Cybersecurity standards: ISO 27001, NIST, ANSSI and Swiss ICT Minimum Standard

Full comparison of the 4 cybersecurity frameworks for Swiss SMEs: ISO 27001, NIST CSF, ANSSI and ICT Minimum Standard. Differences, costs and compliance implementation.

Four frameworks, one shared goal: protecting your business

Several reference frameworks structure cybersecurity worldwide. For a Swiss SME, four are particularly relevant: ISO 27001 (certifiable international standard, 93 controls, 70,000+ certified organisations), the NIST CSF (voluntary US framework, 5 functions, free of charge), the ANSSI framework (French-speaking reference, 42 hygiene measures) and the Swiss ICT Minimum Standard (recommended by FOEE for critical infrastructures).

Each has its strengths: international certification, flexibility, French-speaking pragmatism or Swiss grounding. The table below helps you choose the framework best suited to your situation. At Bexxo, we have been supporting Swiss SMEs since 2003 in achieving compliance with these frameworks.

Comparative table of the 4 cybersecurity standards

| Criterion | ISO 27001 | NIST CSF | ANSSI | ICT Min. Standard (CH) |
|---|---|---|---|---|
| Type | Certifiable standard | Voluntary framework | Government recommendations | Swiss federal standard |
| Body | ISO / IEC | NIST (USA) | ANSSI (France) | FOEE (Switzerland) |
| Structure | 93 controls (Annex A) | 5 functions, 23 categories | 42 hygiene measures + EBIOS RM | 106 measures based on NIST |
| Certification | Yes (third-party audit) | No (self-assessment) | ANSSI security visa | No (self-assessment) |
| Estimated cost | CHF 10,000 – 50,000 | Free | Free (public guides) | Free |
| Renewal | Every 3 years | Ongoing | Ongoing | Ongoing |
| Flexibility | Strict framework | Highly adaptable | Pragmatic | Adaptable by sector |
| Ideal target | SMEs seeking certification | SMEs starting in cyber | French-speaking SMEs | Critical infrastructures CH |
| Swiss relevance | Recognised by nFADP | Recommended by NCSC | French-speaking reference | Recommended by FOEE |
| Latest version | ISO 27001:2022 | CSF 2.0 (Feb. 2024) | Hygiene guide v2 (2017) | Version 2023 |

These four frameworks are complementary. The Swiss ICT Minimum Standard and NIST CSF are the best starting points for a Swiss SME. ANSSI guides bring a pragmatism valued in French-speaking contexts. ISO 27001 is the ideal choice for obtaining internationally recognised certification. At Bexxo, we combine these frameworks according to your context.

What is the NIST CSF?

The NIST Cybersecurity Framework provides voluntary guidelines for managing and reducing cybersecurity risks. These recommendations are adaptable to the diverse needs of organisations, regardless of their size and sector. Unlike ISO 27001, NIST requirements are flexible and designed to evolve with the organisation.

The 5 functions of the NIST CSF

The Framework Core is built on 5 core functions, divided into 23 categories:

  1. Identify — Understand the organisation's assets, risks and governance
  2. Protect — Implement protection measures (access control, training, encryption)
  3. Detect — Deploy security incident detection capabilities
  4. Respond — Plan and execute the response to detected incidents
  5. Recover — Restore services and draw lessons from the incident

A score from 0 to 4 (Implementation Tiers) is assigned to each function, enabling measurement of the organisation's cybersecurity maturity and prioritisation of improvements.
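To make the maturity scoring concrete, here is an added example (not a tool from NIST, FOEE or Bexxo, and not part of the original article) that turns per-category ratings on the page's 0-4 scale into a maturity profile per NIST function and a prioritised gap list against a target tier. The category names are a constructed subset of the 23, the sample ratings are made up, and the aggregation rule (function score = mean of its category ratings) is an assumption chosen for illustration; an organisation using the ICT Minimum Standard's Excel tool would follow that tool's own aggregation.

```python
"""Maturity profile and gap prioritisation over the 5 NIST CSF functions.

Added illustration, not an official NIST / FOEE / Bexxo tool. Assumptions:
- each category is rated on the page's 0-4 scale;
- a function's score is the mean of its category ratings, one decimal;
- the target tier is a value the organisation chooses (constructed here).
Category names are a constructed subset, not the framework's full 23.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
MIN_RATING, MAX_RATING = 0, 4


@dataclass
class Assessment:
    target: int                          # desired tier for every category, 0..4
    ratings: Dict[str, Dict[str, int]]   # function -> category -> rating

    def validate(self) -> None:
        """Reject malformed input before any score is computed."""
        if not MIN_RATING <= self.target <= MAX_RATING:
            raise ValueError(f"target {self.target} outside {MIN_RATING}..{MAX_RATING}")
        missing = [f for f in FUNCTIONS if f not in self.ratings]
        if missing:
            raise ValueError(f"functions without ratings: {missing}")
        for func, cats in self.ratings.items():
            if func not in FUNCTIONS:
                raise ValueError(f"unknown function {func!r}")
            if not cats:
                raise ValueError(f"function {func} has no categories")
            for cat, r in cats.items():
                if not MIN_RATING <= r <= MAX_RATING:
                    raise ValueError(f"{func}/{cat}: rating {r} outside 0..4")


def function_score(cat_ratings: Dict[str, int]) -> float:
    """Assumed aggregation: mean of the category ratings, rounded to 1 decimal."""
    return round(sum(cat_ratings.values()) / len(cat_ratings), 1)


def maturity_profile(a: Assessment) -> Dict[str, float]:
    """One score per NIST function, in framework order."""
    a.validate()
    return {f: function_score(a.ratings[f]) for f in FUNCTIONS}


def prioritise(a: Assessment) -> List[Tuple[str, str, int]]:
    """Categories below target as (function, category, gap), largest gap first.

    Ties are broken by the framework's function order (Identify first), then
    by category name, so the output is deterministic for a given assessment.
    """
    a.validate()
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    gaps = [
        (func, cat, a.target - r)
        for func in FUNCTIONS
        for cat, r in a.ratings[func].items()
        if a.target - r > 0
    ]
    gaps.sort(key=lambda g: (-g[2], order[g[0]], g[1]))
    return gaps


# Constructed sample: a small SME's self-assessment, target tier 3.
SAMPLE = Assessment(
    target=3,
    ratings={
        "Identify": {"Asset Management": 2, "Risk Assessment": 1},
        "Protect": {"Access Control": 3, "Awareness and Training": 2, "Data Security": 3},
        "Detect": {"Continuous Monitoring": 1, "Anomalies and Events": 0},
        "Respond": {"Response Planning": 1, "Communications": 2},
        "Recover": {"Recovery Planning": 2, "Improvements": 1},
    },
)

if __name__ == "__main__":
    for func, score in maturity_profile(SAMPLE).items():
        print(f"{func:<9} {score:.1f} / 4")
    print("Priorities (largest gap to target first):")
    for func, cat, gap in prioritise(SAMPLE):
        print(f"  gap {gap}: {func} / {cat}")
```

Run stand-alone, the script shows Detect as the weakest function (0.5) and puts the Detect category with no coverage at the top of the list; that is the kind of output the page means by "prioritisation of improvements": the profile tells you where you stand per function, the gap list tells you which categories to fund first.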

Who is the NIST CSF for?

The NIST CSF is aimed at any organisation wishing to structure its cybersecurity approach without a large initial investment. It is the ideal starting point for Swiss SMEs that do not yet have a formal framework. The NCSC (National Cyber Security Centre) recommends this framework as a basis for Swiss organisations.

What is ISO 27001?

ISO 27001 is an international standard that defines best practices for information security management systems (ISMS). It enables organisations to demonstrate their approach to data security and confidentiality through a certification verifiable by an accredited third-party auditor. More than 70,000 companies worldwide are certified (ISO Survey 2023).

The 93 controls of ISO 27001:2022

The 2022 version of ISO 27001 defines 93 controls divided into 4 categories in Annex A:

  • Organisational controls (37) — Policies, roles, asset management, supplier relationships
  • People controls (8) — Staff selection, awareness, training
  • Physical controls (14) — Security perimeter, equipment, surveillance
  • Technological controls (34) — Authentication, encryption, logging, secure development

An accredited third-party auditor assesses compliance. Certification is valid for 3 years with annual surveillance audits.

ISO 27001 certification cost and process

The cost of ISO 27001 certification for a Swiss SME is between CHF 10,000 and 50,000, depending on the size of the organisation and the complexity of its scope. The process includes: gap analysis, ISMS implementation, internal audit, then certification audit by an accredited body. At Bexxo, we support SMEs through every step of this process, from the initial analysis to obtaining certification.

The ANSSI framework (France)

The ANSSI (National Agency for the Security of Information Systems) is the French authority on cybersecurity. Its IT Hygiene Guide defines 42 essential measures covering awareness, authentication, workstation security, network security and incident management. Published free of charge, it is the most pragmatic reference for French-speaking SMEs.

The 42 IT hygiene measures

The 42 ANSSI measures cover 10 domains:

  • Awareness — Train and empower users
  • Authentication — Password policy and MFA
  • Workstations — Updates, encryption, antivirus
  • Network — Segmentation, firewall, monitoring
  • Remote working — VPN, securing remote work
  • Administration — Privileged accounts, logging
  • Security maintenance — Monitoring, patches
  • Supervision — Incident detection, alerts
  • Incident management — Response plans, communication
  • Business continuity — Backups, BCP/BRP

This guide is an excellent complement to the NIST CSF and can serve as a foundation for an ISO 27001 approach.

EBIOS Risk Manager

ANSSI also offers EBIOS Risk Manager, a risk analysis method structured in 5 workshops, adopted by French government bodies and many French-speaking organisations. It identifies the most realistic threat scenarios and prioritises security measures. Comparable to the NIST risk assessment, EBIOS is particularly valued for its methodological rigour in French-speaking contexts.

The Swiss ICT Minimum Standard

The ICT Minimum Standard is a framework developed by the Federal Office for National Economic Supply (FOEE) in collaboration with the NCSC. Based on the NIST CSF, it defines 106 measures organised around the 5 NIST functions, adapted to the Swiss context. It is recommended for operators of critical infrastructures but applicable to any Swiss SME.

Why the ICT Standard is relevant for Swiss SMEs

The ICT Minimum Standard offers several advantages for Swiss SMEs:

  • Free and public — available in French, German and Italian on the FOEE website
  • Adapted to the Swiss context — incorporates nFADP requirements and NCSC recommendations
  • NIST-compatible — same 5-function structure, facilitating a transition to NIST CSF or ISO 27001
  • Self-assessment — includes an Excel assessment tool to measure maturity

At Bexxo, we use the ICT Minimum Standard as a baseline assessment for our Swiss SME audits, before recommending an upgrade to ISO 27001 compliance if needed.

Which framework should you choose for your SME?

Are you new to cybersecurity? Start with the Swiss ICT Minimum Standard (free, adapted to the local context) or the ANSSI guide (42 pragmatic measures). These two frameworks give you a solid foundation without any initial investment.

Do you want to structure your approach? The NIST CSF offers a flexible framework with measurable maturity levels (score 0-4). The NCSC recommends it for Swiss SMEs.

Are you aiming for certification? ISO 27001 is the only framework certifiable by a third-party auditor. It is a strong competitive advantage for SMEs handling sensitive data or working with large enterprises. At Bexxo, we often recommend a progressive approach: ICT Standard → NIST CSF → ISO 27001.

Why choose Bexxo?

  1. Certified Expertise: CyberSafe Label certified and authorized to handle confidential data for federal institutions, our experts apply the highest security standards in the industry.
  2. Personalized Support: We adapt our services to your specific needs, whether you are an SME or a large company.
  3. Proactive Protection: We anticipate threats before they become a problem, thereby reducing risks and the impact of attacks.

Don't let your business be vulnerable to cyber threats. With Bexxo, secure your digital future today!

Frequently asked questions about cybersecurity standards

Is ISO 27001 mandatory in Switzerland?

No, ISO 27001 is not legally mandatory in Switzerland. However, the nFADP requires appropriate technical and organisational measures to protect data. ISO 27001 provides the most recognised framework for demonstrating this compliance. Some sectors (finance, healthcare) require it contractually.

How much does ISO 27001 certification cost for an SME?

Between CHF 10,000 and 50,000 for a Swiss SME, depending on size and complexity. This cost includes preparation (gap analysis, ISMS implementation) and the certification audit by an accredited body. Renewal every 3 years generally costs 30 to 50% of the initial cost.

Can several frameworks be combined (ISO, NIST, ANSSI, ICT)?

Yes, these frameworks are complementary. At Bexxo, we recommend a progressive approach: start with the Swiss ICT Standard or the ANSSI guide, structure with the NIST CSF, then aim for ISO 27001 certification. Each step reinforces the previous one without starting from scratch.

Is the ANSSI guide applicable in Switzerland?

Yes. Although ANSSI is the French authority, its 42 IT hygiene measures are universal and particularly relevant for French-speaking Swiss SMEs. The guide is free, pragmatic and compatible with NIST CSF and ISO 27001. It is an excellent starting point for companies in French-speaking Switzerland.

What is the Swiss ICT Minimum Standard?

The ICT Minimum Standard is a framework developed by FOEE (Federal Office for National Economic Supply) in collaboration with the NCSC. It defines 106 measures based on the NIST CSF, adapted to the Swiss context. Free and available in French, German and Italian, it includes an Excel self-assessment tool.

What are the 5 functions of the NIST CSF?

The 5 functions of the NIST Cybersecurity Framework are: Identify (understand assets and risks), Protect (access controls, encryption), Detect (monitoring, alerts), Respond (intervention plan, communication) and Recover (restoration, lessons learned). Each function is assessed on a score from 0 to 4.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 defines the requirements for an information security management system (ISMS) and enables certification. ISO 27002 is a guide to best practices that details the implementation of the 93 controls in Annex A. In short: 27001 says 'what to do', 27002 says 'how to do it'.

Does the nFADP require a specific standard?

No, the nFADP (new Swiss Data Protection Act) does not impose any specific standard. It requires 'appropriate technical and organisational measures'. ISO 27001, NIST CSF or the Swiss ICT Standard are the most recognised frameworks for demonstrating this compliance in the event of an FDPIC inspection.

How long does it take to obtain ISO 27001 certification?

On average 6 to 12 months for a Swiss SME, depending on existing maturity. The process includes the gap analysis (1-2 months), ISMS implementation (3-6 months), internal audit (1 month) and certification audit (1-2 months). Bexxo supports its clients throughout this journey.

What is EBIOS Risk Manager?

EBIOS Risk Manager is the ANSSI risk analysis method, structured in 5 workshops: scoping, risk sources, strategic scenarios, operational scenarios and treatment. Adopted by French government bodies and many French-speaking companies, it identifies the most realistic threats and prioritises security investments.
Discover how bexxo can secure your business. Don't hesitate to contact us for a personalized consultation today!