Eesti infoturbe standardi (E-ITS) nõuete kirjeldamine riigihangetes

Abstract

Estonia, one of the world's most digitally dependent countries, confronts significantly greater repercussions from cyber threats compared to many other nations. In response to this pressing challenge, the Estonian government has introduced the new Estonian Information Security Standard (E-ITS), aimed at bolstering information security management across enterprises of varying scales. The obligation to implement the standard applies to all organizations within the scope of the Cyber Security Act, effective from January 2023. A considerable proportion of these entities no longer maintain their own IT infrastructure and procure IT services from external service providers. However, the introduction of the standard has created a conundrum where procurement processes still make reference to previously applicable ISKE system, indicating the complexities and challenges of the transition period. On the other hand, there exists an issue pertaining to the vagueness in the technical specifications of procurements, resulting in ambiguity regarding the party responsible for implementing security measures. The aim of the master's thesis was to provide one possible approach to help procurers define the technical requirements for information security measures in ICT service procurements. The compendium of checklists developed during the master's thesis helps procurers define information security measures aligned with their organization's security policies, which can be requested from service providers within the scope of the services procured, thereby providing methodological support for drafting technical specifications in public procurements.