This checklist is aimed at Swiss SMEs and is intended to help them increase information security in their company.
The checklist is divided into two areas:
- Organisational measures that increase or ensure information security
- Technical measures that increase or ensure the security of the IT infrastructure
Technical measures play a major role in ensuring information security. Nevertheless, they have to be supplemented by organisational measures. Especially for cost- and/or personnel-intensive measures, every company has to weigh the cost of a measure against the risk that arises if it is not implemented. Measures that are not implemented leave so-called residual risks, so senior management has to decide whether to accept those residual risks or to provide resources to reduce them further.

Although the technical risks of IT systems are an important part of information security, a company should not limit its focus to these risks, and it should not designate the IT department as the sole owner of the risks. Responsibility for risk management, for classifying and ranking information, and for allocating budget for security measures in proportion to that ranking are core tasks of senior management.