ISO 27001 ensures trust and business continuity – CSC starts its 7th year of certified information security

CSC starts a new certification period with information security management. CSC started to develop security in compliance with the ISO 27001 standard already in 2013.  Now CSC has been awarded a new certificate which starts a new three year certificate period.

"Today, ensured security management covers our data centers, ICT platforms, PAS long-term preservation service and the Pouta IaaS. We have identified the ISO 27001 standard as the best and most mature international security framework to help us ensure the security of our services", says Mr. Urpo Kaila, Head of Security at CSC.

During the certification audit 36 members of CSC staff, ranging from directors and managers to experts, were interviewed.

"The standard helps us to define organization-wide tasks related to confidentiality, integrity and availability of information", explains Mr. Tero Tuononen, Head of Administration at CSC.

"The certification helps us to show our ability to commit, maintain and develop the security of our services.  The certification requires that we have appropriate security-related processes.  All staff is committed to secure practices so we can deliver secure services to our customers", continues Mr. Kaila.

Mission: earn the trust of the customers 

For CSC, providing a good customer experience is the main reason to obtain the security management certification. Certified practices create the foundation for trustworthy services and ensuring business continuity. With the certification we can also show how we protect confidential and personal data.

"The objective of the certification is to develop secure and high-quality services for our customers", summarizes Mr. Kaila.

Sharing good security practices in the EU

CSC has been one of the early birds among European computing centers when it comes to developing security management based on an international standard. Now many of CSC's peers are also interested in security certification.  CSC has shared its experiences of the certification process and implementation with its peer centers.

CSC was also able to make use of the certificate as it successfully applied to host and manage the EuroHPC supercomputer in the Large Unified Modern Infrastructure (LUMI) consortium. The security standard played also an important role in the acquisition of CSC's new national supercomputer.

"I want to sincerely thank all our staff – management, supervisors and experts. You have earned us the ISO 27001 certificate.  Aiming for certification was a good and responsible decision", Mr. Kaila summarizes.

Audit supports continuous development

No non-conformities with the standard were noted in the Kiwa Inspecta audit report this spring. However, in addition to positive findings the audit report also included suggestions for improvement.

"The suggestions for improvement were excellent. Each year the auditor provides us with observations which are based on their long experience from the field. These observations help us to improve our services", says Head of Security Urpo Kaila.

In the report, CSC received praise for comprehensive service-specific continuity planning and its risk management.  CSC's Statement of Applicability help the management to focus on relevant issues. Systematic patching of vulnerabilities and regular vulnerability scans were also noted as positive findings in the report.

ISO/IEC 27001

The ISO 27001 certificate, a generally acknowledged data security standard, takes into account security management processes and technical and administrative requirements. The standard provides comprehensive requirements and recommendations for assessing and managing security risks. The data security management system can be used to protect things such as financial information, intellectual property, personal data of employees or information provided to the organization by customers or other parties.