Inside Act 854 CED No.8's Audit Mandate

What the biennial audit actually examines across its compliance, risk and technical lenses, and the gap between having policies and passing.

On 17 July 2025, Chief Executive Direction No. 8 of the National Cyber Security Agency came into effect. It tells every National Critical Information Infrastructure entity in Malaysia what a cybersecurity audit under the Cyber Security Act 2024 has to look like: who is allowed to run it, how often it happens, and what it is measured against. The clock it starts is two years long. The bar it sets is higher than most boards have been told.

Section 22 of Act 854 already imposes the duty. The directive defines the standard the audit is measured against. Read together, they describe an audit built to catch one specific failure: the organisation that holds the policy but cannot show that the control behind it works.

The duty, and the period

Act 854 obliges every NCII entity to do two separate things within the prescribed period. First, conduct a cyber security risk assessment of the infrastructure it owns or operates, in line with its code of practice and the relevant directives. Second, cause an audit to be carried out, by an auditor approved by the NACSA Chief Executive, to determine the entity's compliance with the Act.

The cadence is not the same for both. Under the Cyber Security (Period for Cyber Security Risk Assessment and Audit) Regulations 2024, the risk assessment runs annually. The audit runs at least once every two years, counted from the date the entity was designated, or more frequently if the Chief Executive directs it in a particular case. The two-year figure is where the word biennial comes from, and it is the number boards tend to anchor on. It is also the number that does the most quiet damage, because two years is long enough for configurations to drift, staff to turn over, and a control that passed once to stop running without anyone noticing.

The two-year interval is not a grace period. It is the window in which a control that once worked stops working, unobserved.

What the audit measures against

CED No.8 sets the audit criteria explicitly. Compliance is assessed and verified against five things: Act 854 itself, the Regulations made under it, the Chief Executive's directives, the entity's Code of Practice, and the sector Guidelines. The directive's own definition of non-compliance is blunt: failure to comply with the specified audit criteria. There is no separate category for "documented but not operating." A control that exists on paper and nowhere else is a finding, not a partial pass.

That distinction is the whole point of the directive, and it is enforced through the way the audit is required to be conducted.

The three lenses

The directive mandates a combination of approaches. Two are compulsory. The rest are optional but available to the auditor, and an NACSA-approved auditor will reach for them where the mandatory two leave doubt.

The compliance-based approach is the first lens. It assesses the extent to which the entity's documentation and processes line up with the Act, the Regulations, the directives, the Code of Practice and the Guidelines. This is the paper layer. It answers one question: is it written down, and does what is written match what the law requires?

The risk-based approach is the second mandatory lens. It assesses the actual threats, vulnerabilities and impacts facing the specific infrastructure. This moves the audit off the document and onto the asset. It answers a different question: given what this system is and what could go wrong with it, are the right things being protected?

The optional lenses are where the gap closes. The control-based approach assesses whether security controls are functioning effectively, not merely present. The technical testing approach uses hands-on testing methods to detect real weaknesses in the infrastructure. The inspection and verification approach reviews documentation, interviews staff, and examines records to confirm whether controls are being adhered to and operating as planned. A fourth, the continuous improvement approach, applies even where no non-compliance is found, treating the audit as a tool for raising resilience rather than only catching failure.

Stacked in order, the lenses ask progressively harder questions. Is it written? What could go wrong? And then the one that decides the outcome: does the control actually stop it? The distance between a policy existing and an audit passing lives entirely in that final question.

The directive does not ask whether you have a policy. It asks whether the control behind it works, and it brings technical testing to find out.

Who is allowed to run it

The directive closes the obvious escape route, which is grading your own homework. Audits may only be conducted by an auditor approved by the Chief Executive under section 22(1)(b) of Act 854. The entity identifies the auditor, then submits the appointment for approval in writing at least thirty days before the audit. Once approved, the auditor signs a non-disclosure agreement with the entity before fieldwork begins.

The competence bar is specific. A chief auditor needs a Lead Auditor certification in cyber security, information security or IT from an accredited body, at least four years in the field and three years in auditing it. Each audit team must include at least one member with technical expertise in the sector being audited, so the people checking the controls understand the systems they are checking. After the audit, the entity submits the report to the Chief Executive within thirty days, with a copy to its sector lead. If the Chief Executive finds the report insufficient, the entity can be directed to rectify it within a set period.

