Security Service of Georgia shall submit the draft ordinance to the Government of Georgia for approval. The list shall be compiled according to the following criteria: the gravity and scale of the potential consequences of a malfunction or failure of an information system; the gravity of the expected economic losses for information system subjects and/or the State; the necessity of the services delivered by the information system for the normal functioning of society; the number of users of the information system; the material standing of the subject concerned; and the amount of the estimated costs incurred as a result of the liabilities imposed by this Law.

3. This Law shall not apply to mass media, the editorial offices of publishing houses, scientific, educational, religious and public organisations, or to political parties, regardless of the importance of their activities to national defence and/or economic security and to the maintenance of state authority and/or public life.

4. Any legal person or public authority that is not a critical information system subject may voluntarily assume the obligations deriving from this Law.

5. This Law shall not apply to any action that aims to test information security and has been permitted in advance by the consent of the critical information system subject.

6. The provisions of this Law shall not affect the application of the norms provided for by the legislation of Georgia governing freedom of information, personal data processing, and the protection of state, commercial and private secrets.

Law of Georgia No 1250 of 20 September 2013 – website, 1.10.2013
Law of Georgia No 1829 of 24 December 2013 – website, 28.12.2013
Law of Georgia No 3933 of 8 July 2015 – website, 15.7.2015

Chapter II - Organisation and Provision of Information Security

Article 4 - Rules for information security

1. A critical information system subject shall be obliged to adopt internal rules for information security that serve to enforce the provisions of this Law and define the information security policy of the entity concerned.

2. The information security policy shall meet the minimum requirements for information security (based on the criticality classification of the critical information system subject) defined by the Data Exchange Agency in accordance with the standards and requirements laid down by the International Organization for Standardization (ISO) and the Information Systems Audit and Control Association (ISACA).

3. The critical information system subject shall submit the internal rules for information security adopted pursuant to the first paragraph of this article to the Data Exchange Agency for review. The Data Exchange Agency shall also be notified of any changes made to the internal rules for information security. The Data Exchange Agency shall carry out a general analysis of the documents so submitted and present recommendations for eliminating any deficiencies identified.

4. Apart from the documents set forth under the third paragraph of this article, the Data Exchange Agency shall have no access to the information or information assets of the critical information system subject, unless the critical information system subject voluntarily grants the Data Exchange Agency access to that information and those information assets.

Law of Georgia No 1829 of 24 December 2013 – website, 28.12.2013

Article 5 - Information Asset Management

1. Under the internal rules provided for by Article 4(1) of this Law, a critical information system subject shall take an inventory of its information systems in order to keep a record of all information assets. As a result, each information asset shall be assigned the respective criticality class: confidential or for internal use. All other information assets that do not require classification shall be considered open information.

2. The inventory of information assets shall result in a description of all information assets according to their significance, value, and current level of security and protection.

3. When creating an information asset, the creator of the asset and/or the person responsible for the asset shall determine its criticality class.

4. The Data Exchange Agency shall lay down the rules for information asset management by a normative act, in particular the rules for their inventory, classification, availability, issuance (publication), change and destruction, except for the rules by which the General Administrative Code of Georgia defines access to public information.

Article 6 - Information security audit and information systems testing

1. With the consent of the critical information system subject, the Data Exchange Agency, or a person or organisation selected by the critical information system subject from among the persons authorised by the Data Exchange Agency, shall assess the compliance of the internal rules for information security (information security policy) with the minimum security standards established by the Data Exchange Agency (information security audit). After the audit, a report shall be drawn up. The requirements laid down in the report shall be fulfilled.

2. The Data Exchange Agency shall lay down the rules for conducting the information security audit referred to in the first paragraph of this article by a normative act.

http://www.matsne.gov.ge 14000000005001016807
