Information Security Management System (ISMS) for banks and companies of Ukraine

General information
Today an ISMS audit is a necessary and much-requested exercise. Organizations whose business depends heavily on information technology, for example banks and oil, gas, energy and telecommunications companies, have become increasingly active in commissioning ISMS audits.

An ISMS audit can be initiated by the management of the bank or company (an internal ISMS audit), by counterparties (for example, where a client requires an ISMS audit or a clause in the contract demands one), or by a third party such as a supervisory body (the NBU), in which case the audit is conducted by an independent company.

An external ISMS audit gives assurance that an ISMS has been established, implemented, controlled and is functioning in the audited bank or company, and that it meets not only the requirements of the ISO standards but also the regulatory documents of the National Bank of Ukraine and other regulatory bodies. An external ISMS audit provides an opportunity to assess the quality of the ISMS on the following points:

– whether the set of assets has been identified and brought under ISMS asset management, and whether the risk assessment is correct,
– the evaluation of the effectiveness, monitoring and analysis of the functioning of the ISMS,
– maintenance and improvement.

In addition, the external ISMS audit provides an opinion on how far management has demonstrated support for the processes and efforts related to planning, implementation, operation, control, maintenance and modernization of the ISMS in accordance with the requirements of the standards and regulations.

Normative documents and decisions of the NBU

The Board of the National Bank of Ukraine adopted Resolution No. 474 of October 28, 2010, “On the Entry into Force of Standards for Information Security Management in the Banking System of Ukraine”.

Following the publication of this Resolution, the following NBU standards came into force:

  • SOU N NBU 65.1 СУІБ 1.0:2010 “Methods of protection in the banking sector. Information security management system. Requirements” (ISO/IEC 27001:2005, MOD);
  • SOU N NBU 65.1 СУІБ 2.0:2010 “Methods of protection in the banking sector. Code of practice for information security management” (ISO/IEC 27002:2005, MOD).

  1. Resolution No. 95 of September 28, 2017, “On Approval of the Regulation on the Organization of Measures to Ensure Information Security in the Banking System of Ukraine”;
  2. Resolution No. 98 of 03.2007, “On Approval of the Methodological Recommendations on Improving Corporate Governance in Banks of Ukraine”;
  3. Resolution No. 271 of 08.09.2008, “On Approval of the Methodological Recommendations on Planning in Banks of Ukraine of Measures in Case of Unforeseen Circumstances”;
  4. Resolution No. 243 of 07.2007, “Rules for Technical Protection of Information for Bank Premises in which Electronic Banking Documents are Processed”;
  5. Resolution No. 265 of 17.06.2004, “On Approval of the Regulation on Ensuring Continuous Functioning of the Information Systems of the National Bank of Ukraine and Banks of Ukraine”;
  6. Resolution No. 329, “Regulation on the Procedure for Formation, Storage and Destruction of Electronic Archives at the National Bank of Ukraine and Banks of Ukraine”;
  7. Resolution No. 357 of 09.2006, “On Approval of the Regulation on the Procedure for Formation, Storage and Destruction of Electronic Archives at the National Bank of Ukraine and Banks of Ukraine”;
  8. Resolution No. 601 of 12.09.2006, “On Approval of the Regulation on the Procedure for Formation, Storage and Destruction of Electronic Archives at the National Bank of Ukraine and Banks of Ukraine”;
  9. Resolution No. 63 of 02.2016, “On Approval of the Rules for Organizing the Protection of Bank Premises in Ukraine”.

    Composition of the ISO/IEC 27000 series

    ISO/IEC 27001:2013 Information security management systems. Requirements.
    ISO/IEC 27000:2016 Information security management systems. Overview and vocabulary.
    ISO/IEC 27002:2013 Code of practice for information security management.
    ISO/IEC 27003:2010 Information security management system implementation guidance.
    ISO/IEC 27004:2009 Information security management. Measurement (measuring the effectiveness of the ISMS).
    ISO/IEC 27005:2011 Information security risk management.
    ISO/IEC 27006:2015 Requirements for bodies providing audit and certification of information security management systems.
    ISO/IEC 27007:2011 Guidelines for information security management systems auditing (FCD).
    ISO/IEC 27008:2011 Guidance for auditors on ISMS controls (DRAFT).
    ISO/IEC 27011:2008 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.
    ISO/IEC 27799:2008 Information security management in health using ISO/IEC 27002.

03038, Ukraine, Kyiv, Nikolay Grinchenko str., 4
+380 44-521-40-07