

      Your trusted partner for all audit and certification needs

      Through impartial assessment, you demonstrate to your stakeholders the quality, regulatory compliance, and high level of information security of your processes, services, and products.

      • Regulatory audits

        Katakri, Pitukri, Vahti, Kanta, Secondary Law, Information Security Label, and other similar official audits conducted by an approved assessment body or as a GAP analysis with development recommendations. These help you meet regulatory requirements.

      • ISO certification and assurance reports

        We perform ISO 27001, ISO 27701, ISO 22301, and ISO 9001 certifications, EuroPrivacy data protection audits, and ISAE assurance statements. These help you in selling your products.

      • Comprehensive and specialized audits and tests

        Technical information security tests, Cyber DD inspections, information security and data protection audits and development recommendations, Red Teaming exercises, and other inspections and audits. These help you in development projects and product safety.




      Our services

      KPMG IT Certification Ltd. operates as a certification body and is an officially recognized cybersecurity assessment body approved by the Finnish Transport and Communications Agency Traficom. The operations of KPMG IT Certification Ltd. meet the competence requirements set for assessment bodies regarding independence and staff expertise, as well as the security requirements related to physical premises and the handling of customer information.

      Our information processing level is approved for Security Class II, and our operations are under continuous supervision by authorities.

      You can find our up-to-date certificates and information about our areas of competence on the FINAS accreditation service website.

      Many audits can only be conducted by an approved cybersecurity assessment body. Achieving and maintaining this status requires significant effort, and it also brings credibility to audits that do not require assessment body status.

      Organizations' stakeholders are placing increasingly stringent demands on cybersecurity, business continuity, the high quality of products and services, and the security of personal and customer data.

      Internationally recognized ISO standards help define key requirements, best practices, and related controls, and assist in scaling them to a sufficient level of risk management. For example, the NIS2 directive directly or indirectly requires ISO certification for cybersecurity. With official ISO certifications, organizations can demonstrate to their customers and stakeholders that they meet the standards' requirements, manage risks and changes in the operating environment, and continuously develop their operations.

      ISO 27001 and ISO 9001 certifications

      KPMG IT Certification Ltd. conducts certifications of cybersecurity management systems based on the ISO/IEC 27001 standard, enabling organizations to reliably demonstrate to current and future customers that they have implemented adequate cybersecurity procedures, are committed to maintaining cybersecurity continuously, and take the protection of customer and partner information seriously.

      We also conduct ISO/IEC 27701 certifications. ISO/IEC 27701 is an extension of the ISO 27001 standard concerning data protection. It helps organizations create systems that support compliance with the European Union's General Data Protection Regulation (GDPR) and other data protection requirements, although as a global standard, it does not directly address the GDPR.

      Additionally, we conduct ISO 9001:2015 certifications for quality management systems in IT service management, IT service delivery, and application development sectors. Certification can also be carried out as part of an integrated management system certification together with, for example, the ISO 27001 certificate. We can also conduct ISO 22301 certifications related to business continuity management.

      Katakri is an audit tool used by authorities to assess an organization's ability to protect confidential information held by the authority.

      Katakri can be used as an audit tool to evaluate a company's security arrangements in corporate security assessments and in the security assessments of authorities' information systems. It can also be used to assist in other security work and its development for companies, communities, and authorities.

      The use of Katakri aims to ensure that the target organization has adequate security arrangements to prevent the disclosure of confidential information held by the authority in all environments where the information is processed.

      KPMG IT Certification Ltd. conducts official security assessments as an approved cybersecurity assessment body based on the national security assessment criteria (Katakri 2020 and Katakri 2015).

      We conduct assessments based on the Katakri criteria for both public and private sector clients across its three areas (T-security management, F-physical security, and I-technical cybersecurity).

      Our competence area covers assessments for Security Class IV (TL IV) and Security Class III (confidential). Based on the assessment, we can issue an official assessment body certificate to the organization if no deviations from the criteria are found. With the certificate, the organization can demonstrate compliance with requirements to authorities, stakeholders, and customers.

      The Secondary Use Act and Customer Data Act require information systems to meet cybersecurity requirements, which are demonstrated through certification. This certification can be obtained by undergoing a cybersecurity assessment conducted by an assessment body in accordance with the regulations set by THL (Finnish Institute for Health and Welfare) and Findata.

      Kanta audit

      As an official assessment body, we conduct cybersecurity assessments required by the Customer Data Act (784/2021) for customer and patient information systems. Our assessments are carried out according to the requirements set by the Finnish Institute for Health and Welfare's regulation 5/2021. We conduct cybersecurity assessments for all Class A systems, taking into account the characteristics and risk levels of the systems. KPMG has been performing Kanta audits since 2015, leveraging our experience to offer a smooth certification process for our clients.

      Findata audit

      Secure operating environments are information systems defined in the Secondary Use Act (552/2019) for conducting medical research, which must undergo a cybersecurity assessment before registration. We conduct assessments for secure operating environments according to Findata's regulation (1/2022), also considering operations abroad and cloud solution models.

      Customers and other stakeholders are placing increasingly stringent cybersecurity requirements on service organizations year after year, while the cybersecurity environment is simultaneously becoming more complex. For example, cybersecurity risks in subcontracting networks can affect the core business of an organization through complex production chains. Many organizations therefore want to monitor compliance with various cybersecurity requirements through surveys or audits.

