Information security management system and its certification in the Population Register Centre in Finland

In the fall of 2002 the Population Register Centre in Finland received an information security system certificate issued by SFS-Certification. At the same time a quality certificate was also granted to the Certificate Service of the Centre. To date, information security system certificates have been issued to ten organisations, of which the Population Register Centre is the first and so far the only governmental office in Finland.

The information security and quality projects were started at the beginning of 2001. They have contributed greatly to the fulfilment of the centre's development strategy, the vision of being the leading information centre. Because the Population Register Centre deals with personal data and issues electronic certificates, information security is naturally one of the cornerstones of its activity. Thanks to the certification, the development and maintenance of information and data security is now better organised than before. As a result of the certification project there is now a well-defined and coherent information security management system based on the standard BS 7799.

In the Population Register Centre the motto of the information security culture is that each employee has a starring role. In the words of the centre's Director General Ritva Viljanen, our firewall has the face of the employee: it is a "human firewall". Personnel committed to information security, right up to the highest management, is excellent capital, even a competitive asset. Outwardly, this is also proof of the trustworthiness of the operations and a message of a wish to set an example for other governmental central offices in information security matters.

The certification project

To start the work towards the certificate, an information security committee was created at the beginning of 2001. As the project commenced, the management approved an information security policy and defined information security objectives. The project then created an action plan, documented the applications and procedures, defined the information security management system, carried out a risk assessment and defined a risk management plan, selected the necessary controls and prepared a Statement of Applicability. Finally, plans for monitoring and continual improvement were defined. The role of the centre's management, side by side with the project group and the Information Security Manager, was essential in the different phases of the project.

Since the employees are a central part of implementing and maintaining information security, continual training and practice are a must. A great deal of effort has been put into information security instructions. All essential instructions can be found on the intranet. The certification process involved everybody, and during the project many of our everyday procedures had to be improved.

Continual improvement of information security

The Population Register Centre will adopt the new specification standard BS 7799-2:2002 in the follow-up audit of spring 2004. The new standard stresses the importance of continual improvement. The risks are reviewed and assessed yearly. The standard expects a clear link between the controls selected on the basis of the risk assessment and the Statement of Applicability. Management's responsibility for information security is emphasised more than before.
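The link the standard expects between the risk assessment and the Statement of Applicability (SoA) can be checked mechanically before an audit. The following script is an added illustration, not code from the Population Register Centre or SFS: it holds a small risk register and an SoA as constructed sample data (the risk identifiers, the control identifiers such as CTRL-ACCESS-POLICY and the acceptance threshold are hypothetical) and reports every break in traceability in either direction, plus two common audit findings: a "reduce" treatment with no control selected, and an accepted risk whose level exceeds the agreed threshold.

```python
"""Traceability check between a risk register and a Statement of Applicability.

Added example, not code from the Population Register Centre or SFS. All risks,
control identifiers and SoA entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 3 (likely)
    impact: int              # 1 (minor) .. 3 (severe)
    treatment: str           # "reduce", "accept", "transfer" or "avoid"
    controls: Tuple[str, ...] = ()   # controls selected to reduce the risk

    @property
    def level(self) -> int:
        """Simple risk level used by the yearly review: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""  # required when a control is excluded


def check_traceability(risks: List[Risk], soa: List[SoaEntry],
                       accept_threshold: int = 3) -> List[str]:
    """Return a list of findings; an empty list means the register and SoA agree."""
    soa_by_id: Dict[str, SoaEntry] = {e.control_id: e for e in soa}
    referenced: Dict[str, List[str]] = {}   # control id -> risks that selected it
    findings: List[str] = []

    # Direction 1: every control selected in risk treatment must be applicable in the SoA.
    for r in risks:
        if r.treatment == "reduce" and not r.controls:
            findings.append(f"{r.risk_id}: treatment 'reduce' but no control selected")
        if r.treatment == "accept" and r.level > accept_threshold:
            findings.append(f"{r.risk_id}: level {r.level} accepted above threshold {accept_threshold}")
        for c in r.controls:
            referenced.setdefault(c, []).append(r.risk_id)
            entry = soa_by_id.get(c)
            if entry is None:
                findings.append(f"{r.risk_id}: control {c} missing from SoA")
            elif not entry.applicable:
                findings.append(f"{r.risk_id}: control {c} marked not applicable in SoA")

    # Direction 2: every applicable SoA control must trace back to at least one risk,
    # and every exclusion must carry a justification.
    for e in soa:
        if e.applicable and e.control_id not in referenced:
            findings.append(f"SoA {e.control_id}: applicable but not linked to any risk")
        if not e.applicable and not e.justification:
            findings.append(f"SoA {e.control_id}: excluded without justification")
    return findings


# Constructed sample register (hypothetical identifiers and values).
SAMPLE_RISKS = [
    Risk("R1", "population database", "unauthorised access", 2, 3, "reduce",
         ("CTRL-ACCESS-POLICY", "CTRL-LOGGING")),
    Risk("R2", "certificate signing key", "key compromise", 1, 3, "reduce",
         ("CTRL-HSM", "CTRL-KEY-CEREMONY")),   # CTRL-KEY-CEREMONY is not in the SoA
    Risk("R3", "intranet instructions", "outdated content", 2, 1, "accept"),
    Risk("R4", "workstations", "malware", 3, 2, "reduce"),          # no control selected
    Risk("R5", "laptops", "theft", 2, 2, "accept"),                 # level 4 accepted
]

SAMPLE_SOA = [
    SoaEntry("CTRL-ACCESS-POLICY", True),
    SoaEntry("CTRL-LOGGING", True),
    SoaEntry("CTRL-HSM", True),
    SoaEntry("CTRL-CLEAR-DESK", True),                  # applicable but unlinked
    SoaEntry("CTRL-ECOMMERCE", False, "no e-commerce services are offered"),
    SoaEntry("CTRL-TELEWORK", False),                   # excluded, no justification
]


def sample_findings() -> List[str]:
    """Run the check over the constructed sample data."""
    return check_traceability(SAMPLE_RISKS, SAMPLE_SOA)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run as a script it prints five findings for the sample data; in practice the register and SoA would be loaded from the ISMS documentation, and the check is worth running as part of the yearly risk review so that the SoA never drifts away from the controls the treatment plan actually relies on.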

Eeva Parviainen
Director System Certification
SFS