Management System Certification

Certification Steps
1 / Completing the application form
A copy of the organization’s certificates, permits, and special licenses must be submitted together with the application form. The organization must have prepared its documentation in accordance with the relevant standard and must have conducted an internal audit and a management review meeting.
2 / Providing a certification quotation based on the information in the application form
Depending on whether Mongolian or international certification is requested, the quotation may be provided in several options.
3 / Signing the certification agreement and carrying out the certification activities
Certification activities shall be carried out in accordance with the terms of the certification agreement, including initial, surveillance, and recertification audits. When necessary, the effectiveness of corrective actions for identified nonconformities shall be evaluated.
4 / Issuing the certificate
The certificate will be issued and handed over to the organization.
Certification Scheme

LAW ON CYBERSECURITY
Organizations with Critical Information Infrastructure
19.1. The following types of organizations are classified as operators of critical information infrastructure:
- Organizations with energy production, transmission, distribution, and control systems
- Organizations with clean water, wastewater, heating supply, centralized distribution, and control systems
- Secondary and tertiary level healthcare institutions
- Laboratories studying highly dangerous infectious diseases affecting humans or animals
- Manufacturers of pharmaceuticals, chemical toxic substances, or hazardous materials
- Banks and financial institutions operating integrated electronic payment, settlement, and transaction systems
- Telecommunications and IT service providers with natural monopoly or dominant market positions
- Organizations responsible for air, railway, waterway, and road transport regulation and control systems
- Fuel and petroleum importers, producers, and distributors
- Producers, storage operators, and distributors of strategic food supplies
- Emergency communication and command centers
- National public radio and television
- Organizations responsible for core and supporting information systems and national foundational databases
- Data centers, including branch and backup data center operators
- Organizations responsible for border checkpoint control systems
- Operators of strategically important mineral deposits
- Organizations responsible for integrated systems for registration, monitoring, and information management of passengers and vehicles crossing the state border
19.2. Organizations with critical information infrastructure shall have the following obligations:
- Implement standards related to ensuring information security
- Establish a unit or designate an official responsible for cybersecurity activities
- Conduct cybersecurity risk assessments annually, or partially whenever changes occur in information systems or networks, or upon request of the competent authority, and take appropriate measures based on the findings, recommendations, and requirements
- Undergo an information security audit every two years
19.3. If an organization has undergone an information security audit in accordance with international standards within the timeframe specified in this law, the audit report shall be considered as fulfilling the requirement under Article 19.2.6 to conduct an information security audit every two years.
