NCII Cybersecurity Compliance
Two Obligations. One Partner. Complete Coverage.
Under Malaysia's Cyber Security Act 2024 (Act 854), organisations designated as National Critical Information Infrastructure (NCII) entities face a dual obligation: comply with mandatory cybersecurity requirements, and submit to independent external audits directed by NACSA. Failure on either front carries regulatory consequences.
AKATI Sekurity delivers both services — compliance implementation and NACSA-directed audit — under one roof. Whether you need annual risk assessments, Code of Practice alignment, 24/7 monitoring, or a qualified external audit team approved by the NACSA Chief Executive, we have you covered.
Two Requirements. Both Mandatory.
NCII entities must satisfy two distinct regulatory obligations under Act 854. AKATI Sekurity is qualified to deliver both — ensuring complete coverage with a single engagement partner.
Comply with Act 854
Implement the cybersecurity measures, risk assessments, incident response capabilities, and Code of Practice alignment mandated by the Cyber Security Act 2024.
- Annual cybersecurity risk assessments
- Penetration testing on critical systems
- Code of Practice alignment (ISO 27001, NIST)
- Incident response readiness & NACSA reporting
- Employee security awareness training
- 24/7 SOC monitoring & threat detection
External Audit per NACSA Direction No.8
Submit to an independent cybersecurity audit conducted by NACSA-approved auditors, covering compliance with Act 854, its Regulations, Directives, and sector-specific Guidelines.
- Audit at least once every two years (or more frequently as directed)
- Auditor must be approved by NACSA Chief Executive
- Mandatory compliance-based and risk-based audit approaches
- Optional control-based, technical testing, and inspection approaches
- Audit report submitted to NACSA within 30 days
- Covers Act 854, Regulations, Directives, Code of Practice, and Guidelines
Cybersecurity Compliance Services
These are the services your organisation needs to implement and maintain compliance with Act 854's cybersecurity requirements — from annual risk assessments to 24/7 protection.
Risk Assessments & Compliance Audits
Identify weaknesses across your network, systems, and operations. Perform penetration testing on critical systems, prepare NACSA-ready compliance reports, and provide prioritised remediation guidance.
- Cybersecurity risk assessment across IT and OT environments
- Penetration testing (VAPT) on critical infrastructure systems
- Compliance report prepared to NACSA's audit requirements
- Remediation guidance with prioritised action plan
- Submission of this compliance report to NACSA is mandatory for NCII organisations
Code of Practice Alignment
Align your cybersecurity policies with ISO 27001, NIST, and Malaysia's Cybersecurity Code of Practice. Review access controls, firewalls, and security policies. Conduct employee awareness training.
- Policy alignment with ISO 27001, NIST, and sector-specific Codes of Practice
- Access control, firewall, and security policy review
- Employee security awareness training (phishing, social engineering)
- Customised cybersecurity guidelines for manufacturing and industrial operations
- Gap analysis against Act 854's Code of Practice requirements
24/7 SOC Monitoring & Threat Detection
Continuous monitoring of your IT infrastructure, OT systems, and network security. AI-driven threat intelligence blocks attacks before they impact operations. Real-time alerts and weekly reports.
- 24/7 monitoring of IT infrastructure, OT systems, and network security
- Detection and response to unauthorised access, malware, and suspicious activity
- AI-driven threat intelligence with automated blocking
- Real-time alerts and weekly security reports on attempted intrusions
- Regulatory requirement for NCII organisations to maintain proactive security
Incident Response & Breach Handling
Immediate cyber breach investigation and containment. Forensic analysis, legal and regulatory reporting to NACSA, and system restoration after ransomware or data leaks.
- Immediate breach investigation, containment, and eradication
- Digital forensic analysis to determine attack root cause
- Mandatory NACSA incident reporting assistance
- Compromised system restoration and data recovery
- Post-incident review and security hardening recommendations
NACSA-Directed External Audit
Under Direction No.8, NCII entities must engage approved auditors to conduct cybersecurity audits covering the prescribed audit approaches (two mandatory, four optional). AKATI Sekurity is qualified to perform these assessments.
What the Audit Covers
The audit verifies compliance of NCII entities and their infrastructure with Act 854, its Regulations, Chief Executive's Instructions, Code of Practice, and sector-specific Guidelines.
