Trust Center
On this page, we explain how we protect your information and ensure the reliability of our services.
Trust is the foundation of our operations.
Many of Netum’s customers handle critical and confidential information, including organisations in healthcare, ICT and application services, as well as the public sector. To ensure a high level of information and cybersecurity in our operations, we are certified against the internationally recognised ISO/IEC 27001 information security standard.
Netum’s certificate has been maintained continuously for over two decades, demonstrating our long-term and systematic approach to developing information security and maintaining an information security management system that meets the requirements of the standard.
This provides a strong foundation for managing other security frameworks, requirement models, and regulatory obligations, such as Finland’s public sector frameworks Julkri and Katakri. The effectiveness and compliance of our information security management system are also reviewed annually by an external auditor.
The certificate is valid until 3 September 2028.
An important addition to the ISO/IEC 27001 certificate is the national Facility Security Clearance (FSC) certificate granted to Netum. It reflects the competent authority’s assessment of the reliability of Netum’s responsible persons, the security arrangements of the premises, and the suitability of the data processing environment for processing classified information to the Confidential level (TL III).
The national Facility Security Clearance (FSC) certificate is valid until 30 November 2029. We will provide the certificate upon request.
Many of Netum’s customers are also considered essential or important entities under the NIS2 Directive and Finland’s national Cybersecurity Act (124/2025). Netum itself falls within this category as well.
We therefore ensure that our own operations comply with the requirements of the NIS2 Directive and the Finnish Cybersecurity Act.
Netum’s security operations cover the requirements of the ISO/IEC 27001 information security standard as well as organizational, personnel, physical, and technological security controls. They also address the requirements of the Katakri criteria and other applicable legislation related to security. Netum has a group-level information security policy and data protection policy that define the principles, responsibilities, and implementation requirements related to information security, data protection, and the processing of personal data across the entire group.
A summary of the security operations can be provided upon request.
For Netum, trust and security form the foundation of our operations. We follow the principles of Privacy by Design and by Default, ensuring that personal data is handled securely, lawfully, and transparently throughout its entire lifecycle.
Our Privacy Statement provides more detailed information about our data protection practices, including what data we collect and how we use personal data in our operations.
At Netum, risk management consists of continuous, systematic, and preventive activities to identify, assess, and manage risks and, when risks materialise, to handle them effectively. Risk management is carried out throughout the Group, and we aim to identify and manage information security risks related to all our business operations.
We prepare for potential information security incidents in advance and have procedures in place to investigate them. We ensure that our personnel have sufficient information security expertise, produce secure services and products, and ensure our customers’ satisfaction with Netum’s high level of information security.
Netum Group Plc’s Board of Directors confirms the principles of risk management and assesses the adequacy and appropriateness of risk management. The principles and operations of risk management are based on an information security management system in accordance with the ISO/IEC 27001 standard, and the suitability and effectiveness of risk management practices are also assessed annually by an external auditor.
Netum only uses suppliers or subcontractors that meet Netum’s and its customers’ security requirements. Netum’s security requirements have been incorporated into Netum’s contract templates, and customer requirements are included in the agreements signed with the supplier. Compliance with the requirements and their implementation are monitored throughout the life cycle of the projects.
Netum has defined ethical principles that apply to all employees. Through ethical practices, we are committed to ensuring that our work environment and operating culture are as safe, responsible and respectful as possible, both now and in the future.
Through the Code of Conduct for suppliers, we also aim to ensure that our partners and subcontractors respect Netum’s Code of Conduct and act sustainably. The Supplier Code of Conduct is provided in Finnish only.
Our first sustainability report, based on the CSRD framework, brings together the key principles, impacts, and practices of Netum’s sustainability work. The report is included in our 2025 Annual Report and is available on pages 27–68.
We encourage our customers, partners, and employees to report any suspected misconduct or actions that are inconsistent with our values. Netum has a Whistleblowing channel through which you can anonymously report suspected misconduct.
Reports can be submitted in Finnish or English via the WhistleB service.