To obtain a cybersecurity label, the product or service must pass an inspection performed by a third party. The inspection checks that the product meets the requirements and documents the findings made by the inspecting body. The inspection may be carried out by an information security company approved by the NCSC-FI at Traficom. The Cybersecurity Label is issued by the NCSC-FI.

Assessment process

The company starts discussions with Traficom or an inspection body approved by Traficom.

  1. The company submits the statement of compliance and the product to the inspection body.
  2. Threat modelling is carried out with the inspection body.
  3. The inspection body creates a testing plan.
  4. Traficom approves the threat modelling and testing plan.
  5. The inspection body undertakes the testing in cooperation with the company.
  6. The inspection body submits the statement of compliance and test report to Traficom.
  7. Traficom reviews the testing and results.
  8. Proceed to the next steps in the application process.

Traficom makes the decision on granting the label.

Threat modelling and testing plan

Before the inspection, threat modelling is carried out on the product. Based on the exercise, an inspection plan is prepared and submitted to the NCSC-FI for review. Once the NCSC-FI has approved the plan, testing can be started with reasonable certainty that the tests carried out in accordance with the plan will result in the product meeting the requirements and being granted the Cybersecurity Label.

Information security inspection

The inspection body undertakes the inspection in accordance with the plan. The inspection report and statement of compliance are then sent to the NCSC-FI for review.

Granting the label

Once all the documents have been submitted, a meeting is held to review the inspection. If the inspection passes the review and all the necessary documents and information have been submitted in the correct form, the NCSC-FI grants the Cybersecurity Label.

Would you like to undertake Cybersecurity Label inspections?

The criteria set for external inspection bodies can be grouped into administrative and technical requirements. The objective of the requirements is to ensure that companies have sufficient capabilities and expertise to perform information security inspections and assess whether applicants meet the requirements of the Cybersecurity Label.

For more information, please contact the NCSC-FI at Traficom or email us at cybersecuritylabel@traficom.fi.

Administrative requirements

An inspection body must demonstrate its expertise in and knowledge of the administrative matters and requirements associated with the inspections. It must also understand and be committed to the target level of the inspections.

An inspection body must be politically, economically and administratively independent of the organisation commissioning the inspection or the manufacturer of the product/service being inspected. The inspection body must designate at least two persons with the necessary administrative and technical competence to carry out the tests required for the Cybersecurity Label.

Technical requirements

An inspection body must demonstrate its experience in, and capability for, designing and conducting information security inspections. This can be done, for example, by providing references for past technical information security testing relevant to the inspections concerning the Cybersecurity Label.
