Nixu Certification Ltd.

Information Security Inspection Body

Nixu Certification Oy is an independent subsidiary of Nixu Corporation, acting as an official Information Security Inspection Body approved by the Finnish Communications Regulatory Authority. Nixu Certification Oy is certification body S047, accredited by FINAS Finnish Accreditation Service against accreditation requirement SFS-EN ISO/IEC 17021-1:2015 (ISO/IEC 27006:2015 AMD 2020).

The following official security inspections belong to Nixu Certification Oy’s services: VAHTI Guidelines by the Government Information Security Management Board (verification of the requirements of the Information Security Decree), Katakri and Kanta information system audits. At the moment, our qualification area covers official inspections of protective levels IV and III.

Nixu Certification Oy also provides the conformity assessments required by legislation and the eIDAS Regulation for the providers of strong electronic identification services.

As an accredited certification body, we provide information security management system certifications based on the standard ISO/IEC 27001. We are also able to assess your organization’s operations against standards such as ISO/IEC 27017 (cloud services) and ISO/IEC 27018 (personally identifiable information).

Nixu Certification Oy is the only Finnish company that provides CSA STAR audits. CSA STAR is a certification for the providers of cloud services based on Cloud Controls Matrix developed by Cloud Security Alliance.

Together with our parent company Nixu Corporation, we also provide PCI DSS, PCI PA-DSS, PCI 3DS and Mirrorlink audits. We have the widest choice of information security audits in Finland.

Competence

Nixu Certification Oy’s operations are supervised by Finnish authorities. We meet strict requirements concerning our premises, handling of customer data, skills and methodologies. Our operations have been assessed against ISO/IEC 17021, ISO/IEC 27006 and Katakri 2020 (protection level II).

Independence

One of the key principles concerning the operations of an inspection body is independence. Nixu Certification Oy’s management and inspectors are committed to the principles listed below. In addition, Nixu Corporation is committed to not interfering with Nixu Certification Oy’s inspections or any of the related processes.

  • Nixu Certification Oy is independent and impartial in all its operations. Our assessment is based solely on a systematic, transparent inspection process and the competence and professional expertise of our inspectors.
  • The result of the assessment is based solely on how well the assessed organization meets the assessment criteria.
  • In every assignment, we evaluate possible risks to our independence and act to minimize such risks.
  • Our independence is supervised by a specific independence committee that we have appointed and that inspects our operations every year.
  • As an inspection body, we do not certify or inspect anything that would jeopardize our independence in an uncontrollable manner.
  • As an inspection body, we do not certify or inspect other inspection bodies.
  • As an inspection body, we do not perform internal audits for our certified customers.
  • The services of Nixu Corporation and Nixu Certification Oy are not associated for marketing or other purposes.

The audit process

The ISO 27001 audit process follows the approach specified in standards ISO 17021 and ISO 27006. Where applicable, this approach is also followed in VAHTI and Katakri audits.

Below is an illustration of the overall lifecycle of a certification process:

[Figure: Audit Process]

The actual certification audit is performed in two stages:

Stage 1 Documentation and interviews

0. Auditing team appointment
1. Kick-off meeting and certification scope definition
2. Documentation review
3. Management interviews
4. Identification of other factors that affect certification
5. Second Stage planning
6. (Resolving of non-conformities identified in Stage 1)

Stage 2 Verification

7. Verification of processes and activities against criteria
8. Verification of activities through objectives
9. (Resolving of non-conformities identified in Stage 2)

Certification

10. Preparation for certification decision
11. Making of certification decision
12. Certification monitoring (ongoing surveillance activities)

The certification process

After an approved audit, Nixu Certification Oy may issue a certificate to the customer. The principal auditor makes a proposal on whether the certificate may be issued. The certification decision (favorable or unfavorable) is made by the Managing Director of Nixu Certification Oy or his/her deputy. The certification must be renewed before the validity of the certificate expires. The continued validity of the certificate also requires regular follow-up audits.

If the conditions for certification no longer exist, the certificate may be suspended for a specified time or canceled altogether. The certificate may be reinstated when the conditions are restored. It is also possible to limit the scope of the certificate.

The right to refuse certification

Nixu Certification Oy, like other certification bodies, has the right to refuse certification even if the conditions for certification, as such, are met. This is exceptional and may be considered principally in situations where the branch of activity, the ethics of operations, or other apparent reasons are considered grave enough to warrant a refusal of certification. If we decide to exercise our right to refuse certification, we inform the applicant at the earliest possible opportunity and provide reasons for our decision.

