Failing a NERC CIP audit can lead to a hefty fine
The North American Electric Reliability Corporation (NERC) has been the governing body of the North American electric grid since 1996. One of the many things NERC does is to require all electric utilities to comply with the CIP (Critical Infrastructure Protection) standards.
CIP standards require organizations to protect their systems and data from unauthorized access, to provide for recovery from cyber attacks, and to be able to demonstrate compliance to NERC auditors.
CIP audits are an important part of maintaining NERC compliance, and organizations that fail to pass these audits may be subject to hefty fines. The biggest challenge in clearing a CIP audit is ensuring that all NERC compliance requirements are fully understood.
Here are some important tips to help you prepare for a NERC CIP audit hassle-free.
Have a look.
Understand What You Need To Do
There are two basic standards from NERC you need to understand. These are:
- CIP-001-4: Assessment
- CIP-002-4: Protection
Moreover, to ensure compliance, the auditor will check evidence provided by the Facility Operator. This will typically involve reviewing the Facility Operator’s records and performing walk-through inspections of the facility. The auditor will also look for evidence that the operator has correctly implemented the requirements in the relevant standard.
Check Your Reliability Standard Audit Worksheets (RSAWs)
A NERC CIP audit involves many unique audit documents, each serving a different purpose. One of these, the Reliability Standard Audit Worksheet (RSAW), is used to help auditors prepare for their annual visits.
Unlike the documents used in the pre-assessment phase of an audit (e.g., qualification of auditor, audit planning), the RSAW greatly helps the auditors assess whether or not you are compliant with the CIP Standards.
Pay Attention To The Information Security Program Documentation
As part of the NERC compliance audit program, audit teams review documentation to ensure compliance. One of the areas typically reviewed is the information security documentation. The audit team will first look at a summary of the information security program, including the security objectives and policies.
If the audit team identifies gaps or weaknesses in the program documentation, they will request additional documentation to be provided. The request is written in a non-confrontational manner and is used to ensure that the program documentation is clear and compliant with NERC regulations.
Mock Audit Interviews
Audit interviews help operators achieve the highest level of cyber resilience. A NERC CIP audit is a review of the security controls implemented by the operator. The objectives of the audit include:
- The evaluation of controls in place.
- The verification of compliance.
- The detection and prevention of cyber incidents.
For example, if you are an SME working on a Cyber Incident Response Plan (CIRP), your auditor might ask you to walk through the entire process. A good way to prepare for this is to make yourself a flowchart that starts with the top-level CIP objective and works its way down to incident response procedures.
When your auditor asks you to walk them through the CIRP, they will likely ask you questions in each of the following areas:
- What is the Incident Response Plan (IRP)?
- What is the purpose of the IRP?
- How is the IRP organized?
- How does the IRP relate to other
The better you are prepared with the answers, the quicker you will get your certifications renewed by the NERC.
Seek Professional Help
A NERC CIP Audit often involves many processes and tools. A lot of things can go wrong if you don’t follow the steps properly. It is always advisable to leverage expertise from professionals like Proven Compliance Solutions to ensure you do not get into legal issues with the audit.
The NERC CIP Audit is one of the most well-known and highly respected certifications. It is required by many organizations to stay updated.
Take cues from the above tips to ensure a hassle-free NERC CIP audit.