      A service organization can demonstrate its level of cybersecurity or control environment to multiple parties with a single ISAE assurance report. The assurance report is typically limited to a specific service package, and the assurance criteria used in the report are tailored to the customer.

      ISAE assurance reports are an internationally recognized way for service organizations to demonstrate their level of cybersecurity. ISAE reports can also be used to demonstrate compliance with ESG requirements. As a trusted and recognized audit firm, KPMG can act as a partner for all assurance report needs.

      A service organization can demonstrate the compliance of its control environment for processes relevant to financial reporting to its customers and other stakeholders with an ISAE 3402 assurance report. ISAE 3402 assurance reports are typically used by organizations that provide financial management services.

      An ISAE 3000 assurance report can demonstrate the secure service production of a specific service package or business area. The criteria used as the basis for the engagement can be chosen flexibly, but the most commonly selected criteria are the Trust Service Criteria 2017, which are well aligned with the SOC 2 standard commonly used in the United States. The ISAE 3000 standard is also suitable for verifying other types of information, such as information related to sustainable development and environmental reporting.

      Additionally, we can act as an assurance partner for other third-party verification and audit needs (e.g., ISRS 4400 – Agreed-Upon Procedures standard).

      An access management audit is a process that examines an organization's management of access permissions and ensures that access rights are granted and managed appropriately. The audit covers the processes of granting, modifying, and removing access permissions, as well as the functionality and compliance of the access management system with business rules and cybersecurity requirements.

      An access management audit helps organizations ensure that access permissions are targeted, cybersecurity requirements are met, regulations are followed, and risks are minimized.

      Current state audit provides visibility into access management

      • Have the organization's internal policies and practices been followed in granting access permissions?
      • Have access rights been granted "only" as needed?
      • Have the modification and removal of access rights been carried out appropriately?
      • Is the monitoring of access management systems properly organized, and what is the reporting capability?

      Project assessments are independent evaluations of the project's status, risks, and practices. Assessments are conducted against the project's plans and contracts, as well as applicable standards and best practices. A project assessment can be carried out either during the project or after its completion. Continuous quality assurance of the project, for example as part of the steering group, typically lasts throughout the project's lifecycle.

      Our Solutions

      We offer superior industry-developed risk management that identifies threats that could prevent the successful delivery of the project and thereby the achievement of the desired business benefits. We will also adapt our risk management approach to our client's own risk framework if necessary.

      Our risk management model is an important part of our project management methodology. It includes continuous identification and assessment of risks to minimize their potential negative impacts on the project.

      Application and software development does not always produce the desired outcome. Software products may be developed with a large budget, yet they still contain security vulnerabilities. Poor security practices, unidentified vulnerabilities, or data protection deficiencies expose the application to data breaches, leaks, or malicious attacks. Especially in larger development projects, there are often compatibility issues (integrity & interoperability) that can lead to uncontrolled cost increases and significant schedule delays.

      Quality Assurance and Auditing of Application Development

      Quality assurance and auditing of application development help improve the quality level of application development and reduce its costs and risks.

      Our Solutions

      • We assess the quality level of the solution architecture and coding in the application development project, as well as the effectiveness of security practices and processes.
      • We review the implementation of security-related components, such as identification, access management, and data protection.
      • We help identify and correct potential weaknesses.
      • We promote the advancement of a DevSecOps culture.
      • We evaluate and optimize the automation and workflows of application development.
      • We examine how security is integrated into the development process, such as the automation of security testing and vulnerability management.
      • We improve project efficiency to accelerate release schedules (lead time).
      • We ensure that security is considered at every stage.
      • We identify and manage application vulnerabilities, helping to develop the skills of both the client and the client's supplier.
      • We ensure that the application development process meets relevant security and data protection requirements and regulations.
      • We ensure that necessary controls, documentation, and reporting processes are in place.

      In the due diligence process, a thorough evaluation of the target is conducted. The assessment provides reliable information to support investment decisions or to estimate the correct price in a corporate transaction.

      Technology due diligence helps stakeholders evaluate the target's technology assets, necessary integration actions, and intellectual property rights. During the process, key risks are identified, decision-making is supported, and post-transaction actions are planned. Technology due diligence ensures a comprehensive evaluation of technology-related aspects and helps mitigate risks associated with investments in or acquisitions of technology-focused companies. Identifying risks enables informed decision-making and the development of risk management strategies.

      Our solutions

      • Assessment of Technical Assets: We evaluate the quality, functionality, and value of technology assets. We compile a comprehensive analysis of the technology infrastructure, systems, software, and digital capabilities. The assessment helps potential investors or acquiring companies understand the technological strengths and weaknesses of the target company.

      • Identification of Risks and Issues: We help identify potential risks, vulnerabilities, and issues related to the target company's technology environment. We assess software quality, cybersecurity vulnerabilities, privacy compliance, legacy systems, scalability challenges, technology debt, and dependence on critical resources or suppliers.

      • Evaluation of Integration Actions and Costs: In mergers, acquisitions, or partnerships, it is crucial to understand the integration actions and associated costs. Technology due diligence provides information on the compatibility of systems, infrastructure, and software between the acquiring and target companies.



      Our experts

      Olli Knuuti

      Information Security Assessments

      KPMG in Finland

      Mika Laaksonen

      Partner, Technology Advisory

      KPMG in Finland