CyberSeal

CyberSeal -
the seal of quality

The CyberSeal confirms that an IT service provider implements appropriate technical and organizational measures to guarantee its customers adequate protection against cyber risks. The CyberSeal contributes to increasing the cyber resilience of Swiss SMEs.

Who is the Swiss CyberSeal for?

IT service providers with their registered office and customer base in Switzerland can receive the CyberSeal if they assume overall or partial responsibility for the setup and operation of IT and/or configure and provide cloud solutions (e.g., Microsoft 365) on behalf of SME customers.

Added value for the IT service provider

Reduction of implementation, operational and security risks

Grafik zur IT-Diensleister-Sensibilisierung

Cybercrime awareness and establishment of a common language

Fulfillment of minimum IT security requirements creates trust

Better market position and advantages in insurance contracts

Added value for the end customer

Reduction of risks regarding cyberattacks

Fewer incidents, faster remediation and lower costs in the event of an incident

Independent quality seal simplifies the choice of IT service provider

Stronger focus on core business

CyberSeal - Contents of the standard

IT service providers have a direct impact on the cyber resilience of SMEs. It is therefore imperative that IT service providers can demonstrate basic competencies in the following areas:

Organization: e.g. Documentation, Aufgabenteilung, Ausbildung
Technology: e.g. data protection, authorizations, backup
Processes: e.g. Change und incident management, monitoring

The detailed audit checkpoints and processes are based on the valid CyberSeal Audit Manual of the Alliance Digital Security Switzerland (German and French only).

Terms and conditions for testing and use (German)

The CyberSeal auditing-process

The process runs through a three-year cycle. A comprehensive CyberSeal audit is carried out in year one. In years two and three, a maintenance audit is carried out for quality control purposes. In year four, the process is repeated again with a comprehensive audit.

(1) Interest

In case of interest, the IT service provider registers by means of a form. He receives the current CyberSeal checklist. An appointment for the audit is arranged.

(2) Self-declaration

He will be asked to complete and submit a self-declaration for each item on that checklist, as appropriate.

(3) Audit

The auditor checks the check points in the interview and at the console (in-depth on-site inspection). The auditor will only address self-declation questions if clarification is required.

(4) Feedback

If no major deviations have occurred, the CyberSeal Seal of approval is handed over together with the audit report.

(5) Implementation

Measures to eliminate deviations and to process indications shall be implemented within one year. This is checked in the maintenance audit.

(6) Maintenance

In years two and three after the audit, a maintenance audit is performed by self-declaration. The checklist is to be submitted updated. The auditor reviews the information and discusses any changes to the standard by telephone.

CyberSeal Audit Manual

The CyberSeal audit requirements are reviewed annually and compared with the new threat situation. The manual describes the application of the CyberSeal checklist, the terms used and the audit process. It also explains the requirements and how to deal with possible deviations.

CyberSeal Checklist

The CyberSeal checklist defines the requirements for the IT service provider and is the defined standard for the seal of approval. The precise specifications are intended to promote the uniformity of the audit. For the self-declaration, the IT service provider is provided with the current checklist, which is divided into 26 chapters.

CyberSeal Audit Report

The IT service provider receives this report after the audit. The report describes the results of the passed or failed audit. The report shows major and minor deviations as well as tips and recommendations for improving cybersecurity.

Dealing with deviations, indications and recommendations

Major Deviation: no CyberSeal

A major deviation exists if a requirement is not fulfilled for an item on the checklist that is marked with priority 1.

Dealing with major deviations
The IT service provider has 3 months to rectify the major non-conformity. At the end of this period, the auditor assesses the rectification. An additional fee of CHF 600 is charged for this review. If the main non-conformity is not remedied sufficiently, no CyberSeal is issued and the process must be restarted.

Minor Deviation

If a requirement is only partially fulfilled for an item on the checklist with priority 1, this results in a minor deviation.

Dealing with minor deviations
The minor deviation must be dealt with by the IT service provider by the next maintenance audit. The deviation is then reviewed. A clearly recognizable improvement must have been implemented. Incomplete fulfillment of the requirement can be declared again as a minor deviation for the next audit / maintenance audit.

Notes and Recommendatoins

Notes are findings by the auditor that can improve the cyber security of the IT service provider and its customers.

The IT service provider itself decides whether and how the notes are implemented. The auditor will discuss the implementation of the notes as part of the next maintenance audit.

The Costs

The CyberSeal quality seal is valid for 3 years. The first year includes a full audit worth CHF 3,700, the second and third years include an annual maintenance audit worth CHF 600 each.

Comprehensive audit in the first year at the customer's site
Compact CyberSeal checklist
Detailed documentation of the results
List of vulnerabilities and recommendations
Maintenance audits in the first two years included

CHF 4'900 excl. VAT

Maintenance Audit

Telephone call in years two and three for the maintenance audit
One-hour discussion (online or by phone) of progress based on self-declaration and current threats
Update regarding current cyber risks
Review of self-declaration

CyberSeal - the seal of quality