Public Sector
Estonian Information Security Standard (E-ITS)
The first Estonian Information Security Standard (E-ITS) was completed in the spring of 2021 under the leadership of the State Information System Authority. It is an information security management system based on the principle of baseline security, oriented towards risk management. The standard is in compliance with the Estonian legal space, as well as with the internationally recognized standard ISO/IEC 27001. Albeit E-ITS is developed in Estonian, it is also available in English.
E-ITS offers ready-made sets of security controls (e.g. access and incident management, standard software, outsourcing, firewalls, etc.) to organizations using standard solutions. Baseline security allows the organization to reuse the best practices of information security and thereby save resources needed for the implementation of information security. For the part outside of standard security, E-ITS offers risk-based information security management so that the end result is a comprehensive solution based on the organization and its need for protection.
Who E-ITS is designed for?
E-ITS is designed primarily for public sector organisations, but it is also suitable for all other institutions regardless of their size and technology used. For public sector staff, the implementation of E-ITS must become a natural part of the work process. The E-ITS regulation came into force in January 2023.
E-ITS will completely replace ISKE by 2024.
What benefits can you expect from implementing E-ITS?
- You have understood the goals that are important to your organization and the processes needed to achieve them.
- You have an overview of the assets related to your processes and their real need for protection in the context of availability, integrity and confidentiality, and the need for protection against cyber threats.
- If information security is well organized and integrated into all processes, you can focus on your core business and you are always ready to respond adequately to attacks and other information security threats. In addition, you have the confidence that your institution is operating in compliance with regulations.
- You can prove the security and sustainability of your institution to your customers and partners with an auditor’s assessment.
- A well-thought-out and sustainable information security process ensures the continuity of your organisations’ services and a good reputation, as well as a competitive advantage among institutions of its kind.
- By implementing E-ITS, you also contribute to the secure operation of the Estonian e-state.
Important recommendations
- Analyse the information security goals of the institution together with the management – why does information security matter to you?
- Review your organization’s business processes, assign those responsible for the processes, identify assets related to business processes, find relevant security measures from the Estonian information security standard and apply them to each process.
- Implement risk management in the institution or, if you have already implemented risk management, include cybersecurity threats there as well.
- Monitor and regularly improve the operation of the institution’s information security management system.
- Plan the organization’s resources in the context of possible losses to eliminate the consequences or to prevent losses.
- Raise awareness among managers and employees about information security and train them regularly.
- Update information security management in case of significant changes and major incidents in the institution!
Information security and senior management
- The top manager is responsible for information security in the institution, because the top manager sees the organization as a whole, knows the organization’s goals and understands what can threaten the achievement of goals in the operation of business processes.
- The manager’s attitude determines whether the organization has enough resources for information security and whether information security is understandable, self-explanatory, popular and comprehensive for everyone in the organization.
- Expensive security solutions will not make an organization secure unless all employees contribute to the process. The supervision organized by the top manager is therefore important.
- In the event of incidents, the role of the senior manager is to provide relevant information to the public, including communicating with the media.
Additional information
- Materials related to E-ITS are available in Estonian in the portal eits.ria.ee, English translation of E-ITS can be found here.
- Information security management basic training for implementers of the Estonian information security standard is available as an e-course in Estonian in the Digiriigi Akadeemia platform