Information Security Inspection Body
Nixu Certification Oy is an independent subsidiary of Nixu Corporation, acting as an official Information Security Inspection Body approved by the Finnish Communications Regulatory Authority and accredited by the Finnish Accreditation Service.
The following official security inspections belong to Nixu Certification Oy’s services: VAHTI Guidelines by the Government Information Security Management Board (verification of the requirements of the Information Security Decree), Katakri 2015 and Kanta information system audits. At the moment, our qualification area covers official inspections of protective level IV.
Nixu Certification Oy also provides the conformity assessments required by legislation and the eIDAS Regulation for the providers of a strong identification service.
As an accredited body, we provide information security management system certifications based on the standard ISO/IEC 27001. We are also able to assess your organization’s operations against standards such as ISO/IEC 27017 (cloud services) and ISO/IEC 27018 (personally identifiable information).
Nixu Certification Oy is the only Finnish company that provides CSA STAR audits. CSA STAR is a certification for the providers of cloud services based on Cloud Controls Matrix developed by Cloud Security Alliance.
Together with our parent company Nixu Corporation, we also provide PCI DSS, PCI PA-DSS, PCI 3DS and Mirrorlink audits. We have the widest choice of information security audits in Finland.
Competence
Nixu Certification Oy’s operations are supervised by Finnish authorities. We meet strict requirements concerning our premises, handling of customer data, skills and methodologies. Our operations have been assessed against ISO/IEC 17021, ISO/IEC 27006 and Katakri 2015 (protective level III).
Independence
One of the key principles concerning the operations of an inspection body is independence. Nixu Certification Oy’s management and inspectors are committed to the principles listed below. In addition, Nixu Corporation is committed not to interfere with Nixu Certification Oy’s inspections or any of the related processes.
- Nixu Certification Oy is independent and impartial in all its operations. Our assessment is based solely on a systematic, transparent inspection process and the competence and professional expertise of our inspectors.
- The result of the assessment is based solely on how well the assessed organization meets the assessment criteria.
- In every assignment, we evaluate possible risks to our independence and act to minimize such risks.
- Our independence is supervised by a specific independence committee that we have appointed and that inspects our operations every year.
- As an inspection body, we do not certify or inspect anything that would jeopardize our independence in an uncontrollable manner.
- As an inspection body, we do not certify or inspect other inspection bodies.
- As an inspection body, we do not perform internal audits to our certified customers.
- The services of Nixu Corporation and Nixu Certification Oy are not associated for marketing or other purposes.
The audit process
The ISO 27001 audit process follows the approach specified in standards ISO 17021 and ISO 27006. Where applicable, this approach is also followed in VAHTI and Katakri audits.
Below is an illustration of the overall lifecycle of a certification process:
The actual certification audit is performed in two stages:
Stage 1 Documentation and interviews
0. Auditing team appointment
1. Kick-off meeting and certification scope definition
2. Documentation review
3. Management interviews
4. Identification of other factors that affect certification
5. Second Stage planning
6. (Resolving of non-conformities identified in Stage 1)
Stage 2 Verification
7. Verification of processes and activities against criteria
8. Verification of activities through objectives
9. (Resolving of non-conformities identified in Stage 2)
Certification
10. Preparation for certification decision
11. Making of certification decision
12. Certification monitoring (ongoing surveillance activities)
The certification process
After an approved audit, Nixu Certification Oy may issue a certificate to the customer. The principal auditor makes a proposal on whether the certificate may be issued. The certification decision (favorable or unfavorable) is made by the Managing Director of Nixu Certification Oy or his/her deputy. The certification must be renewed before the validity of the certificate expires. The continued validity of the certificate also requires regular follow-up audits.
If the conditions for certification no longer exist, the certificate may be suspended for a specified time or canceled altogether. The certificate may be reinstated when the conditions are restored. It is also possible to limit the scope of the certificate.
The right to refuse certification
Nixu Certification Oy, like other certification bodies, has the right to refuse certification, even if the conditions for certification, as such, were met. This is exceptional and may be considered principally in situations where the branch of activity, ethics of operations, or other apparent reasons are considered to be grave enough to warrant a refusal of certification. If we decide to exercise our right to refuse certification, we inform the applicant at the earliest possible opportunity and provide reasons for our decision.
Rules on referring to a certificate
When referring to a certificate, it is recommended that the certification code provided by Nixu Certification Oy should be used. Where necessary, a reference to the certification may also be made in writing. When referring to a certificate, the reference should always indicate the name of the entity that obtained the certificate, the certifying body, the certification requirement, and a description of the certified areas.
A reference to the certification may be made if the certificate is valid and the certified entity meets the certification requirements. No reference to the certification may be made before the certification decision is made, and the reference must not be misleading. The certified entity is always responsible for referencing, and it must comply with the rules of Nixu Certification Oy.
A reference to the certification may only be made with respect to the certified activity. If all operations of an organization are not certified, a reference to the certification should clearly indicate which operations are certified. If the certified part changes, the organization must update all references to the certification to correspond to the changed situation.
Feedback, complaints and claims to revise a decision
In all its operations, Nixu Certification Oy strives for professional and fair conduct. If a customer of Nixu Certification Oy or other entity is of the opinion that our operations are not up to par, it can file a complaint or a claim to revise a decision, which will be handled according to the procedure illustrated below. We also welcome any free-form feedback on our operations. If you wish to give feedback or make a complaint or a claim to revise a decision, please contact Valtteri Peltomäki (valtteri.peltomaeki@dnv.com) for further instructions.
Complaints and claims to revise a decision are always handled by the Managing Director and a committee appointed by the Managing Director.
The procedure for handling claims to revise a decision: