Internal Control regulations regarding ICT safety and security can pose a specific challenge for the safety and security managers in electric power supply network companies because of the complexity of the ICt systems. It is difficult to establish a complete system description of these complex systems.(Rundmo,1996), which can make it hard to identify successful attacks and their consequences and develop comprehensive defense for all the relevant threats. The scale and complexity of the AMI and smart Grid , along with its increased connectivity and automation, will make risk regulation of this area particularly challenging. These high complexity systems have tight coupling of their components and processed. the fast paced technological change, the invisibility of the material processes, the lack of overview, and the problems in sense making, contribute to a sense of uncertainty, uncontrollability, and unpredictability regarding the risk problems connected to there ICT systems. Most of the network companies lack expert knowledge in this area, which increases the need for more detailed prescriptive regulations.