Fingrid takes information security seriously and treats it as an indispensable part of its operations. As an energy company responsible for maintaining the security of supply, Fingrid has always preferred to stay one step ahead in matters of information security.
“For us, information security takes the highest priority. We are a security of supply company that keeps the lights on in the country and the electricity moving,” explains Fingrid’s CIO Kari Suominen.
Fingrid’s information security management system has now been audited against the requirements of the ISO 27001 standard, which indicates that information security in the organisation is at a good level. As confirmation of this, Fingrid has been granted an information security management system certificate.
According to Suominen, a certificate does not have an intrinsic value as such, but it is an important tool in determining the level of information security.
Monitoring the criteria listed in the standard supports all of the company’s activities. For example, the transformation of the electricity system, which aims for carbon neutrality in Finland by 2035, requires continuous updating and automation of the systems.
“We now have a verified management model that meets the requirements. Our operations have been in line with the standard for a long time now, but as society continues to electrify and systems keep changing, it is important to be able to monitor that information security issues remain in order also in the future,” Suominen says.
In many EU countries, certification of information security is required from operators critical to security of supply, such as transmission system operators.
“Certification of information security may become a requirement in Finland as well, when harmonisation continues within the EU. Regulation and legislation may start to require an official way of dealing with these matters and also a confirmation of how this is done, i.e. a certificate. Now we are also ready for that.”
Bringing the service provider management model and ICT risk management up to date
Obtaining an information security certificate did not cause any major changes in Fingrid, as operations were largely already in line with the requirements. However, there were some smaller issues to rectify.
“During the process, we discovered the issues that still required improvement, and we were able to rectify them. ICT risk management required some improvements, which was really important to recognise,” Suominen says.
The service provider management model was also taken under review. A large company needs a wide range of partners, also in its critical functions. Fingrid uses external partners to maintain server systems and workstations, for example.
“Supply chain partners have a more in-depth access to Fingrid’s data, so it is important for us to verify their level of information security and also that the information security of their subcontractors meets our requirements. As a tool for this, we implemented a standard-based management model for service providers,” says Jyrki Pennanen, Information Security Manager.
A surprisingly smooth process
The certification audit was conducted, and the certificate issued, by Nixu Certification Oy. The certification process started in August last year and, according to Pennanen, went surprisingly effortlessly, as the tasks related to certification mainly consisted of documenting the practices already in force at Fingrid.
“According to the auditor, the number of positive findings in the final report exceeded the number of deviations for the first time during his career,” Pennanen says with a satisfied smile on his face.
Jarkko Aula, a consultant at SecWed Oy who participated in the process, praises the information security expertise of Fingrid’s employees.
According to him, the organisation’s management and staff were committed to the certification work right from the beginning, and things were handled together. If things were observed that required fixing, action was taken quickly.
“Fingrid has a special safety and information security culture, which made the project smooth from the start. They are true professionals.”
Obtaining a certificate signals to external parties that the organisation intends to keep improving its information security.
“The certificate proves that Fingrid is serious in ensuring the company’s information security. Audits will continue to be organised also in the future to ensure that the level of information security remains in line with the requirements of the certificate,” Aula says.
A culture of openness is integral to information security
The certification audit interviewed 20 Fingrid employees, from management to experts, but the certificate itself covers the entire operations of Fingrid.
Pennanen, Information Security Manager at Fingrid, boasts that Fingrid employees are pioneers in information security. It is in the nature of the work to remain vigilant and to quickly highlight any problems that pose a threat to information security.
A culture of openness is an integral part of information security.
“Personnel is the strongest link in information security! Our staff are constantly alert with regard to information security matters, and if any deviations are detected, they will be reported immediately. If a mistake occurs during work, it will be reported immediately and the matter can be rectified without delay,” Pennanen says.
Press release on the 27001 Information Security Certificate issued to Fingrid (in Finnish).