Rules on referring to a certificate

When referring to a certificate, it is recommended that the certification code provided by Nixu Certification Oy be used. Where necessary, a reference to the certification may also be made in writing. When referring to a certificate, the reference should always indicate the name of the entity that obtained the certificate, the certifying body, the certification requirement, and a description of the certified areas.

A reference to the certification may be made if the certificate is valid and the certified entity meets the certification requirements. No reference to the certification may be made before the certification decision is made, and the reference must not be misleading. The certified entity is always responsible for referencing, and it must comply with the rules of Nixu Certification Oy.

A reference to the certification may only be made with respect to the certified activity. If all operations of an organization are not certified, a reference to the certification should clearly indicate which operations are certified. If the certified part changes, the organization must update all references to the certification to correspond to the changed situation.

Feedback, complaints and claims to revise a decision

In all its operations, Nixu Certification Oy strives for professional and fair conduct. If a customer of Nixu Certification Oy or another entity is of the opinion that our operations are not up to par, they can file a complaint or a claim to revise a decision, which will be handled according to the procedure illustrated below. We also welcome any free-form feedback on our operations. If you wish to give feedback or make a complaint or a claim to revise a decision, please contact Valtteri Peltomäki (valtteri.peltomaeki@dnv.com) for further instructions.

Complaints and claims to revise a decision are always handled by the Managing Director and a committee appointed by the Managing Director.

The procedure for handling claims to revise a decision:

[Figure: Complaint process]

Services

Microsoft SSPA

Nixu is a Microsoft-accredited security and data protection auditor. Microsoft Supplier Security and Privacy Assurance (SSPA) is a company program that sets the security and data protection requirements for all new suppliers, partners and subcontractors that process Microsoft personal or confidential information. On behalf of Microsoft, Nixu conducts compliance assessments of new suppliers and subcontractors against the SSPA criteria.

Compliance assessment of identification and trust services

We also assess the compliance of identification and trust services. A legislative amendment that entered into force in 2016 requires all service providers providing strong electronic identification and electronic signatures to perform a compliance assessment and submit the assessment result to the Finnish Communications Regulatory Authority. The providers of identification devices, identification services and identification brokering services are all considered to be service providers. Requirements are largely based on the EU eIDAS regulation and commonly applied standards, such as ISO 27001.

ISO/IEC 27017 and ISO/IEC 27018

Best practices for cloud computing services are also described in standards ISO 27017 and ISO 27018. Officially, it is not possible to obtain a certification against these standards, but, in the context of an ISO 27001 certification, Nixu Certification Oy can provide the customer with a statement of its compliance with these controls.

CSA STAR

The Cloud Controls Matrix (CCM) developed by Cloud Security Alliance is a set of criteria aimed at providers of cloud computing services. The key principle is to provide users of cloud services with transparency as well as assurance on the security of cloud service providers. CSA STAR certification can be obtained on top of ISO 27001 certification.

Katakri 2015

Katakri refers to the set of National Security Auditing Criteria that serve to evaluate an organization’s ability to protect classified information of authorities. Katakri is also used as a tool in conducting corporate security audits. Katakri consists of three subdivisions:

  • T: for security management
  • F: for physical security
  • I: for information assurance

While an official Katakri approval requires the assessment of all three subdivisions, an inspection body can issue a statement on an assessment that covers only a certain part of operations.

Certification of electronic identification and trust services

The amendment of the Act on Strong Electronic Identification and Electronic Trust Services in Finnish legislation, which entered into force on 1 July 2016, requires service providers of strong electronic identification and signature services to assess their compliance and deliver proof of compliance to the Finnish Communications Regulatory Authority (FICORA).

We are a certification authority approved by FICORA and provide customers with electronic identification and trust service assessments. We are an excellent partner for such assessments, as we also have extensive experience of many other security frameworks.

ISO/IEC 27001 certification audits

One of our services is ISO 27001 certification audits. ISO 27001 certification is suitable for all organizations that care about their information security, particularly those that wish to prove to third parties that they follow secure practices. ISO 27001 focuses on the information security management system. We also offer the opportunity to combine other frameworks, such as CSA STAR, VAHTI, Katakri and PCI, in the same inspection.