SSF 1101 ed. 2 SSF Cybersecurity Basic Level Basic IT Security

Cybersecurity is the protection of systems, networks, and programs from digital attacks, damage, and unauthorized access. SSF 1101 helps organizations achieve basic cybersecurity.

Target demographic: Small to medium size organisations, manufacturers, retailers and installers.

Product information

Cybersecurity involves the protection of systems, networks, and programs from digital attacks, damage, and unauthorized access. This includes technical and organizational measures as well as behavioral strategies to protect information, data, and technical resources against threats that may arise in cyberspace. Employees’ digital identities are key to the organization’s most sensitive information and are therefore often targets for cyberattacks aimed at compromising permissions.

This norm contains basic and concrete requirements to be met by small and medium-sized organizations to obtain certification according to SSF 1101 – SSF Cybersecurity Basic Level – fundamental IT security. The scope of the certification can be limited to a certain organizational part and/or a technical function – i.e., one or more systems or processes.

An important part of the background to the new edition is the upcoming NIS2 directive, which is to be implemented in Swedish legislation in 2024.

What's new in the second edition?

  • Backups MUST be checked regularly.
  • The organization MUST identify the suppliers whose IT services are critical to the organization’s operations. Examples of IT services are listed in Appendix A.
  • The organization MUST ensure that the suppliers whose IT services are critical to the organization’s operations have basic cybersecurity. Comment: it is up to the organization HOW they ensure this.
  • The supplier’s level of cybersecurity MUST be ensured through self-declaration, accreditations, certificates, or equivalent. Comment: the level can be verified in different ways; certification is not a requirement, but certification according to SSF 1101 is a simple and cost-effective way to demonstrate a basic level for a supplier.
  • In all cases where it is technically possible, Multi-Factor Authentication (MFA) SHOULD be used for user authentication.
  • Training in cybersecurity does not refer to MSB DISA; it is up to each organization to choose the method it uses to meet the training requirements. The extent of the training is stated in the norm.


References

The following publications include requirements which, in part or in full, constitute requirements in this norm. Only the listed edition applies in the case of dated references. The latest edition of the publication, including any published interpretations and additions, applies in the case of undated references.

– SS-EN ISO/IEC 17021 Conformity assessment – Requirements for bodies providing audit and certification of management systems

– SS-EN ISO/IEC 17024 Conformity assessment – General requirements for bodies that certify persons

SSF 1101 Edition 2 SSF Cybersecurity Basic level – Basic IT security

  • Language: English.
  • Dated: SSF 1101 edition 2 is valid from 6 December 2023. SSF 1101 edition 1 will be suspended on 31 December 2024.
  • Our digital versions of norms and standards can only be purchased if you have a valid Swedish organization number and phone number.