Information security inspection bodies
With assessments carried out by inspection bodies, private companies can prove that their operations meet the requirements set for information security. This way, companies can prepare for international competitive bidding requiring security clearance from a competent security authority or prove to a national authority that their operations meet the required level of information security.
It is always the competent security authority that issues security clearances to companies and accredits information systems and telecommunications arrangements. However, the competent security authority can issue an accreditation based on an assessment carried out by an inspection body.
When assessing industrial security, information security requirements may be verified, for example, with the national security auditing criteria (KATAKRI).
In an information security audit, the inspection body:
- examines whether the operations meet the requirements set for information security;
- inspects the facilities of the organisation being assessed.
The assessment is based on a commission from the organisation to be assessed, specifying the information security assessment criteria used and the information security level sought.
When improving their information security or assessing their information systems, public authorities may use inspection bodies accredited by FICORA. From the beginning of June 2015, public authorities can only use the services of FICORA or an inspection body accredited by FICORA to assess the security of their information systems.
The assessment procedure is regulated by the act on the assessment of the information security of public authorities' information systems and telecommunications arrangements.
(Laki viranomaisten tietojärjestelmien ja tietoliikennejärjestelyjen tietoturvallisuuden arvioinnista, 1406/2011) (in Finnish)
Compliance with the requirements laid down in the government decree on information security is verified based on the instructions issued by the Government Information Security Board (VAHTI).
Central government authorities must ensure that their information processing complies with the information security requirements laid down in the decree on information security, or the base-level requirements of information security, by 1 October 2013. If an authority classifies its secret documents, it also has to adhere to the decree's requirements concerning the processing of classified documents.
(Valtioneuvoston asetus tietoturvallisuudesta valtionhallinnossa, 681/2010) (in Finnish)
FICORA:
- accredits information security inspection bodies;
- guides and monitors their activities.
The Finnish national accreditation body FINAS (Finnish Accreditation Service):
- assesses the independence of information security inspection bodies;
- assesses the competence of the bodies' personnel;
- is responsible for monitoring the bodies' competence.
(Laki tietoturvallisuuden arviointilaitoksista, 1405/2011) (in Finnish)
FICORA issues further guidelines on the accreditation and operation of inspection bodies.