Information Security Law compliance review

The Law on Information Security and its bylaws define the list of activities in which ICT systems of particular importance are used, and establish an obligation (Article 6a of the Law) for all operators of ICT systems of particular importance to be entered in the records kept by the competent Ministry of Trade, Tourism and Telecommunications, as well as to implement 28 measures for the protection of the information system (Article 7 of the Law). The operator of the ICT system is obliged to review the ICT system, i.e. to check the compliance of the applied security measures with the Security Act, with the safeguards prescribed by the Law on Information Security and with the Regulation on Protection Measures, and to produce a report on that review at least once a year.

The review can be done independently or with the involvement of external experts.

The Decree determining the List of Activities in areas where activities of general interest are performed and in which information and communication systems of particular importance are used defines the activities in which ICT systems of particular importance are used.

The review assesses the adequacy of the level of information security by verifying the safeguards, procedures and responsibilities established by the Security Act, and by identifying any endangerment or violation of information security resulting from the use of inappropriate procedures or technical means.

Article 7 of the Law defines the 28 measures for the protection of ICT systems of particular importance, which are regulated in more detail by the bylaw "Regulation on closer regulation of measures of protection of information and communication systems of particular importance", under which 119 control requirements can be identified.

Article 8 of the Law also obliges operators of ICT systems of particular importance (hereinafter: ICT Operator) to adopt a Security Act for the ICT system of particular importance, whose content is further regulated by the bylaw "The Regulation on Closer Content of the Information and Communication Security Act, a system of particular importance, the manner of verification and content of the information and communication systems security check report of particular importance", under which 9 control requirements can be identified. Article 9 of the Law defines the obligations of ICT operators when entrusting activities related to the ICT system of particular importance to third parties, from which 2 control requirements can be identified. Article 11 of the Law defines the obligations of the ICT operator in relation to reporting incidents, i.e. 2 control requirements. The total number of requirements under the Law and bylaws is 134.


How can Deloitte help?

  • We assist clients in drafting and harmonizing the Information System Security Act in accordance with regulatory requirements
  • We help clients harmonize their information system security management by conducting a detailed GAP analysis of compliance with the prescribed safeguards and making recommendations for improvement
  • We conduct the regular annual review of the implementation of safeguards in accordance with the


Why Deloitte?

Deloitte is a recognized leader in cybersecurity

  • Ranked #1 in the world in security consulting services for the 11th year in a row, based on revenue, by Gartner. (Source: Gartner, Gartner Market Share Security Consulting Services, 2021)
  • Named a global leader in cybersecurity incident response services. (Source: Forrester Research, The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022, by Jess Burn with Joseph Blankenship, Danielle Jessee and Peggy Dostie, published March 28, 2022)
  • Named a worldwide leader in incident readiness services by IDC. (Source: "IDC MarketScape: Worldwide Incident Readiness Services 2021 Vendor Assessment", by Craig Robinson and Christina Richmond, IDC #US46741420, November 2021)
  • Named a leader in Canadian security services. (Source: "IDC MarketScape: Canadian Security Services 2022 Vendor Assessment", by Yogesh Shivhare, March 2022, IDC #CA48060922)
  • Named a global leader in cybersecurity consulting services by ALM for the sixth year in a row.


Dejan Perić

Director, Risk Advisory

Dejan, a BA in business management, is a Director in Deloitte’s Serbian Risk Advisory – IT Risk and Controls practice with more than 17 years of professional experience. He made his career by leading ...

Borko Mijic


Borko is a Manager in the Risk Advisory team in Serbia, responsible for advising clients on risk advisory matters including IT regulatory and compliance audits, IT assessment, Business IT Support Sy...