Information Security Act: Federal Council sends ordinances for consultation
The new Information Security Act (ISG) affects many public authorities and private-law companies and is intended to create a uniform, formal legal framework for information security.
For the Information Security Act (ISG) to come into force, three Regulations and another ordinance will be partially revised. At its meeting on August 24, 2022, the Federal Council has now opened the consultation process. opens. The ISG and the implementing regulations are scheduled to come into force in mid-2023.
Three new ordinances and one partial revision
Information Security Regulation (ISV)The new ISV combines, supplements and replaces two previous ordinances, the Cyber Risks Ordinance and the Information Protection Ordinance. It applies primarily to the federal administration and the armed forces. The planned changes to the previous law concern, for example, the provision for the implementation of an information security management system, the introduction of an accreditation obligation for IT resources, the increase of the classification threshold for classified information as well as the introduction of an internationally customary aftercare in the context of personal security. Furthermore, the heads of offices of the federal administration are obliged to new tasks, competences and responsibilities in the area of information security.
Ordinance on Personal Security Testing (VPSP)This summarizes the implementing provisions for the various personal security checks. It replaces the ordinance on personal security examinations, the ordinance on personal security examinations in the area of nuclear installations and all previous departmental ordinances on personal security examinations. The purpose of the personal security examinations is to assess whether there is a risk to the information security of the Confederation if a person performs a security-sensitive activity within the scope of his or her function. Under the new law, these audits are to be reduced to the minimum required to identify significant risks to the federal government. This means that significantly fewer audits are to be carried out in the future. This will be achieved, among other things, by the aforementioned increase in the thresholds for classification under the ISV.
Ordinance on the Operational Safety Procedure (VBSV)It regulates the details of the new operational security procedure introduced by the ISG and replaces the previous Secret Security Ordinance, which was restricted to military classified contracts. The operational security procedure is applicable to all security-sensitive contracts awarded by the federal government. This affects contracts in which information classified as confidential or secret is processed or IT resources with a high or very high level of protection are operated or managed.
In addition, the entry into force of the ISG requires adjustments to the Ordinance on Federal Identity Management Systems and Directory Services (IAMV)The partial revision includes in particular an extension of the scope of application to the administrative units of the decentralized federal administration, insofar as these have access to IT systems of the central federal administration.
The consultation procedure will last until November 24, 2022. An additional reporting obligation for cyber attacks on critical infrastructures requires an ISG revision. This is also currently underway under the leadership of the Federal Department of Finance. The consultation procedure for the ISG revision lasted until April 14, 2022.
Source: the Federal Council
