Previously, organisations could rely on policies and internal procedures. Today, auditors expect something different: documentation that demonstrates these procedures actually work in practice. The question is no longer whether rules exist, but whether the organisation can show that they are effective.
This raises a central question: can you demonstrate, at any time, who has or has had access to your critical infrastructure – and why?
Why access to critical infrastructure is part of audits
Public procurement and audits are placing increasing demands on clear control over who has access to critical infrastructure – not just on paper, but in day-to-day operations.
Within the industrial and energy sectors, public projects continue to grow in scale. With that growth comes a greater responsibility to demonstrate that vital processes, facilities, and systems are protected against both internal and external risks. Critical infrastructure is therefore not just about IT; it also includes physical locations, operational technology, and the roles that directly affect safety and operational continuity.
Auditing and control of critical functions
Audits in the industrial and energy sectors have changed fundamentally in recent years. Where the focus once was on the mere existence of procedures, attention is now on how they are applied in practice. The EU NIS2 Directive and the Swedish Security Protection Act require organisations to demonstrate to auditors that access to sensitive functions, systems, and environments is managed in a controlled and transparent manner.
Organisations in the industrial and energy sectors are increasingly reliant on temporary staff, contractors, and external parties, all of whom are also subject to access control and monitoring requirements. What truly matters is whether the organisation can consistently and clearly demonstrate that only trusted individuals are granted access to critical parts of the operation – including employees, contractors, and other external actors.
From Procedures to Continuous Controls
Having policy documents alone is no longer enough to demonstrate compliance. Auditors now expect traceability over time. Decisions about access must be clearly documented, showing how and why they were made. Assumptions or informal agreements are no longer sufficient.
“We have documented it” is no longer enough
In practice, access information is often fragmented across systems, departments, and files. Overviews are managed manually and are rarely up to date. As a result, organisations lack a central and reliable view of who has or had access to critical infrastructure and when.
The Greatest Vulnerability: External Parties and Temporary Staff
The highest audit risks often involve contractors, temporary workers, and external suppliers. Ongoing shortages of skilled personnel mean that organisations increasingly rely on external parties. Multiple actors may work simultaneously on the same project or at the same location. Access is frequently granted quickly to avoid operational delays, while control and regular reassessment often lag behind.
Legislation and Regulatory Expectations: What Organisations in Sweden Need to Demonstrate
Legislation and regulations do not always explicitly mandate specific background checks, but they place clear requirements on the reliability of people in critical roles and on ensuring that access to sensitive functions, systems, and environments is properly controlled.
In Sweden, this is primarily covered by the Security Protection Act (SFS 2018:585), which requires organisations conducting security-sensitive operations to assess individuals before they are granted access to sensitive functions, systems, or information. The requirements vary with the role and level of responsibility: the greater the access and responsibility, the stricter the check. Assessments must be carried out not only at the start of employment but also when roles, responsibilities, or access levels change.
At the EU level, the NIS2 Directive raises requirements for risk management, governance, and accountability in organisations classed as essential or important entities. Such organisations need to be able to show that access to systems, networks, and other critical infrastructure is controlled and documented over time, not only at the moment it is granted.
Key Questions Organisations Need to Address
Organisations need to be able to answer central questions regarding access to critical infrastructure and the reliability of those with access – both internal staff and external parties. Key questions include:
- Which roles have access to critical functions, systems, and environments – and what reliability requirements apply to each role?
- How are access decisions documented, and how do we ensure these assessments are updated when roles, responsibilities, or access levels change?
- Is there a central and up-to-date overview of who has or had access in recent months?
- Are temporary staff, contractors, and other external parties included in the same access and reassessment requirements?
In practice, organisations rarely fail because of unwillingness. The issue is usually the lack of a structured approach to assessment and follow-up. Background checks are frequently treated as a one-off step during recruitment, with too little differentiation between critical and non-critical roles. Access is not always linked to a documented reliability assessment, which creates gaps that often only become visible during an audit.
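The questions above can be answered from data rather than from memory if the access register records who was granted what, why, when it was last reassessed, and (for external parties) when the contract ends. The following is an added example, not code from the original article or from any product it describes: a minimal point-in-time access review over a constructed register. The names, systems, ticket references and the reassessment intervals are assumptions made for illustration; the policy intervals in particular would come from your own security protection analysis.

```python
# Added example (not from the original article): a minimal point-in-time access
# review over a constructed access register. It answers the audit questions above
# from data: who had access to what on a given day, and which active grants lack a
# documented decision, are overdue for reassessment, were not reassessed after a
# role change, or outlive a contractor's contract.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy: maximum days between reassessments, per role criticality.
REASSESS_INTERVAL_DAYS = {"critical": 365, "standard": 730}


@dataclass(frozen=True)
class Grant:
    person: str
    employer: str                  # "internal" or the contractor's company
    system: str
    criticality: str               # "critical" or "standard"
    granted: date
    revoked: Optional[date]        # None while the grant is still active
    justification: str             # decision/ticket reference; "" if none recorded
    last_assessed: Optional[date]  # date of the latest reliability assessment
    contract_end: Optional[date]   # contractors only; None for internal staff


@dataclass(frozen=True)
class RoleChange:
    person: str
    changed: date


def active_on(grants, day):
    """Grants in force on `day`: granted on or before it and not yet revoked."""
    return [g for g in grants if g.granted <= day and (g.revoked is None or g.revoked > day)]


def access_on(grants, system, day):
    """Who had access to `system` on `day` (the 'who had access, and when' question)."""
    return sorted({g.person for g in active_on(grants, day) if g.system == system})


def review(grants, role_changes, today):
    """Return (person, system, finding) for every active grant that fails a control."""
    findings = []
    for g in active_on(grants, today):
        if not g.justification:
            findings.append((g.person, g.system, "no documented access decision"))
        if g.last_assessed is None:
            findings.append((g.person, g.system, "never assessed"))
        else:
            if (today - g.last_assessed).days > REASSESS_INTERVAL_DAYS[g.criticality]:
                findings.append((g.person, g.system, "reassessment overdue"))
            if any(rc.person == g.person and rc.changed > g.last_assessed for rc in role_changes):
                findings.append((g.person, g.system, "role changed since last assessment"))
        if g.contract_end is not None and g.contract_end < today:
            findings.append((g.person, g.system, "contract ended, access still active"))
    return findings


# Constructed sample register; people, employers, systems and ticket IDs are made up.
GRANTS = [
    Grant("Anna", "internal", "SCADA-HMI", "critical", date(2023, 1, 10), None, "CHG-1042", date(2024, 9, 1), None),
    Grant("Bo", "ElKraft AB", "Substation-RTU", "critical", date(2024, 11, 1), None, "CHG-1190", date(2024, 11, 1), date(2025, 3, 31)),
    Grant("Cilla", "internal", "Ticketing", "standard", date(2022, 5, 1), None, "", date(2023, 1, 10), None),
    Grant("Dan", "ElKraft AB", "SCADA-HMI", "critical", date(2024, 1, 15), date(2025, 1, 31), "CHG-1077", date(2024, 1, 15), date(2025, 6, 30)),
]
ROLE_CHANGES = [RoleChange("Anna", date(2025, 2, 15))]  # Anna moved to a new role in February
SAMPLE_DAY = date(2024, 12, 1)  # a past date an auditor might ask about
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    print("SCADA-HMI access on", SAMPLE_DAY, ":", access_on(GRANTS, "SCADA-HMI", SAMPLE_DAY))
    for person, system, finding in review(GRANTS, ROLE_CHANGES, TODAY):
        print(f"{person:6} {system:15} {finding}")
```

Run as-is, the review flags Anna's grant (role changed after her last assessment), Bo's grant (contract ended in March, access still active in June), and Cilla's grant twice (no recorded decision, and a standard-role reassessment that is more than two years old); Dan's revoked grant produces no finding but still appears in the December answer, which is the traceability over time that auditors ask for.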
Want to learn more?
Do you want to learn more about insider risk, critical roles, and how organisations can structure their processes sustainably without disrupting operations?