52. Azerbaijan 59.74

52nd National Cyber Security Index
40th Global Cybersecurity Index
65th ICT Development Index
76th Networked Readiness Index
Population 9.7million
Area (km2) 86.6thousand
GDP per capita ($) 17.9thousand
NCSI FULFILMENT PERCENTAGE
NCSI DEVELOPMENT TIMELINE 3 years All data
RANKING TIMELINE
NCSI Update Data source
24 Jan 2023 Cooperation partner
17 Mar 2020 Public data collection

Version 24 Jan 2023

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 0/5 0%
    0
    5 0%
    • 5.1. Cyber security responsibility for digital service providers 0
      0
      1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 0
      0
      1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence
    • 5.3. Competent supervisory authority 0
      0
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 6/6 100%
    6
    6 100%
    • 6.1. Operators of essential services are identified 1
      1
      1
      Requirements
      Criteria

      There is a legal act that allows to identify operators of essential services.

      Accepted references

      Legal act

      Evidence

      The subjects of critical information infrastructure  also includes operators of essential services.

      See, the new chapter (Chapter V-I. Security of critical information infrastructure) added to the law on May 27, 2022.

      According to the Law critical information infrastructure is defined as a set of information systems, automated management systems and information-communication networks that provide activity in the field of public administration, defense, health care, financial markets, energy, transport, information technology, telecommunications, water supply or ecology, and whose functionality can cause significant damage to the interests of the state, society and citizens.

      According to the Article 20-1.1, the security of the critical information infrastructure is ensured by determining the requirements for the security of that infrastructure (which is further elaborated by Article 20-4), assessing compliance with these requirements and eliminating identified inconsistencies, applying the information security management system corresponding to those requirements, as well as monitoring the state of ensuring the security of the critical information infrastructure.

      20-5.2. The subject of critical information infrastructure ensures the security of the critical information infrastructure belonging to it in accordance with the general and special requirements for the security of the infrastructure.
      Note, there are also new relevant definitions added to the Law (See, Article 2).

    • 6.2. Cyber security requirements for operators of essential services 1
      1
      1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence

      See, the new chapter (Chapter V-I. Security of critical information infrastructure) added to the law on May 27, 2022.

      According to the Article 20-5.2. The subject of critical information infrastructure must ensure the security of the critical information infrastructure belonging to it in accordance with the general and special requirements for the security of the infrastructure.

      Also, see

      20-4.1. General requirements for the security of critical information infrastructure are determined by the body (institution) determined by the relevant executive authority.

      20-4.2. Special requirements for the security of critical information infrastructure are determined by the subject of critical information infrastructure in accordance with the purpose of critical information infrastructure and its operational characteristics and are placed in the register of critical information infrastructure objects.

    • 6.3. Competent supervisory authority 3
      3
      3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      The State Security Service of the Republic of Azerbaijan performs the functions of the competent authority in the field of ensuring the security of critical information infrastructure and the fight against cyber threats. 

      In relation to state bodies, public legal entities created on behalf of the state, legal entities owned by the state, the State Security Service of the Republic of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of the Republic of Azerbaijan.

    • 6.4. Regular monitoring of security measures 1
      1
      1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence

      20-6.8. In order to ensure compliance with the requirements for the security of critical information infrastructure, as well as to organize the operation of the information security management system in accordance with the requirements, the subjects of the critical information infrastructure must conduct external audits by the cyber security service provider no less than once a year, and its results must be submitted to the [superviosory authority].

  • 7. E-identification and trust services 7/9 78%
    7
    9 78%
  • 8. Protection of personal data 1/4 25%
    1
    4 25%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
Information Disclaimer

The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.

What can I do to improve my country's data in NCSI?

Become a data contributor Update a specific indicator with evidence data

CONTRIBUTORS

Elvin Balajanov
Azerbaijan Cybersecurity Organizations Association
Faig Farmanov
Ministry of Transport, Communications and High Technologies, Cyber Security Service / CERT.AZ
Bahar Asgarova
Intern at e-Governance Academy