Compliance and certification

Joonatan Henriksson

Head of Digital Business

Whether you are building a space station or a digital platform, you might need to show that you have considered the associated cybersecurity risks well beforehand, and acted to mitigate them. Our certification services help you prove this.

Together, Nixu Corporation and its independent subsidiary Nixu Certification Ltd. provide a wide variety of information security and privacy services.

Our consultants have real-life experience in demanding information security management and technical auditing tasks, so in addition to a cost-effective audit, we can also support the remediation of any findings.

We also work with many local and global organizations in designing industry auditing requirements. For example, we participate in the EU-SEC program, which is developing a framework for cloud security.

Our ever-increasing range of security assessments extends from country-specific criteria to ISO/IEC standards-based audits and to cloud, payment system, identity assurance and car system assessments, including, but not limited to:

  • Certification of electronic identification and trust services (eIDAS)
  • ISO/IEC 27001
  • ISO/IEC 27017 (cloud security)
  • ISO/IEC 27018 (personal information security)
  • Kantara IAF (Identity Assurance Framework)
  • MirrorLink car system
  • PCI Onsite Assessment
  • PCI PA-DSS Services
  • PCI P2PE

Privacy Consulting

The Personal Data Act and the EU's forthcoming General Data Protection Regulation (GDPR) establish that organizations have an obligation to protect personal information against unauthorized use. With Nixu's privacy services, you can ensure that personal information is handled according to laws and regulations, while minimizing information-related risks. Nixu can also help you prepare a privacy policy as well as descriptions of file.

PCI Onsite Assessment

PCI Onsite Assessment is the assessment service for all parties that store, process or transmit cardholder data. We have experience in assessing different types of organizations, such as large retail chains, small cafés, global service providers, payment gateways, airlines and banks. We do not only assess; we also help the customer achieve and maintain compliance.

The service is designed to be effective and to cause minimal disruption to the organization's day-to-day operations. The assessment is divided into phases: scoping, documentation review, technical tests and site visits, interview and observation sessions, reporting, and a closeout meeting. Each phase is carefully designed to ensure a successful assessment with minimal disruption.

User Data Protection, Privacy and GDPR

We help you protect your data in use, in transit and at rest. Whether you gather data directly from end users (given data) or indirectly using profiling tools, sensors and devices (collected data), you must do so in a transparent and privacy-preserving way. When analyzing the collected data, whether on-premises or in the cloud, you need to ensure that only the correct parties have access to the data and to the results. With the help of our experts in privacy law, identity and access management and cloud security, you can be assured that the privacy requirements are taken into account.

The Finnish government’s information security levels

The national requirements for information security levels constitute a tool that helps different parties meet the requirements of the national information security acts. These requirements apply to the Finnish state administration and its service providers.

Nixu has piloted and provided definitions for the Finnish government's information security levels and ICT contingency planning requirements. We have performed information security level audits for the state administration and formulated operational plans for achieving desired security. With regard to the private sector, we have incorporated the information security level requirements into our customers' compliance management systems.

Privacy by Design

Our Privacy by Design service aims to introduce privacy-related actions and controls as part of your product development and maintenance process. Our goal is to make your teams self-sufficient by transferring skills and methods such as privacy impact assessments, and by creating privacy requirements for your development teams. Additionally, we will support your legal team with contractual reviews and work with your business to help you differentiate yourself in your market through privacy. To ensure success, our tech-savvy privacy lawyers and security experts will be part of your team or advise you as needed.

Collaborator security audit

The Collaborator Security Audit Service gives customers the possibility to verify that the security status of their partners and collaborators does not create unacceptable risks, that the contractual requirements for security are followed, and that the processes and security governance of collaborators are sound and in line with industry best practices. A Nixu auditor identifies the business-critical assets that are exposed to collaborators, and verifies either that the contractually agreed security controls protect these assets or that the assets are protected according to industry best practices.

PCI PA-DSS Services

PA-DSS services are intended for all vendors that develop payment applications. We can help in preparing for the validation, in remediating non-conformities and in performing the actual validation. The PA-DSS validation service results in a validated payment application that is listed on the PCI Security Standards Council's web page. In addition, we provide a PA-DSS Preparation service that includes training, a gap analysis and a roadmap for achieving the validation. We also provide ongoing support as part of the Nixu Catalyst compliance management and support service.

PCI Preparation

The PCI Preparation service is the initial step towards PCI compliance. We train the customer's key personnel to understand PCI and its requirements. We focus on minimizing the customer's PCI environment so that compliance can be achieved more cost-effectively. The most important outcome of the service is a roadmap that contains clear tasks to be performed in order to become compliant. For each task, a cost estimate is provided and responsibilities are defined. The roadmap can be further refined into a project plan.

The next step after the PCI Preparation phase is usually the remediation phase. We support this phase and help ensure that compliance can also be maintained after the assessment.
