Preface
Management Summary
Digitalisation demands defensive action
This Minimum ICT Standard serves as a recommendation and
potential guide to improving ICT resilience. It is aimed in particular
at operators of critical infrastructures, but is essentially applicable
to any business or organisation, and is freely available.
Increasing levels of IT penetration and networking in almost all
areas of life open up both economic and social potential that
a highly developed and industrialised nation like Switzerland
cannot fail to act upon. At the same time, however, increasing
digitalisation also gives rise to new threats to which we must
respond quickly and decisively. The particular danger of targeted
cyber attacks on IT infrastructures affects public-sector bodies,
operators of critical infrastructures, and other businesses or
organisations to the same degree.
These individual businesses and organisations have a fundamental responsibility to protect themselves. However, wherever the
functioning of critical infrastructures is affected the state also
has a responsibility, based on its remit as laid down in the Federal
Constitution, and on the National Economic Supply Act. This
Minimum ICT Standard is an expression of the responsibility of
the state to protect its citizens, its economy, and its institutions
and public administrations.
The Minimum ICT Standard comes into play in those areas in
which a modern society can least afford outages: in those ICT
systems that are important to the functioning of critical infrastructures. It is recommended that operators of critical infrastructures apply this Minimum ICT Standard or comparable
requirements (e.g. ISO, COBIT, etc.). This document nonetheless
offers any interested business or organisation a guide and specific
instructions for action to improve its own ICT resilience.
The Minimum ICT Standard is aimed in particular at ICT officers
and members of the senior management of the operators of
critical infrastructures.
This document is structured into three sections:
1. Background information: this part serves as a reference
work and is intended to give readers a basic knowledge
of ICT security.
2. Framework: the ‘Framework’ section gives users a set of
specific activities to implement. These are structured under
five headings: ‘Identify’, ‘Protect’, ‘Detect’, ‘Respond’ and
‘Restore’. A total of 106 activities are set out here.
3. Assessment: businesses and organisations can use the
‘Assessment’ section and the associated scoring tool in
Excel to evaluate their progress with implementing the
measures, or have this progress audited by an external
company. The findings can be used as a basis for benchmarking across organisations.
Minimum ICT standard 2018