Implement ISG & NIS2 with ISMS according to ISO 27001: 6 key industries in focus

Author: Viviane Schweigert
Published: 20 October 2025
The new Information Security Act (ISG) and the NIS2 Directive are increasing responsibility for cyber resilience, particularly in mobility, health, operational technology (OT) systems, critical infrastructures, finance, and public authorities. An Information Security Management System (ISMS) based on ISO/IEC 27001:2022 establishes clear structures, measurably reduces risks, and promotes ongoing compliance. We clarify the requirements your industry must now meet and how to successfully implement the necessary measures.


The Information Security Act (ISG) is an important step towards strengthening cyber resilience. The ISG obliges federal authorities, third parties and operators of critical infrastructure to establish an information security management system (ISMS) and to report cyber attacks within 24 hours if they endanger the organization's ability to function and lead to serious consequences.

These regulations affect critical infrastructures such as hospitals, energy suppliers, transportation companies, many other sectors and federal authorities. The introduction of an ISMS in accordance with the international standard ISO/IEC 27001:2022 is recommended as best practice in order to meet the legal requirements and at the same time strengthen the trust of customers and partners.

| Sector | Legal basis | Core requirements | Recommended standards |
|---|---|---|---|
| Rail & Transportation | CySec-Rail, NIS2 | ISMS obligation, protection of control systems, emergency plans | ISO 27001:2022, IEC 62443 |
| Healthcare sector | ISG, cantonal requirements | Risk management, reporting obligation, protection of patient data, training | ISO 27001:2022 |
| Operational Technology | NIS2, ISG, IEC 62443 | OT security measures, integration into ISMS, documentation | ISO 27001:2022, IEC 62443 |
| Critical infrastructures | NIS2, ISG | ISMS obligation, audits, supply chain security | ISO 27001:2022, industry standards |
| Banks & insurance companies | FINMA, ISG | Risk management, protection of customer data, internal guidelines | ISO 27001:2022 |
| Public administrations | ISG | ISMS obligation, reporting obligation, public authority data protection | ISO 27001:2022 |


Rail & Transportation - Cybersecurity in rail transport

The CySec Rail Directive of the Federal Office of Transport (FOT) requires all railroad companies to introduce an ISMS. The directive is based on ISO 27001 and focuses on the protection of control, signaling and communication systems.

For Swiss companies operating in the EU or working with EU partners, the EU's NIS2 Directive also applies. This stipulates that operators of critical transport infrastructures must introduce an ISMS and report cyber incidents within 24 hours.

The core requirements:

  • Risk management to protect signal boxes, signaling systems and train control systems from cyber attacks.
  • Supply chain security through systematic review of the cyber security of suppliers and service providers.
  • Proof of compliance through ISO 27001 or IEC 62443.
  • Emergency plans! Development and regular review of emergency plans for cyber emergencies.

Healthcare sector - Protection of patient data and systems

The Information Security Act (ISG) stipulates that hospitals, pharmacies and nursing homes must introduce an ISMS. Cyberattacks that jeopardize functionality or lead to data leakage must be reported to the Federal Office for Cyber Security (BACS) within 24 hours.

The core requirements:

  • Risk management, conducting protection needs assessments for patient data, IT systems and medical devices.
  • Mandatory reporting! Establish clear processes for the 24-hour reporting obligation to the BACS.
  • Introduction of an ISMS in accordance with ISO 27001:2022 to meet compliance requirements and strengthen the trust of patients and partners.
  • Training and regular sensitization of employees to cyber security risks.

Operational Technology (OT) - Security for industrial control systems

The EU's NIS2 Directive and the Swiss ISG require operators of critical OT systems, such as energy supply and water treatment, to introduce an ISMS. Cyber attacks are subject to a 24-hour reporting obligation.

The international standard IEC 62443 serves as a reference for the security of industrial control systems and is recognized in Switzerland and the EU.

The core requirements:

  • OT security measures to protect control networks through access controls and regular security audits.
  • Integration of OT security into the higher-level ISMS (e.g. in accordance with ISO 27001:2022).
  • Mandatory reporting! 24-hour mandatory reporting of cyberattacks on OT systems.
  • Documentation! Seamless logging of all security incidents and measures.

Critical infrastructures - Energy, water, finance and digital infrastructure

The EU's NIS2 Directive and the Swiss ISG require operators of critical infrastructure to introduce an ISMS, carry out regular audits and report cyber incidents within 24 hours. The requirements apply to 18 critical sectors, including energy, water and digital infrastructure.

The core requirements:

  • Risk management: identification and assessment of risks to availability, integrity and confidentiality.
  • Certification according to ISO 27001:2022 or industry standards such as IEC 62443 for OT.
  • Supply chain security: systematic review of the cyber security of partners and suppliers.
  • Continuous improvement through regular review and adjustment of security measures.

Banks, insurance companies and public administrations: High standards for sensitive data

FINMA requires clear risk management guidelines for banks and insurance companies. The ISG obliges all federal authorities to introduce an ISMS and to report cyber attacks.

The core requirements:

  • Risk management to protect customer data, financial transactions and official information.
  • An ISMS in accordance with ISO 27001:2022 is recommended to demonstrate compliance with FINMA and ISG.
  • 24-hour reporting obligation!
  • Internal guidelines! Development and implementation of internal security guidelines.

ISMS according to ISO 27001:2022 as a strategic necessity

The requirements from ISG and NIS2 as well as the 24-hour reporting obligation are not only legal obligations, but also the key to a future-proof security strategy. An ISMS in accordance with ISO 27001:2022 is the gold standard and creates transparency, strengthens the trust of customers and partners and reduces supply chain risks in the long term. Those who combine information security (ISMS) and data protection (DSMS) in an integrated management system benefit from greater efficiency, clear processes and measurable compliance.

With InfoGuard as your partner, you gain both: legal certainty and resilience. Contact us: our specialists will support you in successfully implementing the measures required by law and will develop your security architecture further together with you.

Image: ISMS and DSMS (image generated with AI)
