In a world where cybercriminals are the new bank robbers and digital data is the new gold, ICT resilience is becoming increasingly important for businesses. What is behind the ICT minimum standard and why is it relevant for Swiss IT managers, data protection officers and CISOs? Let's jump in.
The ICT (Information and Communication Technology) minimum standard sets out the basic security requirements that organisations should implement to protect their infrastructure from cyber threats. It is primarily aimed at operators of critical infrastructure, but is also a valuable guide for other companies to improve their cyber security. The minimum ICT standard is published by the Swiss Federal Office for National Economic Supply FONES.
In addition to the ICT minimum standard, the Federal Office for National Economic Supply has developed further in-specific standards with a higher level of (technical) detail. Operators of critical infrastructures are a the detailed i-specific standards in addition to the ICT minimum standard.
The ICT Minimum Standard is based on the NIST Cybersecurity Framework and covers five core areas: Identify, Protect, Detect, Respond and Recover. Each area provides the user with a series of specific measures. In total, there are 108 actions described to help organisations improve their overall ICT resilience. For example, in the 'Protect' area, the use of encryption technologies at file and network level could be implemented to protect sensitive data.
Organisations and companies can use the self-assessment and the associated evaluation tool (Excel) provided to assess the implementation status of the measures themselves relatively quickly or to have them verified by external companies (audit). The results can be used as a basis for cross-organisational benchmarking.
To simplify the review, integrated control sets are available in tools such as fortControl, which help companies evaluate their security measures. These systems can help to systematically check compliance with minimum ICT standards and make targeted adjustments without additional effort.
A concrete example: Suppose your organisation uses a network that spans several departments. The ICT minimum standard recommends segmenting this network in such a way that a potential attack cannot bring down the entire company. Or take encryption: the ICT minimum standard states that sensitive data - such as customer data or financial information - should be encrypted both in transit and at rest to prevent unauthorised access.
In essence, the ICT Minimum Standard is like a basic cybersecurity insurance policy: it ensures that the company is protected against the most common and dangerous threats without being unnecessarily complicated.
Cybersecurity is a dynamic field, and while the ICT Minimum Standard provides a solid foundation, it is only a first step. Continuous monitoring and adaptation are essential. The standard should be used as a starting point for the development of a more comprehensive Information Security Management System (ISMS). In addition to the ICT Minimum Standard, there are already several internationally recognised standards for ICT security, such as ISO 27001 and COBIT.
The ICT minimum standard is not intended to compete with existing standards, but to be compatible with them, albeit with a reduced scope. It is intended to facilitate entry into the field while ensuring a high level of protection. As the threat landscape is constantly changing, organisations should conduct regular risk assessments and continuously adapt their defence-in-depth strategies, which include a layered security architecture, to new threats.
The minimum ICT standard is like basic hiking gear: it protects against the biggest dangers, but without constant vigilance, your organisation can still end up in unsafe territory. A recent example is the data theft at Xplain. A massive security breach resulted in a large amount of sensitive Swiss government data ending up on the darknet. This incident highlights the importance of not only having security measures in place, but also of regularly reviewing and refining them - particularly through targeted training and awareness-raising for employees, and by continually reviewing and updating emergency plans.
In Switzerland, we know how to celebrate precision - be it in the manufacture of watches or in the production of cheese with perfect holes. The ICT minimum standard should be implemented with the same precision. It should not be viewed as "just enough", but rather as "no less than necessary".
The minimum ICT standard is the starting point upon which a comprehensive security approach can be built and extended with other compatible standards. Organisations should also invest in advanced security measures to protect themselves from increasingly sophisticated cyber threats.
While the ICT minimum standard is an important first step, it is not enough to implement it once. To ensure sustainable protection, organisations should set up an Information Security Management System (ISMS) that continuously monitors risks and adapts security measures accordingly. The ICT minimum standard provides the necessary foundation on which organisations can build to consolidate their cyber security strategy for the long term.