What it costs to fail

This is where the audit stops being an IT matter. Section 22(7) of Act 854 makes contravening the duty to conduct the assessment or audit, or to submit the report, an offence carrying a fine of up to RM200,000, imprisonment of up to three years, or both. Ignoring a direction from the Chief Executive, including a direction to rectify an insufficient report, carries a fine of up to RM100,000 under section 22(8).

The exposure does not stop at the entity. Under section 58, where the offender is a company, a person who was a director, compliance officer, manager, secretary or otherwise responsible for management at the time can be charged alongside it, and is deemed guilty of the same offence and liable to the same penalty. The only way out is to prove the offence happened without their knowledge, or without their consent or connivance and that they exercised due diligence to prevent it.

That defence is built from evidence, and the audit is the evidence. A binder full of unimplemented policy will not discharge it. A documented programme of controls, tested and verified as operating, is exactly what due diligence looks like on the record.


What to do this quarter

  1. Confirm your designation date and count forward. The two-year clock runs from designation, not from the day the topic reached your agenda. Know how much of it is already spent.

  2. Map every control to the five audit criteria, then add one column. Mark each control as documented, then mark whether you hold evidence it is operating. The second column is the one the auditor grades.

  3. Identify and submit your auditor early. Approval needs thirty days, the chief auditor needs a verifiable Lead Auditor certification, and the team needs a member who knows your sector. Confirm all three before you commit to a date.

  4. Pre-test your highest-impact systems internally. Run a control-effectiveness and technical check before the formal audit, so findings surface where you can fix them rather than where they become a report to NACSA.

  5. Brief the board on section 58 and name an owner. The due-diligence defence is a standing obligation, not a once-every-two-years exercise. Decide now who is accountable for keeping the evidence current.

The two-year interval reads as generous. It is the part of the mandate most likely to mislead, because it measures the distance between the document and the running system on the single day the audit happens. CED No.8 was written to find that distance. Section 58 decides who answers for it, and the answer is already personal.

Disclaimer

This article is provided for general information and does not constitute legal advice. Statutory references reflect Act 854 and Chief Executive Direction No. 8 as published by the National Cyber Security Agency and the Attorney General's Chambers at the time of writing. Obligations, penalties and audit requirements may be amended, and their application depends on an entity's specific designation and circumstances. Organisations should confirm current requirements against the primary sources and obtain independent legal advice before acting.


Act 854 · CED No.8 — Audit Mandate FAQ

The Audit Mandate, answered: what the biennial NCII audit actually requires

Five questions every NCII entity, board and management team should be able to answer before an approved auditor arrives. Sourced from the Cyber Security Act 2024 and Chief Executive Direction No.8.

How often must the audit be conducted?

At least once every two years, counted from the date of designation, or more frequently if directed by the NACSA Chief Executive. This is separate from the cyber security risk assessment, which is conducted annually. The two-year clock runs from designation, not from when the obligation reaches the agenda.

What is compliance assessed against, and how?

Compliance is assessed and verified against five criteria: Act 854, its Regulations, the Chief Executive's directives, the entity's Code of Practice, and the sector Guidelines. The audit uses mandatory compliance-based and risk-based approaches, and may add control-based, technical testing, inspection and verification, and continuous improvement approaches. The technical lenses are what test whether a control operates, not merely whether it is documented.

Who may conduct the audit?

Only an auditor approved by the NACSA Chief Executive under section 22(1)(b) of Act 854. The appointment must be submitted at least thirty days before the audit, the chief auditor must hold a Lead Auditor certification with the required experience, and the team must include at least one member with technical expertise in the audited sector. The completed report is submitted to the Chief Executive within thirty days, with a copy to the sector lead.

What are the penalties for failing to comply?

Failing to conduct the assessment or audit, or to submit the report, can attract a fine of up to RM200,000, imprisonment of up to three years, or both, under section 22(7). Ignoring a direction from the Chief Executive, including a direction to rectify an insufficient report, can attract a fine of up to RM100,000 under section 22(8).

Can directors and managers be held personally liable?

Yes. Under section 58, a director, compliance officer, manager or person responsible for management can be charged alongside the entity and deemed guilty of the same offence, unless they prove the offence occurred without their knowledge, or without their consent or connivance and that they exercised due diligence to prevent it. The audit is the evidence that defence is built from. A documented control that does not operate will not discharge it.

AKATI SEKURITY

Sources: Cyber Security Act 2024 [Act 854], Laws of Malaysia; Chief Executive Direction No.8, National Cyber Security Agency (NACSA)