Malaysia legislation
Section 21
Cyber Security 23
(2)
Notwithstanding subsection (1), the national critical information infrastructure entity may implement any alternative measures, standards and processes if the national critical information infrastructure entity proves to the satisfaction of the Chief Executive that the alternative measures, standards and processes provide equal or higher level of protection to the national critical information infrastructure owned or operated by the national critical information infrastructure entity.
(3)
A national critical information infrastructure entity may, in addition to the measures, standards and processes referred to in subsection (1) or (2), establish and implement the measures, standards and processes on cyber security based on internationally recognized standards or framework.
(4)
Where a national critical information infrastructure entity implements measures, standards and processes to ensure the cyber security of the national critical information infrastructure owned or operated by the national critical information infrastructure entity as required under any other written law, the national critical information infrastructure entity shall be deemed to have complied with this section provided that such measures, standards and processes are not in contravention with the code of practice.
(5)
Any national critical information infrastructure entity which contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or to both.
Duty to conduct cyber security risk assessment and audit