On 11 May 2023 the Institute for Standardization of Montenegro (ISME) organized a round table on the topic "Information security in the light of the application of the 27k standards". The event was organized within the IPA Project funded by the EU IPA Annual Action Programme for 2020 and implemented by the EPRD consortium, with the aim of supporting the development of further administrative capacity and the degree of compliance with the EU acquis in the area of competitiveness and innovation, especially in the areas of services, standardization, accreditation, competition and state aid. In this way, Montenegro is enabled to meet the key criteria for EU accession within the relevant negotiation chapters.
The presenter was Mr. Lojze Kunčič, lead auditor for the information security management system standard ISO/IEC 27001:2013 (Republic of Slovenia).
The round table was moderated by Zoran Glomazić, director of ISME. The panelists were representatives of the academic community: prof. Dr. Božo Krstajić (ETF), prof. Dr. Adis Balota (ISME/TK) and prof. Dr. Ramo Šendelj (UDG); a representative of the regulator: Dušan Krkotić (MJU, CIRT); and representatives of the business sector: Nada Rakočević (PKCG) and Mladen Bukilić (ČICOM).
The aim of the round table was to raise awareness of the importance of applying standards, with special reference to information security standards, in order to achieve a higher level of protection of information systems and data, and to recognize the competitive advantages that implementing the standards of the "27k family" can provide in all segments of our society.
Bearing in mind the expressed need for continuous improvement of the legal regulations in this area, the participants of the round table, both panelists and other attendees, agreed on a set of professional views and expect understanding and engagement in their implementation.
These views are reflected in the following recommendations. The regulatory framework is very important and provides the basis for raising the level of IT security. The regulator (the state authorities responsible for regulations) must keep the regulations current, so that they provide a broad basis for applying the best practices defined in standards and recommendations. References to standards, whether direct or indirect, should be placed in regulations below the level of the law, for easier monitoring and updating, and the solutions from directives and standards should also be implemented through the legal regulations on personal data protection. Given the importance of sustained improvement of the standards in this area, it is recommended that regulators, when referencing standards, consult the Institute for Standardization of Montenegro, in order to ensure up-to-date tracking of current standards and to fulfil the legal obligation to maintain a register of regulations that reference standards.
Activities should be initiated so that, during the implementation of significant state projects, state authorities insist on the application of standards in their work processes and ensure that the controls required by the standards are provided through the project solutions. This implies that state authorities need to implement information security standards in their own environments.
Universities should be encouraged to include, in their teaching programmes at the undergraduate level and especially at the master's and specialist levels, units dedicated to standards and the importance of standardization, not only in the field of information security. This is important because a large number of decision makers have a non-technical education and, as a result, have less contact with standardization and less understanding of that process.
The participants of the round table unanimously pointed out that awareness must be developed that information security is not only the responsibility of IT professionals but of all employees, and above all of decision makers. In this context, all employees, and especially the organization's management, must be aware of and familiar with the risks that may affect the information assets within their domain of responsibility.
In order to sustainably protect the Montenegrin institutional, public and business systems from possible future cyber attacks, it is recommended to establish better communication with the national incident response body, CIRT, in order to exchange information about attacks (examples of "bad practice") among IT experts and professionals, so that information and experience are shared and solutions are offered (or sought) to improve information security.
In connection with the recommendations above, the participants highlighted the importance of greater involvement of decision makers at the institutional level, who should take part both personally and together with their management associates in educational programmes on standardization topics, in order to intensify the implementation of standards in institutional processes and so that Montenegro can, in a shorter period and in an adequate manner, fulfil this important obligation of harmonization with this important system of EU values.
The participants of the round table highlighted the above recommendations as very significant for the future sustainable development of Montenegro in the IT field. The importance of this topic, initiated by ISME, and the success of the round table, organized with the support of IPA funds (EPRD consortium), are confirmed by the extremely high interest of representatives of the most important institutions in attending the event.