With the Information Security Act* (Informationssicherheitsgesetz, ISG) coming into force on January 1, 2024, Switzerland set new standards for securing information and infrastructure. The law introduces comprehensive changes in the field of cybersecurity, strengthens the security of information and infrastructure at several levels, and improves cyber resilience in general. The ISG applies to federal authorities as well as to private companies whose activities are significant for the security of the Confederation. A particular focus is on operators of critical infrastructure. This article provides an overview of the main changes and requirements that the ISG brings.
*Unfortunately, the article is only available in German, French and Italian.
Table of contents
- Objective of the Information Security Act (ISG)
- Who is Affected by the Information Security Act (ISG)?
- Regulations and Supplementary Provisions
- Requirements for Affected Parties
- Mandatory Reporting of Cyberattacks on Critical Infrastructures
- Future Developments and Outlook
- Consultation and Support from Oneconsult
Objective of the Information Security Act (ISG)
The ISG aims to improve cybersecurity in Switzerland in a lasting way. By raising security standards, the law seeks above all to strengthen resilience against cyberattacks and the ability to respond to security incidents. Specific security requirements and strict reporting obligations are also intended to make the handling of cybersecurity more transparent and more effective.
Who is Affected by the Information Security Act (ISG)?
The law applies not only to all federal authorities and organizations, but also to cantons, national and international partners, and private companies that support the Confederation in fulfilling its tasks.
Operators of critical infrastructure are particularly affected. These are operators of infrastructures whose failure or disruption would have a significant impact on national security or on the economic and social welfare of Switzerland.
In short, it affects:
- All federal authorities and organizations as well as cantonal authorities
- Private companies working on behalf of the Confederation or subject to its security requirements
- Operators of critical infrastructure in the areas of:
- Energy
- Supply
- Waste management
- Information and Communication
- Food
- Finance
- Health
- Transport
Regulations and Supplementary Provisions
The ISG sets out rules on Information Security Management Systems (ISMS), reporting obligations, and cybersecurity in general. In addition to the main legal framework, the ISG is supported by four implementing ordinances that establish specific rules and requirements:
- Information Security Ordinance (Informationssicherheitsverordnung, ISV): The ISV replaces previous regulations and requires federal offices to implement an Information Security Management System (ISMS) to ensure the protection of classified information as well as IT security; cantons must meet equivalent standards if they access federal data.
- Ordinance on Personnel Security Checks (Verordnung über die Personensicherheitsprüfungen, VPSP): The VPSP regulates personnel security checks to assess security-related risks posed by individuals in sensitive security roles and expands the scope of collected data, while remaining limited to genuinely security-critical activities.
- Ordinance on the Operational Security Procedure (Verordnung über das Betriebssicherheitsverfahren, VBSV): The VBSV replaces the old Confidentiality Protection Ordinance and ensures that security-sensitive contracts are awarded only to trustworthy companies, which can be audited while the contract is being performed.
- Ordinance on Identity Management Systems and Directory Services of the Federal Government (Verordnung über Identitätsverwaltungs-Systeme und Verzeichnisdienste des Bundes, IAMV): The IAMV is being adjusted to enable a unified login service for e-government services at all federal levels.
These ordinances are an important step in implementing the Information Security Act in practice. They establish a clear framework for affected organizations to ensure that they process sensitive information securely and adequately protect their IT infrastructures.
Requirements for Affected Parties
All authorities, organizations, and companies subject to the Information Security Act (ISG) must meet extensive requirements due to the comprehensive nature of the law and its implementation regulations. The multitude of measures and provisions makes it challenging to keep track. Below are some of the essential points that need to be considered:
- Information Security Management System (ISMS): Affected authorities, organizations, and companies are obligated to introduce, operate, and maintain an ISMS. It provides for the systematic identification, assessment, and treatment of information security risks and ensures that security measures are regularly reviewed and improved. The ISMS itself must also be reviewed every three years.
- Documented Guidelines: Affected authorities, organizations, and companies must have written, documented guidelines for handling information security and risks.
- Security Procedures to Ensure Information Security: For every deployed and relevant IT resource, a security procedure must be in place to ensure information security. Each IT resource must be assigned one of three security levels (basic protection, high protection, very high protection); each level corresponds to a set of minimum requirements for security measures.
- Inventory of Protected Assets: It is necessary to maintain a complete inventory of protected assets, which is created based on protection needs analyses. This inventory must also include the risk assessment for each protected asset, the assigned responsibilities, and the results of periodic audits.
- Risk Assessment and Measures: An ongoing and verifiable risk assessment is necessary. This serves to identify and evaluate threats and vulnerabilities in order to protect information from unauthorized access, loss, disruption, or misuse. Based on this assessment, companies must take appropriate measures to minimize the identified risks. These measures should be regularly reviewed and adjusted as needed.
- Regular Training and Awareness: Employees must undergo regular training and awareness programs to develop a strong understanding of information security. These training sessions should cover topics such as the secure handling of sensitive information, appropriate behavior in the event of a suspected security incident, and compliance with security policies.
- Planning of Assessments and Audits: Affected authorities, organizations, and companies must plan and conduct regular assessments and audits to verify compliance with information security requirements.
The points mentioned are just a subset of the requirements that are binding for affected authorities, organizations, and companies under the Information Security Act (ISG) and its regulations. Further information can be found in the press release* and the linked documents from the federal government.
*Unfortunately, the press release is only available in German, French and Italian.
Mandatory Reporting of Cyberattacks on Critical Infrastructures
The Information Security Act (ISG) requires operators of critical infrastructures to report cyberattacks. This reporting obligation enables the authorities to respond more quickly to security incidents and to take appropriate measures. The reporting provisions were added to the ISG after the main act and enter into force on April 1, 2025; from then on, reports must be made to the Federal Office for Cyber Security (BACS, formerly NCSC) within 24 hours of discovering the attack. For affected companies, this means they must establish an efficient reporting process, with clear internal communication channels and defined responsibilities, so that they can detect an incident, classify it as reportable, and submit the report within that deadline.
Future Developments and Outlook
The Information Security Act (ISG) is expected to evolve in the coming years to address the growing threat landscape in the digital realm. Future adjustments and additional regulations may be designed to meet the specific needs of various industries, enhancing their security and resilience. For companies, this means that ongoing monitoring and adaptation to new standards will be necessary to remain compliant in the long term and ensure comprehensive protection.
Consultation and Support from Oneconsult
Leveraging our extensive experience with government agencies and operators of critical infrastructure, we are well-positioned to assist you in fulfilling the requirements of the Information Security Act (ISG).
- Situation Analysis: Oneconsult supports you in assessing the current situation and developing a plan to meet the requirements of the Information Security Act (ISG) and its associated ordinances.
- Establishment of an Information Security Management System (ISMS): Oneconsult can assist you in building an ISMS or reviewing and improving your existing ISMS.
- Planning and Conducting Security Tests and Audits: Our Penetration Testing Services cover a wide range, including application testing, network/security infrastructure testing, client/server infrastructure testing, cloud security testing, and IoT & OT security testing.
- Risk Assessment and Measures: With professional Vulnerability Management, you can better identify, evaluate, and address vulnerabilities in IT systems.
- Implementation of Processes: Our cybersecurity consultants and coordinators support you in implementing the processes required for legally compliant and secure operations.
- Training and Awareness: Our Cybersecurity Academy is your trusted partner for comprehensive IT security training.