27. April 2023: Mari Seeba Development of information security management standard and evaluation instrument, Estonian case
In Estonia, a baseline standard for information security management has been in use since 2003. It has been mandatory for many agencies since 2005. In 2020, the first standard, called ISKE (InfoSüsteemide Kolmeastmeline Etalonturve), was replaced by a new information security standard called E-ITS (Eesti Infoturbestandard). The number of implementers increased almost tenfold. With the creation of the new standard, there was a need to evaluate an organisation's information security status in compliance with E-ITS. Organisations also expected to be able to compare themselves with other authorities in a way that would support the implementation of the new standard. There is also an urgent need to know which security areas need coordinated support from the NCSC-EE. First, a framework for security level evaluation (F4SLE) based on E-ITS was created, followed by a method for updating the content of the F4SLE on an annual basis while preserving the possibility of comparison with previous results. In addition, a proof-of-concept tool was created to support the F4SLE evaluation process. All this has been the content of Mari Seeba's research project, which she will introduce at the seminar.