Why the ICT Minimum Standard is Essential for Cybersecurity

Downtime from a cyberattack can quickly become costly: according to a recent Splunk study, each minute of downtime costs an average of $9,000 — adding up to over half a million dollars per hour. This level of financial impact can put companies at existential risk, particularly when essential infrastructure like energy supply chains is affected.

In Switzerland, since July 1, 2024, the new Electricity Supply Ordinance (StromVV) has required power producers, network operators, and electricity service providers to meet the ICT (Information and Communication Technology) Minimum Standard for cybersecurity.

This blog post outlines the necessary steps to achieve the ICT Minimum Standard and showcases how the GRC suite ADOGRC supports the implementation of these guidelines to strengthen cyber resilience.

Foundation for Implementing the ICT Minimum Standard

An organization’s ICT security strategy must focus on protecting critical ICT resources essential to business processes.

ICT security and related measures are often approached from a functional perspective. However, before implementation, clear organizational rules, processes, metrics, and structures need to be established, addressing questions like:

  • What actions are being taken?
  • How are they implemented?
  • Who is responsible?
  • How will the measures be evaluated?

Establishing a comprehensive security organization within the company, with clearly defined roles, responsibilities, and competencies, is essential.

This foundation enables a multi-layered approach that supports coordinated security measures (“Defense-in-Depth”).

Tip: Check out the free webinar on success factors for implementing NIS-2 and DORA.

The ICT Minimum Standard aligns with the internationally recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), providing a proven, scalable approach to managing and mitigating cyber risks.

Key Components of the ICT Minimum Standard

Successfully implementing the ICT Minimum Standard requires systematic steps across five main areas, described here on the basis of the criteria in the assessment tool published by the Federal Office for National Economic Supply:

Identify

Organizations should carefully identify and prioritize key assets and associated risks to manage cybersecurity effectively. Comprehensive inventory and assessment of all systems and data provide a foundation for informed decision-making and clear role assignments. Structured governance and risk management strategies support regulatory compliance and strengthen defenses against cyber and supply chain risks.

Protect

Protecting sensitive data and critical infrastructure requires a comprehensive security strategy that integrates technical and organizational measures. Effective identity management and access controls restrict access to systems and data to authorized individuals, while regular training strengthens security awareness among employees and partners. Clear policies, supported by protective technologies, ensure the confidentiality, integrity, and availability of information. Routine maintenance of ICT systems further enhances reliability and resilience, creating a robust defense against potential threats.

Detect

Early identification of cybersecurity incidents is essential to minimize potential damage. Continuous monitoring across the technology infrastructure enables swift detection of anomalies and security events, allowing for prompt impact assessment. Regular checks of systems and processes further enhance incident detection and strengthen security measures. Well-defined processes and guidelines for identifying cybersecurity incidents should be consistently maintained and tested to ensure rapid response and minimize risks effectively.

Respond

A swift, coordinated response to security incidents is critical to contain and minimize their impact. Effective response planning establishes the processes and procedures needed to address cyber incidents promptly. Actions should be coordinated with both internal and external parties, including law enforcement when necessary. Beyond containment and mitigation, thorough incident analysis is essential. Understanding the impact and conducting forensic analyses drive continuous improvement, strengthening the organization’s response capabilities.

Recover

Restoring systems and data quickly after an incident is essential to resume normal operations. Recovery plans should be thoughtfully implemented and regularly updated, drawing on insights from past incidents to strengthen the strategy. Emphasizing positive public perception helps rebuild trust and reputation. Coordinated recovery efforts must be closely aligned with both internal and external partners, including leadership and management teams, to ensure transparency and effective communication.

GRC Software: A Powerful Tool for Managing the ICT Minimum Standard

Integrating a cybersecurity framework with a specialized Governance, Risk, and Compliance (GRC) tool is essential for strengthening an organization’s risk management and streamlining regulatory compliance. Modern GRC solutions simplify and automate many processes within these frameworks, enhancing cybersecurity measures and reducing errors. Because such a tool provides a centralized platform for monitoring all activities, organizations gain key benefits such as:

  • Transparency, Consistency, and Accuracy: Systematic collection and processing of information help minimize errors and ensure high-quality reports and content.
  • Automated Workflows and Notifications: GRC tools monitor risk portfolios and control catalogs, providing alerts on new, specific tasks.
  • Involvement of Relevant Stakeholders: Active participation from all stakeholders ensures that various perspectives inform decisions, fostering a compliance culture and heightened risk awareness throughout the organization.

ADOGRC Features for Implementing the ICT Minimum Standard

Our GRC suite ADOGRC fully supports the NIST Cybersecurity Framework (CSF) 2.0, thereby enabling the implementation of the ICT Minimum Standard with a comprehensive approach to managing cybersecurity risks.

ADOGRC optimizes risk portfolio management and control execution. By linking cybersecurity risks with assets, organizations gain valuable insights for informed decision-making. Pre-configured workflows and automated processes further ensure seamless task distribution within operations.

Example Scenario 1: A sample Business Impact Analysis in ADOGRC answers critical questions such as: Which processes are business-critical? What ICT resources are needed, and how dependent are critical processes on these resources? What are the impacts of interruptions, and at what downtime threshold do they become critical?

Example Scenario 2: A detailed Failure Mode and Effects Analysis (FMEA) in ADOGRC evaluates cyber risks based on their frequency, impact, and detectability, identifying essential actions to mitigate risks and strengthen security strategies.

Example Scenario 3: Information Network of a Risk. This scenario illustrates the context of a risk, using the example of “unauthorized access.” The visualization provides a comprehensive overview of the cyber risk and the associated ICT assets. Which controls mitigate this risk, and in which processes are they implemented?
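The three scenarios above describe analyses, not a data model, so here is an added illustration written for this post; it is not ADOGRC code and does not reflect ADOGRC's schema or interface. It builds a minimal GRC register in Python with constructed sample data (all process, resource, risk and control names, scores and downtime thresholds are invented assumptions) and runs the three analyses over it: a Business Impact Analysis that derives each ICT resource's downtime threshold from the processes depending on it (Scenario 1), an FMEA ranking by frequency, impact and detectability using the common risk priority number product (Scenario 2), and the information network of the “unauthorized access” risk, listing affected assets, dependent processes and the controls that mitigate it together with the processes they are implemented in (Scenario 3). It also flags risks that no control covers, the check a practitioner would want before signing off a control catalog.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    max_downtime_hours: float  # interruption becomes critical beyond this threshold (assumed)
    depends_on: tuple          # ICT resources the process needs


@dataclass(frozen=True)
class Risk:
    name: str
    affects: tuple             # ICT resources exposed to this risk
    frequency: int             # 1 (rare) .. 10 (frequent)   - FMEA occurrence
    impact: int                # 1 (negligible) .. 10 (severe) - FMEA severity
    detectability: int         # 1 (almost certainly detected) .. 10 (goes unnoticed)


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple           # risk names this control reduces
    implemented_in: tuple      # processes in which the control operates


# Constructed sample register (hypothetical names and scores, not real data).
PROCESSES = (
    Process("Grid dispatch", 1.0, ("SCADA server", "Control network")),
    Process("Customer billing", 72.0, ("ERP system", "Customer database")),
    Process("Outage reporting", 4.0, ("Control network", "Web portal")),
)
RISKS = (
    Risk("Unauthorized access", ("SCADA server", "Customer database"), 4, 9, 6),
    Risk("Phishing of dispatch staff", ("Control network",), 7, 6, 5),
    Risk("Ransomware on ERP", ("ERP system",), 3, 7, 3),
    Risk("Control network outage", ("Control network",), 2, 10, 2),
)
CONTROLS = (
    Control("Multi-factor authentication", ("Unauthorized access",),
            ("Grid dispatch", "Customer billing")),
    Control("Offline backups", ("Ransomware on ERP",), ("Customer billing",)),
    Control("Network segmentation", ("Unauthorized access", "Control network outage"),
            ("Grid dispatch", "Outage reporting")),
)


def business_impact(processes):
    """Scenario 1 (BIA): for every ICT resource, the shortest tolerable downtime
    among the processes that depend on it, shortest first. A resource inherits the
    most demanding threshold of any process it supports."""
    thresholds = {}
    for p in processes:
        for resource in p.depends_on:
            current = thresholds.get(resource, float("inf"))
            thresholds[resource] = min(current, p.max_downtime_hours)
    return dict(sorted(thresholds.items(), key=lambda kv: kv[1]))


def critical_resources(processes, threshold_hours):
    """Resources whose derived downtime threshold is at or below the given limit."""
    return sorted(r for r, h in business_impact(processes).items() if h <= threshold_hours)


def fmea_ranking(risks):
    """Scenario 2 (FMEA): risk priority number = frequency * impact * detectability,
    ranked highest first so the most urgent actions surface at the top."""
    scored = [(r.name, r.frequency * r.impact * r.detectability) for r in risks]
    return sorted(scored, key=lambda kv: -kv[1])


def risk_context(risk_name, risks, controls, processes):
    """Scenario 3 (information network of a risk): affected assets, the processes
    that depend on those assets, and the mitigating controls with the processes
    in which each control is implemented."""
    risk = next(r for r in risks if r.name == risk_name)
    exposed = set(risk.affects)
    dependent = sorted(p.name for p in processes if exposed & set(p.depends_on))
    mitigating = {c.name: sorted(c.implemented_in) for c in controls if risk_name in c.mitigates}
    return {"assets": sorted(exposed), "processes": dependent, "controls": mitigating}


def uncontrolled_risks(risks, controls):
    """Risks that no control in the catalog claims to mitigate: a gap to close."""
    covered = {name for c in controls for name in c.mitigates}
    return sorted(r.name for r in risks if r.name not in covered)


if __name__ == "__main__":
    print("BIA thresholds (h):", business_impact(PROCESSES))
    print("Critical within 4 h:", critical_resources(PROCESSES, 4.0))
    print("FMEA ranking (RPN):", fmea_ranking(RISKS))
    print("Risk context:", risk_context("Unauthorized access", RISKS, CONTROLS, PROCESSES))
    print("Uncontrolled risks:", uncontrolled_risks(RISKS, CONTROLS))
```

In this sample the “Control network” inherits the one-hour threshold of grid dispatch even though outage reporting tolerates four hours, which is exactly the dependency insight a BIA is meant to expose, and the phishing risk ranks second by RPN while having no control assigned, which is the kind of gap a control catalog review should catch.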

Conclusion: The Future of Cyber Risk Management with the ICT Minimum Standard and GRC Software

Nowadays, companies face significant cyber risks that can have severe consequences, particularly in critical infrastructure sectors. Compliance with ICT minimum standards, such as those required for power providers in Switzerland, is essential. As cyber threats continue to escalate, these standards may soon extend to other industries as well.

The GRC suite ADOGRC provides a comprehensive solution to support companies in effectively implementing these requirements. With automated workflows, real-time analytics, and a centralized platform for managing cyber risks, ADOGRC helps coordinate security measures efficiently and strengthens resilience.

Are you interested in implementing ICT minimum standards with ADOGRC? Or would you like to learn more about how ADOGRC can enhance your cyber resilience? Don’t hesitate to contact us with questions or to arrange a personal consultation.
