Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ: Standards

Can several frameworks be combined (ISO, NIST, ANSSI, ICT)?
Yes, these frameworks are complementary. At Bexxo, we recommend a progressive approach: start with the Swiss ICT Standard or the ANSSI guide, structure with the NIST CSF, then aim for ISO 27001 certification. Each step reinforces the previous one without starting from scratch.

Does the nFADP require a specific standard?
No, the nFADP (new Swiss Data Protection Act) does not impose any specific standard. It requires 'appropriate technical and organisational measures'. ISO 27001, NIST CSF or the Swiss ICT Standard are the most recognised frameworks for demonstrating this compliance in the event of an FDPIC inspection.

How does Bexxo support you in complying with these standards?
We conduct a comprehensive assessment of your situation, identify any discrepancies, and propose a concrete action plan to align your practices with the required standards.

How long does it take to obtain ISO 27001 certification?
On average 6 to 12 months for a Swiss SME, depending on existing maturity. The process includes the gap analysis (1-2 months), ISMS implementation (3-6 months), internal audit (1 month) and certification audit (1-2 months). Bexxo supports its clients throughout this journey.

How much does ISO 27001 certification cost for an SME?
Between CHF 10,000 and 50,000 for a Swiss SME, depending on size and complexity. This cost includes preparation (gap analysis, ISMS implementation) and the certification audit by an accredited body. Renewal every 3 years generally costs 30 to 50% of the initial cost.

Is ISO 27001 mandatory in Switzerland?
No, ISO 27001 is not legally mandatory in Switzerland. However, the nFADP requires appropriate technical and organisational measures to protect data. ISO 27001 provides the most recognised framework for demonstrating this compliance. Some sectors (finance, healthcare) require it contractually.

Is the ANSSI guide applicable in Switzerland?
Yes. Although ANSSI is the French authority, its 42 IT hygiene measures are universal and particularly relevant for French-speaking Swiss SMEs. The guide is free, pragmatic and compatible with NIST CSF and ISO 27001. It is an excellent starting point for companies in French-speaking Switzerland.

What are the 5 functions of the NIST CSF?
The 5 functions of the NIST Cybersecurity Framework are: Identify (understand assets and risks), Protect (access controls, encryption), Detect (monitoring, alerts), Respond (intervention plan, communication) and Recover (restoration, lessons learned). Each function is assessed on a score from 0 to 4.

What are the essential cybersecurity standards?
Key standards include ISO 27001, NIST, the nFADP (nLPD), GDPR and PCI-DSS. They provide robust frameworks for securing your systems and ensuring data protection.

What is EBIOS Risk Manager?
EBIOS Risk Manager is the ANSSI risk analysis method, structured in 5 workshops: scoping, risk sources, strategic scenarios, operational scenarios and treatment. Adopted by French government bodies and many French-speaking companies, it identifies the most realistic threats and prioritises security investments.

What is the Swiss ICT Minimum Standard?
The ICT Minimum Standard is a framework developed by FOEE (Federal Office for National Economic Supply) in collaboration with the NCSC. It defines 106 measures based on the NIST CSF, adapted to the Swiss context. Free and available in French, German and Italian, it includes an Excel self-assessment tool.

What is the difference between ISO 27001 and ISO 27002?
ISO 27001 defines the requirements for an information security management system (ISMS) and enables certification. ISO 27002 is a guide to best practices that details the implementation of the 93 controls in Annex A. In short: 27001 says 'what to do', 27002 says 'how to do it'.