- Compliance with Cyber Security Act 2024 (Act 854)
- Regulations under Act 854 (P.U.(A) 219–222/2024)
- Instructions of the Chief Executive of NACSA
- Code of Practice issued for the relevant NCII sector
- Sector-specific Guidelines issued by sector heads
- Audits at least once every two years from NCII designation date
Audit Approaches
Direction No.8 prescribes two mandatory approaches and four optional approaches. AKATI Sekurity's audit methodology integrates all six to deliver comprehensive assurance.
- Mandatory: Compliance-Based Approach — verifying adherence to Act 854, Regulations, Directives, and Codes of Practice
- Mandatory: Risk-Based Approach — assessing threats, vulnerabilities, and impacts on NCII entities
- Optional: Control-Based Approach — evaluating effectiveness of security controls in place
- Optional: Technical Testing-Based Approach — detecting security weaknesses through technical methods
- Optional: Inspection and Verification Approach — reviewing documentation, interviews, and records
- Optional: Continuous Improvement-Oriented Approach — improving systems even where no non-compliance is found
Audit Implementation Procedure
NACSA prescribes a formal procedure for auditor appointment, engagement, and report submission. AKATI Sekurity manages this process end-to-end on your behalf.
- NCII entity identifies qualified auditors to carry out the audit
- Auditor information submitted to NACSA Chief Executive for approval (Appendix 1 or 2)
- Approval application submitted at least 30 days before audit commencement
- Approved auditor signs NDA with the NCII entity before conducting audit
- Auditor presents findings, obtains entity confirmation, and prepares audit report
- Audit report submitted to NACSA Chief Executive within 30 days of completion
Audit Report Requirements
The audit report must cover 11 mandatory sections as specified in Direction No.8 — from entity identification through to improvement opportunities and the signed formulation of the compliance level.
- NCII entity information (name, address, contact details)
- Critical national information infrastructure inventory
- Audit date, period, objectives, scope, and approach
- Executive summary of findings, risks, and impact assessment
- Detailed audit findings with evidence and root cause analysis
- Improvement opportunities and remediation recommendations
- Formulation of compliance level — signed by chief auditor and NCII entity
Audit Timeline Obligations
Direction No.8 prescribes strict timelines for auditor approval, audit execution, and report submission. Missing these deadlines puts your NCII compliance at risk.
Pre-Audit Approval
Auditor appointment application must be submitted to NACSA Chief Executive at least 30 days before the audit is carried out.
Pre-Audit Agreement
Approved auditor must sign a Non-Disclosure Agreement with the NCII entity before conducting any audit activities.
Audit Frequency
Audits must be conducted at least once every two years from NCII designation, or at higher frequency as directed by NACSA.
Report Submission
Audit report must be submitted to NACSA Chief Executive within 30 days of audit completion, with a copy to the NCII sector head.
Choose Your Compliance Path
Whether you need annual compliance services, continuous protection, or both — AKATI Sekurity offers structured packages that cover both parts of your NCII obligations: compliance implementation and the NACSA-directed external audit.
Annual Compliance
Regulatory compliance + external audit
- Cybersecurity risk assessment & audit
- Penetration testing (VAPT)
- Code of Practice alignment
- Employee security training
- NACSA-directed external cybersecurity audit
- Compliance report to NACSA within 30 days
Full Cyber Defence
Compliance + audit + 24/7 protection
- 24/7 Security Operations Centre (SOC)
- Continuous threat monitoring & alerts
- 24/7 incident response & recovery
- NACSA incident reporting assistance
- Monthly security posture reports
One Partner for Both Obligations
Most NCII entities will need to engage separate firms for compliance implementation and external audit. AKATI Sekurity is qualified to deliver both — reducing coordination overhead, cost, and risk.
Dual Capability
Compliance consulting and NACSA-directed audit under one roof. Single team, single evidence pack, zero coordination delays.
NCII Sector Expertise
Deep experience across finance, healthcare, telecommunications, energy, and government — the sectors most impacted by Act 854.
Certified & Independent
QSA, ASV, CREST, and ISO 27001 certified. Our auditors meet all qualification requirements specified in Direction No.8.
Minimal Disruption
Compliance and audit designed around your operational cycles. Critical infrastructure doesn't stop — and neither should your business during assessment.
Secure Your NCII Compliance
Act 854 is in effect. Direction No.8 is enforceable from 17 July 2025. If your organisation has been designated as NCII, the time to act is now. Contact AKATI Sekurity for a consultation covering both compliance and audit obligations.