ISO/IEC 27001:2013 is an international standard for information security management. Achieving ISO 27001 certification demonstrates that an organization follows recognized best practice for keeping its information assets secure through a risk-based management framework known as an Information Security Management System (ISMS). After a successful certification audit, the organization is audited against the standard every year by an accredited external third party: a certificate is valid for a three-year cycle, with annual surveillance audits in between and a full recertification audit at the end of the cycle.
At KPMG Finland, the certification was first obtained in 2020, and since 2022 it has also covered our operations and physical offices in Estonia. Harri Pienimäki, KPMG Finland's National IT Security Officer, has been closely involved in the process from the beginning. The first nudge towards certification came in 2017 in connection with the GDPR (General Data Protection Regulation); in 2018 the first concrete steps were taken, and the full certification was completed in 2020. KPMG is the first Big Four company in Finland to obtain the certificate.
“The certification shows that the organization is acting in accordance with the principles of the international standard and that this is verified annually by an independent external auditor. At KPMG Finland, we had long used the ISO27001 standard as the foundation of our information security practices, so it was an easy decision to formalize the processes we were already following and seek the official certification.
The standard itself is internationally known and is perceived as a baseline for sufficient information security management. The standard also enables different organizations to speak the same language and follow similar security protocols. The message it sends to our clients is clear: we are a reliable, externally audited actor that takes information security matters seriously, wants to continuously develop the processes it entails, and above all invests in information security. The benefits have been tangible; for example, we are in a position where we can usually meet or exceed our clients' requirements related to information security. Furthermore, ISO 27001 has helped us to proactively identify risks to our operations, which in turn has made us well prepared for unexpected situations such as COVID-19 or the war in Ukraine. This directly benefits our clients, as they can trust that KPMG's operations can also continue under exceptional circumstances.
Obtaining the ISO27001 certification requires commitment, dedicated resources, and wide-ranging cooperation within an organization. Not every organization can invest in the required prerequisites and especially for smaller organizations, the process can be challenging. It is also important that the organization is ready and willing to open their internal procedures for inspection, accept the feedback received and work on it. Naturally, it is also possible to just follow the standard without obtaining the actual certification – however, the external validation via the annual auditing confirms that the actions taken are indeed the right ones. For KPMG Finland, our clients also have high expectations when it comes to our security protocols and standards, and in our industry, solid information security is a clear prerequisite for operating in the business. Furthermore, the standard applies to matters such as the safety and security of our own people, the most important stakeholder group we have.
In the future, the requirements for holding various certifications and attestation reports will most likely continue to grow as there is an increasing demand for transparency, especially from the viewpoint of quality, environmental impact, and corporate governance. For KPMG Finland, ISO/IEC 27001 continues to be our standard baseline for information security, supported and expanded by separate, more specific certifications focused on different areas of interest, such as business continuity and cloud security.”