CyberSeal - the seal of quality
The CyberSeal confirms that an IT service provider implements appropriate technical and organizational measures to guarantee its customers adequate protection against cyber risks. The CyberSeal contributes to increasing the cyber resilience of Swiss SMEs.
Benefit now from up to CHF 150 discount on the CyberSeal Audit
Who is the Swiss CyberSeal for?
IT service providers with their registered office and customer base in Switzerland can receive the CyberSeal if they assume overall or partial responsibility for the setup and operation of IT and/or configure and provide cloud solutions (e.g., Microsoft 365) on behalf of SME customers.
Added value for the IT service provider

Reduction of implementation, operational and security risks

Cybercrime awareness and establishment of a common language

Fulfillment of minimum IT security requirements creates trust

Better market position and advantages in insurance contracts
Added value for the end customer

Reduction of risks regarding cyberattacks

Fewer incidents, faster remediation and lower costs in the event of an incident

Independent quality seal simplifies the choice of IT service provider

Stronger focus on core business
The CyberSeal auditing process
The process follows a three-year cycle. In year one, a full CyberSeal audit is carried out. In years two and three, a maintenance audit is carried out for quality control. In year four the process is repeated with a full audit.
(1) Interest
An interested IT service provider registers by means of a form and receives the current CyberSeal checklist. An appointment for the audit is arranged.
(2) Self-declaration
The IT service provider is asked to complete and submit a self-declaration for each item on the checklist, as appropriate.
(3) Audit
The auditor checks the check points in the interview and at the console (in-depth on-site inspection). The auditor will only address self-declaration questions if clarification is required.
(4) Feedback
If no major deviations have occurred, the CyberSeal seal of approval is handed over together with the audit report.
(5) Implementation
Measures to eliminate deviations and to process indications shall be implemented within one year. This is checked in the maintenance audit.
(6) Maintenance
In years two and three after the audit, a maintenance audit is performed by self-declaration. The checklist is to be submitted updated. The auditor reviews the information and discusses any changes to the standard by telephone.
CyberSeal - Contents of the standard
IT service providers have a direct impact on the cyber resilience of SMEs. It is therefore imperative that IT service providers can demonstrate basic competencies in the following areas:
- Organization: e.g. documentation, division of responsibilities, training
- Technology: e.g. data protection, authorizations, backup
- Processes: e.g. change and incident management, monitoring
The detailed audit checkpoints and processes are based on the valid CyberSeal Audit Manual of the Alliance Digital Security Switzerland (German and French only).

What is being tested
The CyberSeal checklist (German) defines the requirements for the IT service provider and is the defined standard for the seal of approval. The precise specifications are intended to promote the uniformity of the audit. Based on a declaration of the IT service provider by means of the current checklist, the auditor obtains an initial picture. The checklist is divided into 26 chapters.
Important documents at a glance
The CyberSeal audit requirements are reviewed annually and aligned with new threat conditions. The following documents are part of the CyberSeal Standard and will be submitted at the time of audit registration.

CyberSeal Audit Report
The report describes the results of the pass or fail audit. The report identifies major and minor deviations as well as notes and recommendations for cybersecurity improvement.

CyberSeal Audit Manual
The manual describes the application of the CyberSeal checklist, the terms used, and the audit process. It also explains the requirements and how to deal with possible deviations.
CyberSeal Audit Manual (German)

CyberSeal Checklist
This is the comprehensive checklist with the specific questions for conducting the CyberSeal audit. After the audit, the audit report is issued along with the filled-in checklist.
Dealing with deviations, indications and recommendations
Major Deviation, preventing CyberSeal
Failure to meet an Audit Manual requirement for a Priority One item on the checklist will result in a Major Deviation.
Dealing with major deviations
The IT service provider has 3 months to correct the major deviation. After expiry of the deadline, the auditor assesses the rectification. Additional costs of CHF 600 are incurred for this review. If the major deviation is insufficiently resolved, no CyberSeal is issued and the process must be restarted.
Minor Deviation
If a requirement is only partially fulfilled for a checklist item designated with priority one, this results in a minor deviation.
Dealing with minor deviations
The IT service provider must address the minor deviation by the next maintenance audit, at which point the deviation is audited. A clearly identifiable improvement must have been implemented. If the requirement is still not completely fulfilled, it can be declared a minor deviation again for the next audit/maintenance audit.
Notes and Recommendations
Notes are findings of the auditor that can contribute to an improvement of the cybersecurity of the IT service provider and its customers.
The IT service provider decides for itself whether and how the notes are implemented. The auditor will discuss an implementation in the next maintenance audit.
The Costs
The CyberSeal quality seal is valid for 3 years. It includes a comprehensive audit in year 1 worth CHF 3'700, followed by an annual maintenance audit in years two and three worth CHF 600 each.
CyberSeal Audit
Certified IT-Service Provider
Maintenance Audit
- Telephone call in years two and three for the maintenance audit
- One-hour discussion (online or by phone) of progress based on self-declaration and current threats
- Update regarding current cyber risks
- Review of self-declaration