Why access to critical infrastructure is increasingly part of audits
Government tenders and audits increasingly require demonstrable control over who has access to critical infrastructure. Not just on paper, but in day-to-day operations.
Public and semi-public projects in industry and energy continue to grow in scale. With that growth comes increased responsibility to show that vital processes, installations and systems are protected against both internal and external risks. Critical infrastructure extends beyond IT alone. It also includes physical locations, operational technology and roles that directly affect safety and continuity.
The focus is increasingly shifting from trust to accountability.
What auditors really want to see today
Audits related to government tenders have changed fundamentally in recent years. Where the focus once lay on the existence of procedures, attention is now on how those procedures function in practice.
Auditors want to see not only that access is controlled, but also who had access to critical locations, systems or functions, on what basis that access was granted, whether this assessment is reviewed periodically and how this is demonstrably documented.
This explicitly includes temporary staff, contractors and external parties, on whom organisations in the industry and energy sectors are increasingly dependent.
In sectors where safety, continuity and public interest come together, such as organisations comparable to Vattenfall, Brabant Water and Eneco, it is no longer sufficient to refer to contracts or general guidelines. What matters is whether you can consistently and demonstrably show that only reliable individuals are granted access to critical parts of the operation.
This is precisely where many organisations encounter difficulties in practice.
From procedure to proof
Policy documents are not evidence. Auditors are looking for traceability over time. Decisions must be reproducible and based on documented criteria, not on assumptions or informal explanations.
Why “we have documented it” is no longer sufficient
In practice, access information is often fragmented across systems, departments and files. Overviews are maintained manually and are rarely up to date. As a result, organisations lack a central and reliable overview of who had access to critical infrastructure and when.
The greatest vulnerability: external access and temporary staff
The greatest audit risk arises with contractors, temporary workers and external suppliers.
Due to ongoing shortages of technical staff, organisations increasingly rely on external parties. Multiple partners may operate simultaneously within a single project or location. Access is often granted quickly to avoid operational delays, while control and periodic reassessment frequently lag behind.
Legislation and tender requirements: what is implicitly expected of organisations
Legislation and regulations do not always explicitly mandate screening, but they do implicitly require demonstrable reliability of individuals in critical roles.
Organisations must be able to show that access to critical functions is based on predefined reliability requirements and that this assessment is current and repeatable. Demonstrating this is increasingly becoming part of audits and tender requirements.
Concrete audit criterion (example)
Can you substantiate that individuals with access to critical infrastructure have been assessed for reliability and that this assessment is repeated periodically?
The question that returns in every audit
Can you demonstrate today who had access to your critical infrastructure over the past twelve months, and why?
Is this insight centrally available? Is it up to date? And does this also apply to temporary staff and external parties?
Why this often fails in practice
The issue is rarely unwillingness, but rather the absence of a structural approach to screening and reassessment.
Screening is often treated as a one-off step at the start of employment. Insufficient distinction is made between critical and non-critical roles, and access is not linked to demonstrable reliability. This creates vulnerabilities that only become visible during an audit.
Looking ahead
In the next articles, we will take a deeper look at insider risk, critical roles and how organisations can structure this in a sustainable way without slowing down operations.