CyberSeal - The Seal of Approval

CyberSeal-certified IT service providers demonstrably implement high technical and organizational standards — strengthening the cyber resilience of Swiss SMEs. 


Who Is the CyberSeal For?

The CyberSeal is available to IT service providers based in Switzerland with a Swiss client base who assume full or partial responsibility for the setup and operation of IT systems on behalf of SME clients and/or configure and provide cloud solutions (e.g., Microsoft 365). 

Benefits for Certified IT Service Providers 

  • Reduction of operational and security risks
  • Clearer communication through shared security standards
  • Increased trust through demonstrated cybersecurity competence
  • Competitive advantage in client acquisition and insurance matters

How SMEs Benefit as Clients 

  • Higher protection against cyberattacks
  • Faster response and reduced costs in the event of an incident
  • Simplified selection of IT service providers through an independent seal of approval
  • Greater focus on core business activities

What Is Assessed? Scope of the Standard

Certified IT service providers demonstrate competence in three core areas:

  • Organization (e.g. documentation, defined responsibilities, training)

  • Technology (e.g. access protection, data backup, permission management)

  • Processes (e.g. monitoring, incident management)

The detailed audit control points and procedures are based on the current CyberSeal Audit Manual issued by the Alliance Digital Security Switzerland.


The Audit Process at a Glance 

The CyberSeal certification cycle spans three years. In the first year, a comprehensive on-site audit is conducted. In years two and three, annual surveillance audits ensure ongoing quality assurance and compliance with the standard. From year four onward, the cycle begins again with a full re-certification audit.

Apply for the Audit

IT service providers register via the application form and receive the current CyberSeal checklist.
An audit date is then scheduled. 

Self-Declaration

The IT service provider completes the sections of the checklist marked for self-declaration and submits the documentation for review.

On-Site Audit

The auditor reviews the in-depth control points on site through interviews and system inspections (including console reviews where applicable). 

Certification

If no major non-conformities are identified, the CyberSeal certificate and the audit report are issued.

Implementation of Non-Conformities

Any identified non-conformities and recommendations must be addressed within one year. Implementation is verified during the next surveillance audit. 

Surveillance Audits

In years two and three, the self-declaration is updated, a remote review is conducted by the auditor, and any updates to the standard are discussed.

Key Documents for the CyberSeal Audit 


Audit Manual

The Audit Manual explains the application of the checklist, defines key terms, describes the audit process, and outlines the handling of non-conformities. It is updated annually to reflect the evolving threat landscape.



Checklist

The checklist defines the mandatory requirements for IT service providers. It constitutes the binding standard for the seal of approval and serves as the basis for both the self-declaration and the audit.



Audit Report

The audit report documents the results of the audit, identifies major and minor non-conformities, and includes observations and recommendations for improving IT security.

Non-Conformities and Observations 

During the audit, major non-conformities, minor non-conformities, or observations may be identified. The handling of these findings is clearly defined: major non-conformities result in the denial of certification, minor non-conformities must be remedied within a specified timeframe, and observations serve as guidance for voluntary improvement.

Major Non-Conformity – No CyberSeal Issued

A major non-conformity exists when a Priority 1 requirement is not fulfilled. In such cases, the CyberSeal certification cannot be granted.

The IT service provider has three months to remedy the non-conformity.
A follow-up review by the auditor is then conducted. An additional fee of CHF 600 applies.

If the corrective action is insufficient, the entire certification process must be restarted.

Minor Non-Conformity

A minor non-conformity exists when a Priority 1 requirement is only partially fulfilled.
The issue must be resolved by the next surveillance audit.
If the implementation remains insufficient, the non-conformity may be raised again.

Observations and Recommendations

Observations are findings that are not certification-relevant but may contribute to improving IT security — both for the IT service provider and its clients.

Implementation is voluntary; however, progress is reviewed and discussed at the next surveillance audit.

Fee Overview

The CyberSeal seal of approval is valid for three years. The certification cycle consists of one initial audit and two surveillance audits. From year four onward, the cycle begins again with a discounted re-certification audit.

  • CyberSeal Audit
    Certified IT service provider

    CHF 4'900.- (excl. VAT)

    Validity: 3 years

    Includes the initial audit and two surveillance audits.
    Scope of services:
    • On-site audit in the first year
    • Concise CyberSeal checklist
    • Comprehensive audit report including identified vulnerabilities and recommendations
    • Issuance of the CyberSeal seal of approval

    Surveillance Audits - included
    Period: Years 2 & 3
    • Annual request for updated self-declaration

    • Remote review conducted by the auditor

    • Update on developments in the threat landscape and revisions to the standard

    • Continued validity of the CyberSeal certification

  • CyberSeal Audit
    Re-Certification

    CHF 3'900.- (excl. VAT)

    From year 4 onward 

    The certification cycle restarts with a full audit
    Scope of services:
    • Full re-audit for existing certified IT service providers

    • Same scope as the initial certification, including surveillance audits in the two subsequent years

    • Discounted fee for continuous certification