The Act on Information Security is the internal document that ICT system operators must adopt under the Law on Information Security (“Official Gazette of RS”, Nos. 6/2016, 94/2017 and 77/2019). The Law regulates security measures against risks in information and communication (ICT) systems, stipulates the responsibilities of legal entities in managing and using ICT systems, designates the competent authorities for implementing security measures, provides for coordination between the bodies responsible for security, and governs supervision of the proper implementation of the prescribed measures.
During the planning and implementation of security measures for ICT systems, organizations are obliged to adhere to the following principles:
- Risk management principle – The selection and level of implementation of measures are based on risk assessment, the need for risk prevention, and mitigation of consequences of recognized risks, including all types of emergency situations.
- Comprehensive protection principle – Measures are applied at all organizational, physical, and technical levels, as well as throughout the entire life cycle of ICT systems.
- Expertise and best practices principle – Measures are implemented in accordance with professional and scientific knowledge and experience in the field of information security.
- Awareness and competency principle – All individuals whose actions effectively or potentially impact information security should be aware of risks and hold appropriate knowledge and skills.
Furthermore, where personal data are processed while exercising responsibilities and fulfilling obligations under the Law on Information Security, organizations must also comply with the regulations governing personal data protection. A rational approach is therefore to address compliance with both laws within a single project that covers the requirements of these two closely related areas: the Act on Information Security is itself one of the organizational and technical measures adopted when implementing personal data protection policies and the GDPR.
Organizations are legally obligated to adopt and implement the Act on Information Security, which in particular sets out the principles, methods and procedures for achieving and maintaining an adequate level of system security, together with the authorities and responsibilities relating to the security and resources of ICT systems of special importance.
ICT system operators are also required by law, either on their own or by engaging external experts, to check at least once a year that the measures applied to their ICT system comply with the Act, and to document the result of that check in a written report.
DPO SUPPORT develops comprehensive documentation in the domain of information security following preliminary analysis and consultations with the organization’s management, thereby achieving clear project definition and efficient implementation.
Contact us for optimal solutions.