CYBERSECURITY LAW OF MONGOLIA: DEFINITION, IMPLEMENTATION, AND ITS IMPACT ON NATIONAL SECURITY
DOI:
https://doi.org/10.31435/ijitss.4(48).2025.4298
Keywords:
Cybersecurity Law, Terminology, Audit, Risk Assessment
Abstract
The Cyber Security Law enacted in Mongolia in 2022 is the first comprehensive legal framework aimed at safeguarding the cyber environment, yet uncertainties and deficiencies remain in its enforcement.
This study seeks to examine the terminology, risk assessment, and regulatory methodology for information security audits under the Mongolian Cyber Security Law, assess their impact on national security, and compare and evaluate them against international practices.
The analysis involved a review of relevant Mongolian laws, regulations from the Ministry of Electronic Development, and information from authorized entities, along with a quantitative and qualitative comparison of the implementation levels of information security audits and cybersecurity risk assessments.
Additionally, comparisons were made with international standards such as ISO/IEC 27001, ISO/IEC 27005, NIST SP 800-30, ENISA, and the cybersecurity practices of countries like Estonia, Singapore, and South Korea. While Mongolia has a foundational legal framework for cybersecurity, significant shortcomings persist in its execution. To address these issues, it is imperative to refine terminology, establish a national audit body, standardize risk assessment and audit methodologies in alignment with global standards, establish a centralized monitoring and inspection system, develop a national centralized platform, and enhance human resource capabilities. These measures are crucial for safeguarding national security and ensuring the resilience of Mongolia’s cyber environment.
References
Ministry of Digital Development. (2023). Regulations on selection, authorization, and registration of organizations providing information security audit and risk assessment services (Order No. A/46).
International Organization for Standardization. (2022). ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements. ISO.
International Organization for Standardization. (2022). ISO/IEC 27005:2022 — Information security risk management. ISO.
National Institute of Standards and Technology. (2012). NIST Special Publication 800-30 Rev. 1: Guide for conducting risk assessments. NIST. https://doi.org/10.6028/NIST.SP.800-30r1
European Union Agency for Cybersecurity. (2020). Cybersecurity risk management guidelines. ENISA. https://www.enisa.europa.eu/publications/cybersecurity-risk-management-guidelines
Wiener, N. (1948). Cybernetics: Or control and communication in the animal and the machine. MIT Press.
State Great Khural of Mongolia. (2022). Law on cybersecurity. Ministry of Justice and Home Affairs.
Stallings, W. (2017). Effective cybersecurity: A guide to using best practices and standards. Addison-Wesley Professional.
Whitman, M., & Mattord, H. (2020). Principles of information security (6th ed.). Cengage Learning.
European Union Agency for Cybersecurity. (2019). Good practices for national cyber security strategies. ENISA. https://www.enisa.europa.eu/publications/good-practices-for-national-cyber-security-strategies
Kshetri, N. (2016). Cybersecurity management in developing countries. Springer. https://doi.org/10.1007/978-3-319-25535-6
License
All articles are published in open-access and licensed under a Creative Commons Attribution 4.0 International License (CC BY 4.0). Hence, authors retain copyright to the content of the articles.
CC BY 4.0 License allows content to be copied, adapted, displayed, distributed, re-published or otherwise re-used for any purpose including for adaptation and commercial use provided the content is attributed.

