The Act on Information Management in Public Administration (906/2019) lays down obligations relating to information security measures that apply to information management units and authorities as well as to private individuals or corporations or to corporations subject to public law other than those serving as authorities insofar as they perform public administrative tasks. The Act also lays down provisions on a minimum level for information security measures and on an obligation for organisations to monitor the state of the data security of their operating environment and ensure the data security of their datasets and information systems over their entire lifecycle. Organisations shall determine the material risks related to data processing and scale their data security measures in accordance with a risk assessment. With respect to procurement, organisations shall ensure that appropriate data security measures have been implemented in the information system to be acquired.

The recommendation issued by the Information Management Board describes the assessment criteria for information security in public administration (Julkri) and provides instructions for using them. The assessment criteria support the development and assessment of information security in public administration as a whole. The criteria can be used to assess the fulfilment of the information security requirements laid down in the Information Management Act, Security Classification Decree and partly also in the General Data Protection Regulation.

The Information Management Board approved the collection of recommendations on 11 May 2022.

Publication was updated on 15th February 2023, p. 59.