decree No 85/2020 Z. z., on project management
  • Decree No. 179/2020 Z. z., which establishes the method of categorization and content of security measures of information technologies of public administration 

Decree 179/2020 establishes 3 categories of security measures according to which the operator of the public administration information system is to apply security measures:

  1. small villages and towns up to 6000, 
  2. towns and cities over 6,000, all large cities except regional towns, 
  3. regional towns, local authorities, ministries, government offices, the Supreme Court, TASR, NS, NCZI, etc.

The most common tasks that need to be addressed to comply with the above legislation:

  • Set up processes (process safety - guidelines, policies, strategies)
  • Put the above processes and proposed safety measures into practice 
  • Introduce risk management for processes and technologies handling DO - both automated and non-automated (from monitoring in the network - network elements, security elements, on the workstation, to monitoring in the network - network elements, security elements, on the workstation. stations and servers through penetration and technology tests, physical and object security) 
  • Introduce incident management 
  • Establish documented backup and business continuity processes
  • Introduce control and audit activities (internal audit, external audit)
  • Introduce an information security manager function (can be outsourced or consultancy support for the MIB is possible)
  • Introduce supplier relationship management
  • Establish training and education processes
  • Introduce safety measures according to the relevant decree - within the given category