ISVS Certification:
Comprehensive protection of information systems for CIS organisations

Information security is not merely a technical task but a fundamental component of the strategic management of any modern organisation. For the countries of the Commonwealth of Independent States (CIS), such as Kazakhstan, Uzbekistan and Kyrgyzstan, as well as for countries with similar regulatory approaches, such as Georgia, information protection requirements are becoming increasingly stringent. Against the backdrop of growing cyber threats and the complexity of digital infrastructures, ISVS certification has become a key element for organisations in ensuring robust information security and compliance with regulatory requirements.

What is ISVS Certification

ISVS (Departmental Information Systems) certification is a regulated process of officially confirming that information systems (IS) comply with established state or industry security requirements. The term “departmental significance” highlights the particular importance of these systems for performing governmental functions, delivering public services, or supporting critical sectors of the economy.

The certification process is not just a formal check, but a comprehensive audit that includes:

1. In-depth analysis of the IS architecture: Examination of the network topology, hardware and software in use, data flows and mechanisms for component interaction.
2. Assessment of organisational and administrative documentation: Review of security policies, instructions, access regulations, business continuity and disaster recovery plans.
3. Technical audit and penetration testing: Identification of vulnerabilities in system configurations, network equipment and applications; simulation of attacks to verify real levels of protection.
4. Analysis of the Information Security Management System (ISMS): Evaluation of access control processes, incident, change and update management, and backup procedures.
5. Verification of personnel competence and training levels: Assessment of staff awareness of information security issues and the presence of designated responsible persons.
6. Physical security: Evaluation of measures to protect server rooms, equipment and communication channels from unauthorised physical access.
7. Development of a threat model and attacker model: Identification of relevant threats for the specific IS and potential attack vectors.
8. Preparation of recommendations: Delivery of a detailed plan for eliminating identified non-conformities and enhancing the overall level of security.
9. Preparation of reporting documentation and issuance of the Certificate of Conformity: An official conclusion on whether the information system complies with security requirements, along with a list of conditions under which the certificate is valid.

Why organisations need ISVS Certification

Obtaining an ISVS certificate is not only a demonstration of commitment to high information security standards but also a critically important step for many organisations.

• Compliance with legal and regulatory requirements: In many CIS countries, operating government and certain commercial information systems without certification constitutes a direct breach of the law, which may result in fines, suspension of activities and other sanctions.
• Enhanced trust from the state, citizens and partners: A certified system is regarded as more reliable, which is particularly important for public authorities, financial institutions and companies handling personal data or forming part of critical infrastructure.
• Reduced risks of cyber threats and financial losses: Proactive identification and elimination of vulnerabilities significantly lowers the likelihood of successful attacks, data leaks, financial fraud and reputational damage.
• Improved operational resilience and efficiency: Standardisation of information security processes, clear allocation of responsibilities and the existence of incident response plans contribute to the uninterrupted operation of information systems and reduced downtime in the event of failures.
• Eligibility for government procurement and projects: Possession of an ISVS certificate is often a mandatory requirement for IT service providers and solution vendors working with the public sector.
• Protection of intellectual property and trade secrets: Certification helps to implement controls that prevent unauthorised access and the leakage of confidential information.

Which organisations require ISVS certification as a critical necessity

Although requirements may vary slightly across jurisdictions, information systems subject to certification generally include:

• Government bodies at all levels.
• State-owned enterprises and institutions.
• Operators of critical information infrastructure (energy, transport, communications, finance, healthcare).
• Organisations processing large volumes of citizens’ personal data.
• Financial institutions managing state financial flows or subject to special regulation.
• Systems of interdepartmental electronic interaction.

