Into Security

Reliable cybersecurity audits and certifications 

Into Certification Oy is certification body and information security inspection body no. S064 accredited by FINAS Finnish Accreditation Service, accreditation requirements SFS-EN ISO/IEC 17021-1:2015 and ISO/IEC 27006-1:2024. Competence areas: ISO/IEC 27001:2013, ISO/IEC 27001:2022, ISO 9001:2015 and Katakri 2020 security classification levels IV and III. We are also an approved PCI QSA company (Payment Card Industry Qualified Security Assessor). Information regarding our areas of competence and accreditations can be found here: 

FINAS Accreditation Service
Approved cybersecurity inspection bodies

Our services as an accredited information security inspection body 

Our services include various audits and certifications of information security management systems, including some the following:  

  • Certification of information security management systems based on the ISO/IEC 27001 standard – we are a certification body accredited by FINAS for the ISO/IEC 27001:2013 and ISO/IEC 27001:2022 scopes with the identifier S064 
  • National security audit criteria Katakri 2020 assessments, for which we have been accredited and approved for security classifications TLIV and TLIII  
  • Security audits of social and healthcare information systems and welfare applications in accordance with the Customer Data Act
  • Findata – Audits in accordance with the Secondary Use Act (Toisiolaki)
  • PCI DSS audits
  • Compliance assessment required by law and the eIDAS regulation for providers of strong electronic authentication services 

Learn more about Into Certification Oy’s service description
Read more about our other information security services here

01

Why certification? 

With certification, the organization can reliably demonstrate to its current and future customers that it has implemented sufficient procedures related to information security in relation to its operations, is committed to the ongoing maintenance of information security, and takes the protection of customer and partner data seriously. 

Often the need for certification arises from customer requirements, many organizations require certification from all key players in their own digital value chain.

02

ISO 27001 customer benefits 

  • Brings data protection operations to the forefront 
  • A well-known way to indicate the level of information security in a company 
  • Creates a culture of secure operations for the customer 
  • Protects the reputation of the client company

ISO 27001 certification process 

A well-planned and executed first certification significantly eases the monitoring in later years and saves costs. The ISO 27001 certification process is followed, as applicable, in the assessment of other frameworks. 

The ISO 27001 certification process proceeds as follows:

  1. Certification application. The process begins with the organization’s application
  2. Planning. Preliminary planning and preparation for certification
  3. Compliance of the management system. Assessing the compliance of the system with the ISO 27001 standard along with the documentation required by the standard
  4. Operations of the management system. The practical implementation of the system is assessed
  5. Reporting and certification decision. A decision on certification is made based on the results of the audit

Ongoing surveillance activities:

  • Annual surveillance audit
  • Recertification audit periodically (typically every 3 years)

The process includes continuous monitoring measures that ensure the maintenance of compliance.

The process for appeals and complaints

All complaints and appeals will be handled in accordance with the following principles:

Processing responsibility

  • The certification officer, such as the CEO, does not handle complaints regarding certification decisions, as they are responsible for making them
  • External quality assurance handles complaints to ensure independence

Handling process

  • Notification of the completion of the handling process
  • The receipt of the appeal will be confirmed to the appellant
  • Collecting the necessary additional information for the handling of complaint or appeal
  • Making the necessary decisions and corrective actions
  • Informing the customer about decisions and actions

Quality assurance

  • Previous similar complaints will be taken into account in the process
  • All complaints, appeals, and related decisions will be documented
  • The handling of complaints does not lead to discriminatory actions against the customer

Public Information

Into Certification provides the following information upon request unless there is a justified reason not to provide the information:

  • Name of the certified customer
  • Scope of certification and geographical location
  • Standard/criteria used in certification
  • Certification status

Restrictions:

  • A complete customer list will not be provided
  • Queries containing information from multiple companies will not be answered
  • The availability of information may be restricted at the customer’s request (e.g. for security reasons)

This public data policy ensures transparency while considering the information security needs of our customers.

Neutrality policy

Into Certification is committed to act impartially and independently in all its assessment activities. We ensure impartiality through the following principles:

  • Our certification business is separated from the operations of our parent company to the extent necessary to ensure independence
  • We do not offer consulting services for the systems we have evaluated
  • We do not certify systems in the design or implementation of which we have participated
  • Our assessment personnel are committed to disclose any potential conflicts of interest
  • Assessment decisions are made based on objectively collected evidence

Our impartiality is being monitored by FINAS’ accreditation and Traficom’s approval. We also regularly monitor and evaluate our operations to identify potential impartiality risks.

Our customers can trust that our assessments and decisions are always based on impartial and professional consideration.

Reliable, employee owned company 

Into Certification Oy is a subsidiary of Into Security Oy, which operates as an information security inspection body approved by Traficom. The approval of inspection bodies is based on the Act on Information Security Inspection Bodies.

We meet the competency requirements set for inspection bodies regarding independence and staff expertise, as well as the security requirements related to the handling of customer data, and physical facilities.

Contact us

We help you find the best solutions to your security challenges. Get in touch to discuss your organisation’s needs and objectives.

Contact us