ISO 27001 Certification meets the increasing security requirements of ALMA customers

The international ISO/IEC 27001:2022 standard defines the requirements for an information security management system. Vitec ALMA has achieved ISO 27001 certification in cooperation with Into Security’s subsidiary, Into Certification. The certificate demonstrates that Vitec ALMA has established a systematic and comprehensive operating model that protects customer data and ensures continuous information security management.

"Many of our customers operate in sectors critical to national security. Recently, the importance of information security has increased even further due to the global situation and also because of the NIS2 directive," says Vitec ALMA’s Director of Product Development and Information Security Officer, Toni Penttilä.

NIS2 is an EU cybersecurity directive that applies to sectors essential to the functioning of society. In Finland, its requirements are incorporated into national legislation through the cybersecurity act.

"NIS2 sets strict requirements for our customers’ information security. ISO 27001 is Vitec ALMA’s response to that. With the certification, we can demonstrate and verify that we meet the information security requirements imposed by NIS2 on our customers and that they, in turn, require from us as part of the supply chain," Penttilä explains.

Vitec ALMA began transitioning to a SaaS delivery model in 2017. The company is now in the third phase of the transition from an On‑Premise solution to a cloud service.

"In the previous delivery model, responsibility for information security rested mainly with the customer. That is why our customers have managed information security at a very high level. They have conducted numerous information security audits on the ALMA software, which we have been able to use to support the product’s development."

In a cloud service model, information security responsibilities shift to the software provider, and security must also be considered in the software’s functionality and usability.

"In product development, we must ensure that ALMA can be used securely in all situations without compromising usability. Managing information security is demanding for our customers, and therefore we aim to ease this burden both through product‑development‑related solutions and through the ISO 27001-certified information security management system," Penttilä says.

Certification transforms the company’s information security culture

ISO/IEC 27001:2022 certification does not apply to the ALMA software as a product; instead, it covers the entire information security management system of Vitec ALMA, which is used to maintain information security in the development, maintenance, support, and operational activities related to the ALMA software. In this way, the certified information security management system (ISMS) ensures the security of the software and its modules throughout their lifecycle.

The purpose of the certification is to guide and reshape the organization’s entire information security work and culture.

"This is not a one-off exercise; the certification is based on continuous improvement and development. Managing information security means ongoing monitoring and assessing new risks. Therefore, certification requires that information security becomes part of the company's culture," says Ville Koskinen, the lead auditor for Vitec ALMA's certification from Into Certification Oy.

Because ISO 27001 certification concerns the creation of an information security management system, the company must examine its security from the perspective of risk management, processes, documentation, personnel competence, and operational practices.

"It requires continuous, long-term work in the form of training, communication, guidance, monitoring, and measurement. Certification creates a standard for this continuous work. It is good information security management," Koskinen notes.

Toni Penttilä emphasizes the importance of Vitec ALMA’s personnel in managing information security.

"We began developing our operations according to the standard already in 2020. The actual decision to pursue certification was made about a year ago. Our entire staff has played a significant role in achieving the certification."

"Information security involves a great deal of HR-related work. We ensure that personnel have sufficient awareness, training, and competence regarding information security. Training plays a key role and includes, for example, security awareness training and secure software development training. Naturally, we can also train our customers in information security practices during implementation projects."

Finally, Penttilä highlights that certification is also a competitive advantage for Vitec ALMA.

"Only a few of our competitors have an information security management system that complies with the ISO 27001 standard. We can demonstrate that we take our customers’ information security seriously and openly show how we manage it."

Ville Koskinen also stresses the significance of certifying an information security management system.

"Many may say that they ‘follow the standard,’ but only certification can prove it."