Information security is at the heart of the Incomes Register’s operating culture


The Incomes Register is a system that stores income and personal data concerning millions of Finnish individual taxpayers. Because such data could be misused if it fell into the wrong hands, the Incomes Register has focused on maintaining a high level of information security since the beginning of its data registration activity. We build in the security features as we develop the different stages of the register.

This means that account is taken of data protection, access control and incident management in all our work relating to the incomes information system. Our objective is to safeguard the confidentiality, integrity and availability of all data saved in the register.

We created our information security practices in accordance with ISO/IEC 27001, an international standard.  The ISO/IEC 27001 standard includes internationally tested best practices of information security for 14 different security domains. The standardisation is a framework to keep our information security management systematic and to maintain its continuity. 

‒ Managing information security in a standardised way allows us to use efficient and documented processes and other tools that provide a wide coverage regarding information security. The standardised approach also ensures that we can improve our activities on an ongoing basis, says Terhi Holmström, Head of the Incomes Register Unit.

Doubly audited management model

Adherence to the management model for information security is audited every year. This is done in accordance with the Incomes Register’s internal audit plan.

An external auditor with a mandate from the ISO and the IEC conducts additional audits every three years focusing on the management model: an external audit was first carried out in 2019, the Incomes Register’s first year of activity. A follow-up external audit was carried out in 2022. Both audits confirmed that the Incomes Register’s information security practices are in compliance with the standard. Accordingly, the Incomes Register obtained a certification for its information security.

‒ Our information security practices continue to be certified. This shows that we have succeeded in creating an operating culture that requires us to evaluate all matters relating to information security fully and also prompts us to take action if problems are detected, Terhi Holmström adds.

Page last updated 9/6/2022