Security ensured – CSC achieved several security certifications

The reliability and safety of CSC’s core operations were assessed during the spring of 2025 through three major external audits. As a result of the audits, CSC updated and expanded several certifications, the most significant of which is the information security certification according to the latest version of the ISO/IEC 27001:2022 standard.

This is an internationally recognized standard that sets strict requirements for information security management systems. The latest version of the certification highlights the systematic nature of risk management, continuity planning and security capabilities throughout the organization. The certificate is rare even on an international scale among supercomputing centers. The certification strengthens the reputation of CSC as a reliable service provider and partner.

”The recognition shows that CSC has the capabilities to effectively protect its customers’ data and its own services in a rapidly changing digital environment. It also sends a strong message to our partners and customers that information security is a strategic priority for us,” says Teemu Kiviniemi, CSC’s Director of ICT Solutions.

Audits as part of continuous operations

CSC’s ISO 27001 certification applies to CSC’s information security management system and includes the following functions:

• Data center operations,
• ICT and computing platforms,
• IaaS cPouta and ePouta,
• Long-term storage of PAS, and SAPA platform,
• Eduuni and Tiimeri collaboration platforms,
• LUMI hosting,
• Funet network and Funet Miitti service and
• Secure remote operating environment (SPE4E).

CSC is committed to continuous improvement and an open, transparent safety culture. CSC’s information security policy is based on foresight, ensuring continuity and developing the competence of the personnel. The information security system is continuously assessed through internal and external audits, and development work is carried out in cooperation with customers, authorities and the research community.

”By safety management and following best international practices, we demonstrate that we are a reliable and safe operator. Through the audits, we prove this not only to ourselves, but also to our customers and partners, and we should be proud of these results,” says Urpo Kaila, CSC’s Cyber Contingency Manager in charge of audits and compliance.

Operations meet strict regulatory requirements

At the beginning of the year, CSC has also renewed its Katakri approval to cover safety management and physical safety in maintenance facilities as well as certain data center operations in Espoo and Kajaani. Katakri is an information security audit tool for authorities used to assess the target organization’s ability to protect confidential information. The Katakri audits also verify the technical implementations of security.

With the increase in cyber risks in the international security situation, the EU has also paid attention to the security of service providers and increased the related mandatory regulation. The EU Cybersecurity Directive (NIS 2), which came into force this spring, and the related Cybersecurity Act imposes significant obligations on covered operators with penalties. A large part of the demonstration of compliance can be covered by ISO 27001 certification.

”We are a major player under the NIS2 Directive, and thus the obligations of the Directive apply to a wide range of our services. With the new ISO certification, we are already operating responsibly and in accordance with regulatory requirements, so it will be easy for us to add other services to the ISO 27001 certification in the future as well,” says Antti Savolainen, CSC’s new Head of Security.

CSC’s Katakri audit was conducted by Nixu Certification Oy, an authority-approved assessment body. CSC’s ISO 27001 audit was carried out by Kiwa certificationti Oy.

Further information: Urpo Kaila, urpo.kaila(at)csc.fi