Federal Act on Information Security in the Confederation (FAISC)
Reto Steinmann
Head of Consulting

The new Information Security Act of the Federation concerns (almost) everybody

On 8 November 2023, the Federal Council decided to bring the Information Security Act (FAISC) and its four implementing ordinances into force on 1 January 2024. The four ordinances are:

  • Information Security Ordinance (ISO)
  • Ordinance on Security Checks on Persons (VPSP)
  • Ordinance on the Company Security Procedure (VBSV)
  • Ordinance on Federal Identity Management Systems and Directory Services (IAMV)

With the FAISC and its implementing ordinances, the following ordinances are repealed:

  • Cyber Risks Ordinance (CyRV from 27 May 2020)
  • Information Protection Ordinance (IPO from 4 July 2007)

 

Obligation to report cyber attacks on critical infrastructures (Source: DDPS)

On 29 September 2023, Parliament passed an amendment to the Information Security Act (FAISC) that introduces a reporting obligation for cyber attacks on critical infrastructures.
This reporting obligation is not yet in force: implementing provisions must first be drawn up. The Federal Council is expected to hold a consultation on these in the first half of 2024. Current planning is for the reporting obligation to come into force on 1 January 2025.

 

The Information Security Act (FAISC) at a glance

The aim of the Act is, on the one hand, the secure processing of information for which the Confederation is responsible, and, on the other hand, the secure use of the Confederation’s IT resources. The FAISC obliges not only the federal authorities, but also cantonal authorities and private-law companies that support the Confederation in the fulfilment of its tasks.

 

Key areas of the new FAISC

Not least because of the rapid pace of technological development, the FAISC does not prescribe detailed measures. It creates a formal legal framework on the basis of which the federal authorities specify information security requirements as uniformly as possible at ordinance and directive level. The FAISC addresses the following topics in particular:

  • Information security
  • Risk management
  • Cooperation with third parties
  • Information security breaches (incident management)
  • Classification of information
  • IT security (incl. OT security)
  • Personnel measures
  • Physical protection
  • Identity management systems (identity and access management IAM)
  • Personal security checks
  • Operational security procedures (awarding security-sensitive contracts to external partners)
  • Operation of critical infrastructures

 

Significance for operators of critical infrastructures

Operators of critical infrastructures, i.e. infrastructures that are essential for the functioning of society, the economy and the state, play a special role here. In addition to the federal and cantonal authorities and the state security organisations, this concerns the following sectors:

  • Energy and drinking water supply
  • Waste disposal
  • Finance
  • Healthcare
  • Information and communication
  • Food and drink
  • Transport and traffic
  • Safety and security

and thus large parts of the private sector in our country.

 

The Information Security Ordinance (ISO) at a glance

The Information Security Ordinance (ISO) regulates the tasks, responsibilities and competences for ensuring information security. Based on the FAISC, it defines a security organisation for the Federal Council, the departments and the administrative units. It distinguishes between the roles responsible for and the roles mandated with information security in the Federal Council, the departments and the administrative units, and the Federal Information Security Unit, which is part of the new State Secretariat for Security Policy (Sepos) in the DDPS. In addition, the Federal Office for Cybersecurity (BACS), formerly the National Cyber Security Centre (NCSC) and likewise located within the DDPS, starts operating on 1 January 2024.

The ISO regulates the core areas of the FAISC listed above in detail. A particular focus is placed on the management of information security, with minimum requirements defined in the following areas:

  • Development and operation of an information security management system (ISMS)
  • Maintaining the statutory basis and contractual obligations
  • Inventory of assets
  • Risk management
  • Co-operation with third parties
  • Training and sensitisation
  • Incident management
  • Controls and audits
  • Reporting

The most important point is the establishment of an information security management system (ISMS). If the ISMS is set up in accordance with the internationally recognised ISO/IEC 27001:2022 standard, the other topics listed above are covered directly by implementing the standard's requirements. Note, however, that the standard does not replace the ordinance's own minimum requirements (for example the classification catalogue and the reporting duties): these still have to be mapped explicitly onto the ISMS controls and documented.

 

Transitional deadlines

The ISO defines the following transition periods:

  • By 31 December 2024: creation of the classification catalogue
  • By 31 December 2025: protection needs analysis and classification of IT resources under the new legislation
  • By 31 December 2026: establishment of the ISMS

 

Information Security Act: Advice and support

If you are wondering whether your company is affected by the provisions of the new FAISC, you have come to the right place.

An overview of our services:

  1. Advice on all aspects of the FAISC: We closely follow the developments of the FAISC in order to provide you with the best possible advice.
  2. Setting up an information security management system (ISMS): We have extensive experience in setting up and operating ISMSs in accordance with ISO 27001:2022, including at federal level. We can support you as a project manager, with an entire project team or as a consultant and coach.
  3. Development and training of security organisations: We train the role holders of security organisations so that they can perform their tasks.
  4. Reporting obligations: We help you to set up a process for detecting incidents and clarify which reporting obligations apply to you, always in coordination with other legal requirements such as the Data Protection Act.
  5. Contract management: Advice and support in drawing up contracts with third parties that take information security aspects into account.
  6. Synergies and process optimisation: We create interfaces with other regulations or areas of integral security (data protection, IT security, business continuity and crisis management, physical security). Our goal: to standardise and optimise processes and exploit synergies.

 

Please get in touch with us!

We are at your disposal for all questions relating to the FAISC. Simply send your enquiries directly to us – we will provide you with comprehensive and competent advice.

Reto Steinmann
Head of Consulting

© Swiss Infosec AG 2024