Information security inspection bodies

FICORA guides and monitors information security inspection bodies that provide public authorities and private companies with reliable and independent information security assessment services.

Inspection bodies contribute to promoting industrial security

With assessments carried out by inspection bodies, private companies can prove that their operations meet the requirements set for information security. This way, companies can prepare for international competitive bidding requiring security clearance from a competent security authority or prove to a national authority that their operations meet the required level of information security.

It is always the competent security authority that issues security clearances to companies and accredits information systems and telecommunications arrangements. However, the competent security authority can issue an accreditation based on an assessment carried out by an inspection body.

When assessing industrial security, information security requirements may be verified, for example, with the national security auditing criteria (KATAKRI).

National security auditing criteria (KATAKRI)

Assessment procedure

In an information security audit, the inspection body:

  • examines whether the operations meet the requirements set for information security;
  • inspects the facilities of the organisation being assessed.

The assessment is based on a commission from the organisation to be assessed, specifying the information security assessment criteria used and the information security level sought.

Assessment of authorities' information security

When improving their information security or assessing their information systems, public authorities may use inspection bodies accredited by FICORA. From the beginning of June 2015, public authorities can only use the services of FICORA or an inspection body accredited by FICORA to assess the security of their information systems.

The assessment procedure is regulated by the act on the assessment of the information security of public authorities' information systems and telecommunications arrangements.

The act on the assessment of the information security of public authorities' information systems and telecommunications arrangements (in Finnish).

Compliance with the requirements laid down in the government decree on information security is verified based on the instructions issued by the Government Information Security Board (VAHTI).

Government Information Security Board VAHTI (in Finnish)

Central government authorities must ensure that their information processing complies with the information security requirements laid down in the decree on information security, or the base-level requirements of information security, by 1 October 2013. If an authority classifies its secret documents, it also has to adhere to the decree's requirements concerning the processing of classified documents.

The government decree on information security in central government (in Finnish).

Guidance and monitoring of inspection bodies

FICORA:

  • accredits information security inspection bodies;
  • guides and monitors their activities.

The Finnish national accreditation body FINAS (Finnish Accreditation Service):

  • assesses the independence of information security inspection bodies;
  • assesses the competence of the bodies' personnel;
  • is responsible for monitoring the bodies' competence.

FINAS
The act on information security inspection bodies (in Finnish)

FICORA's guidelines for information security inspection bodies (in Finnish)

FICORA issues further guidelines on the accreditation and operation of inspection bodies.

Key words: Information security, NCSA-FI

Updated 30.05.2017


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248