Assessment, accreditation and guidance | Traficom

Assessment, accreditation and guidance

NCSA-FI’s statutory obligation is to provide assessment and accreditation services. In addition, we provide information security guidance for governmental organisations and critical infrastructure providers.

Assessment and accreditation

NCSA-FI’s duty to assess and accredit the security of information systems arises from the Act on International Information Security Obligations, the Act on Background Checks and the Act on the Assessment of the Information Security of Public Authorities' Information Systems and Telecommunications Arrangements.

As for international classified data, NCSA-FI is the national Security Accreditation Authority (SAA), Crypto Approval Authority (CAA), National TEMPEST Authority, and Crypto Distribution Authority (CDA) (or National Distribution Authority, NDA), which is the authority responsible for the distribution of crypto material.

Assessment and accreditation of information systems

Government organisations acquire the accreditation service for information systems that international information security obligations (for example, the processing of EU or NATO information) require to have SAA approval. We also provide accreditation for the information systems of companies in the process of seeking facility security clearance.

The assessment service is available for information systems governed by government authorities and for systems which government authorities are planning to acquire and on which a government authority has filed a request for accreditation with us. Moreover, at the Ministry of Finance's request, we examine the general level of information security of information systems or data communications arrangements governed by central authorities.

Further information is available in the guideline on the assessment and accreditation process of information systems and in the list of accredited information security inspection bodies.

Assessment and accreditation of security products

We provide assessment and accreditation for security products meant for protecting national and international classified information. A key focus area is the assessment and accreditation of encryption products. Further information is available in the guideline on assessment and accreditation of encryption products.

We also provide assessment and accreditation for other security product groups, such as gateway and data destruction products, within the limits of available resources. We charge a workload-based fee for such assessment and accreditation services.

Information security guidance for governmental organisations and critical infrastructure providers

The aim is to prepare organisations for threats in the cyber domain and support clients in securing their operations and systems.
There are two types of information security guidance. One focuses on guidance related to protecting classified information. The other is guidance on more general cyber security issues in society.

We provide guidance on protecting classified information primarily to the clients acquiring our assessment and accreditation services for information system security. The guidance ensures that clients have sufficient understanding of the applicable interpretative practice and decision-making practices. We also support clients in allocating resources to the most critical protections with regard to security.

The advice service can support clients, for instance, by assessing information systems on a concept level or assessing security of new technologies. We also support clients in situations where the assessment or accreditation service has detected challenging deficiencies in the protection of an information system, which require rectification.

Guidance on protecting classified information requires that the customer organisation has a justified need to process national or international classified information. Use of the advice service does not guarantee that the product undergoing the assessment and accreditation process will meet all the protection requirements imposed on it. The final evaluation of how well a product complies with the applicable requirements is made during the assessment and accreditation process.

Guidance on cyber security in society aims to support Finnish organisations in implementing cyber security. We offer an opportunity to discuss, for instance, threats posed to organisations and their services, which in practice means risks observed in Finland and abroad as well as the most efficient protection methods. The advice service can be customised according to the client's needs, for example for the organisation’s management or technical specialists. We can also support organisations in developing requirement criteria, compiling roadmaps for information security and in other projects for developing cyber security in the organisation and/or in society.

Enquiries

Contact us by email: neuvontapalvelu@traficom.fi.