How a detailed ISVS information systems audit is conducted

The process of audit and subsequent certification can be broken down into the following key stages:

1. Initiation and preparatory stage:
   
   
   • Submission of an application for certification.
   • Defining the scope of the audit (which systems, components and processes will be assessed).
   • Collection and review of initial IS documentation (technical passports, regulations, policies).
   • Formation of a working group and approval of the work schedule.
2. Preliminary audit (optional but recommended):
   
   
   • Rapid assessment of the current state of the IS and its readiness for full certification.
   • Identification of obvious non-conformities and provision of recommendations for their prompt elimination.
3. Main audit (certification testing):
   
   
   • Document review: Verification of completeness and accuracy of organisational and administrative information security documentation.
   • Technical control: Vulnerability scanning, configuration analysis, testing of information security tools, and review of event logs.
   • Instrumental control and penetration tests (if necessary): Use of specialised software to identify hidden vulnerabilities and assess the actual level of protection.
   • Personnel interviews: Assessment of employees’ knowledge and skills in information security.
   • Site inspection: Verification of physical security of facilities.
4. Analysis of results and development of recommendations:
   
   
   • Systematisation of all identified vulnerabilities and non-conformities.
   • Risk assessment for each vulnerability.
   • Development of specific, actionable recommendations to address deficiencies and improve protection levels.
5. Preparation of reporting documentation:
   
   
   • Compilation of a technical report based on audit findings.
   • Development of programmes and methodologies for certification testing.
   • Preparation of test protocols.
   • Drafting of a Certificate of Conformity or a reasoned refusal.
6. Elimination of non-conformities (if required):
   
   
   • The organisation implements the recommended measures.
   • A follow-up inspection (control testing) is conducted to confirm that deficiencies have been resolved.
7. Issuance of the Certificate of Conformity:
   
   
   • If all checks are passed successfully, the authorised body or accredited company issues a Certificate of Conformity, usually valid for a limited period (e.g. 3–5 years).
8. Post-audit support and inspection control:
   
   
   • Ongoing consultancy during the operation of the certified system.
   • Periodic inspection audits to confirm that the system continues to meet security requirements throughout the validity period of the certificate.

Challenges in undergoing ISVS certification

Organisations seeking certification may face a number of challenges:

• High cost: Implementation of the required information security measures, along with auditor and consultancy fees, can be significant.
• Labour intensity: The process requires the involvement of IT specialists, security staff and management.
• Need to adjust business processes: In some cases, established workflows must be revised to meet requirements.
• Legacy systems: Older information systems can be difficult to modernise and align with current standards.
• Shortage of qualified staff: Organisations may lack in-house experts with the necessary experience in information security and certification.
• Dynamic threats and requirements: Standards and threats are constantly evolving, requiring regular system updates and continuous staff training.

Why organisations across the CIS choose LLP System Management

System Management has extensive experience and expertise in the field of ISVS information security. We provide comprehensive solutions tailored to the specific requirements of organisations in CIS countries.

Our key advantages:

• In-depth knowledge of national standards: We understand the specifics of legislation and regulatory requirements in Kazakhstan, Uzbekistan, Kyrgyzstan and other countries in the region.
• Certified specialists: Our team consists of professionals holding internationally and locally recognised certifications (CISSP, CISA, ISO 27001 Lead Auditor, etc.) and with hands-on experience working with government information systems.
• Individual and pragmatic approach: We do not simply follow templates — we develop solutions that best reflect each organisation’s scale, budget, industry specifics and level of information security maturity.
• Comprehensive end-to-end support: From initial analysis and roadmap development to the full implementation of technical and organisational measures, staff training, successful certification and ongoing support.
• Focus on real security, not just formal compliance: Our aim is not merely to obtain a “piece of paper” for you, but to genuinely enhance the protection level of your information system.
• Partnership with leading security solution providers: Assistance in selecting and implementing effective, certified information security tools.

How to start the certification process with System Management

If your organisation is required to undergo ISVS certification or aims to significantly improve its level of information security, contact us for an initial consultation. We will help you to:

1. Determine whether your information system falls under the mandatory certification requirements.
2. Carry out a preliminary rapid assessment of your current security status.
3. Develop a roadmap for preparing for certification.
4. Propose an optimal action plan and budget aligned with your goals and requirements.

Ensure the reliable protection of your information and compliance with regulatory requirements with System Management — your trusted expert partner in ISVS information security.