Security

You can trust us

At Smartvatten, safeguarding both customer and corporate information is a fundamental priority.

Security you can trust. Built into how we operate

At Smartvatten, safeguarding both customer and corporate information is a fundamental priority. We employ a systematic approach to information security to uphold confidentiality, integrity, and availability across our personnel, processes, and technological infrastructure. Our methodology is grounded in internationally recognized standards, robust governance structures, and a commitment to continuous improvement.

Smartvatten demonstrates a strong commitment to information security by implementing structured measures aligned with global best practices. The organization maintains ISO/IEC 27001 certification, which ensures that risk-based, audited, and continually enhanced controls are integrated into daily operations and decision-making processes. This rigorous framework offers customers assurance that information security is managed with consistency and professionalism.

ISO/IEC 27001 Certification

Certified information security management (Certificate No. C762794)

Smartvatten is certified according to ISO/IEC 27001:2022, the leading international standard for information security management. This certification demonstrates that our information security controls are risk‑based, audited, and continuously improved.

  • Information security is managed systematically, not ad‑hoc

  • Risks are identified, assessed, and treated in a structured way

  • Controls are audited by an independent external auditor

  • Security is embedded in daily operations and decision‑making

Our ISO/IEC 27001:2022 certification is valid for the following scope: Information systems used in providing water measuring systems design, manufacturing and sales in accordance with the statement of applicability (SOA) version 2.0, dated 17.9.2025.

The scope covers Smartvatten sites in Finland as well as its European subsidiary locations. Certification scope and locations are reviewed and maintained as part of our management system.

ISO 27001 certification is not a one‑time exercise. We maintain it through:

  • internal audits

  • management reviews

  • corrective actions and improvements

  • regular external surveillance and recertification audits

The Statement of Applicability (SoA) is a core ISO 27001 document that explains which security controls we apply and why.

The SoA:

  • lists the ISO 27001 Annex A security controls

  • defines which controls are applicable to Smartvatten

  • explains why controls are included or excluded

  • documents the implementation status of applicable controls

In practice, it links our risk assessment to the controls we implement.

  • Demonstrates a risk‑based approach, not checkbox compliance

  • Provides auditors and stakeholders transparency into control selection

  • Ensures controls remain aligned with business and regulatory needs

For security reasons, the full SoA is treated as controlled documentation. However, we can provide appropriate assurance information to customers and partners as part of due‑diligence or security assessments.

Information Security Governance

Smartvatten's information security framework is established through clearly defined roles, structured accountability, and active leadership oversight. Governance processes ensure responsibilities are designated and leadership is engaged in maintaining robust security standards.

  • CEO

    • Approves the Information Security Policy

    • Holds overall accountability for information security

  • Information Security Manager

    • Develops, maintains, and monitors the ISMS

    • Oversees risk management and control effectiveness

  • Information Security Committee

    • Provides cross‑functional oversight

    • Aligns security activities with business objectives

Information security objectives, risks, and performance are reviewed regularly as part of management processes, ensuring security remains aligned with Smartvatten’s strategy and operations.

Information Security Management System (ISMS)

Smartvatten takes a systematic, ongoing approach to security. The company has implemented an Information Security Management System (ISMS) that follows ISO/IEC 27001 standards and is fully incorporated into the Smartvatten Management System.

  • Business continuity: Maintain availability of essential services during disruptions

  • Secure business development: Enable growth, innovation, and partnerships in a secure way

  • Risk management & awareness: Identify, assess, and reduce information security risks over time

  • Compliance management: Meet customer, contractual, and regulatory security requirements

  • Security culture: Build awareness and shared responsibility across the organization

Our ISMS follows a continuous improvement cycle that includes:

  • regular risk assessments

  • internal and external audits

  • control verification

  • training and awareness activities

  • incident simulations and reviews

Information Security Policy

Smartvatten's Information Security Policy establishes clear objectives and guiding principles for safeguarding information and maintaining secure operational practices.

The policy applies to:

  • Smartvatten employees

  • contractors and partners

  • subcontractors and other relevant third parties

  • protection of confidentiality, integrity, and availability of information

  • prevention and mitigation of security incidents

  • compliance with applicable laws, regulations, and standards

Smartvatten has established procedures for:

  • detecting information security incidents

  • responding to and managing incidents

  • escalating and reporting incidents according to defined guidelines

Technical & Operational Security

Smartvatten incorporates security measures into its systems and services right from the initial design phase.

  • secure communications using encrypted connections

  • access control and permission checks

  • authentication mechanisms to verify identity and access rights

  • network‑level protections for systems and devices

We assess and manage security risks related to:

  • cloud service providers

  • technology suppliers

  • third‑party service partners

This includes reviewing relevant certifications, audit reports, and contractual security requirements.

Information security is embedded throughout all stages of product and software development. Smartvatten integrates security measures across the complete lifecycle of system and software creation, beginning with design and continuing through deployment and ongoing maintenance. Our secure development methods are incorporated within our ISMS and conform to ISO/IEC 27001 standards.

Our secure development approach is based on the following principles:

  • Security by design and by default

  • Risk‑based control selection

  • Least privilege and access control

  • Separation of environments

  • Continuous improvement and learning

  • Information security risks related to software, systems, and changes are identified and assessed as part of our ISMS risk management process

  • Security risks are considered when introducing new functionality, technologies, or integrations

  • Risk treatment decisions are documented and linked to applicable controls

  • Security requirements are considered during system and solution design

  • Architecture decisions aim to reduce attack surface and limit blast radius

  • Authentication, authorization, and secure communication are treated as baseline requirements

  • Changes to systems and software are controlled and traceable

  • Access to development, test, and production environments is restricted and role‑based

  • Duties are separated where appropriate to reduce the risk of unauthorized or unreviewed changes

  • Security‑relevant controls are verified as part of development and release activities

  • Identified vulnerabilities and weaknesses are tracked and addressed based on risk

  • Lessons learned from incidents, audits, or testing are used to improve development practices

  • Use of third‑party components, libraries, and services is considered from a security risk perspective

  • Supplier and cloud security requirements are aligned with Smartvatten’s information security policies

  • Relevant certifications, audit reports, and contractual controls are reviewed where applicable

  • Secure configurations are applied when systems are deployed

  • Logging, monitoring, and access controls support secure operation

  • Security updates and improvements are part of ongoing maintenance and lifecycle management

Our SDLC practices support compliance with:

  • ISO/IEC 27001 Annex A controls, including secure system development and change management

  • NIS2 risk management expectations, particularly around system security, incident prevention, and resilience

  • customer and partner security requirements

Regulatory Landscape

The EU NIS2 Directive increases information security requirements for critical sectors by requiring thorough risk management processes and strict incident reporting standards for relevant organizations. It takes a standards-based regulatory approach to provide strong protection across industries. The directive also strengthens cybersecurity practices and reporting procedures. Other regulatory frameworks, such as the Cyber Resilience Act, EU AI Act, Radio Equipment Directive, and various EU and local regulations, further shape Smartvatten’s approach to information security.

Smartvatten’s approach:

  • We actively track cybersecurity regulatory developments

  • We assess how regulations may apply directly or indirectly through customer and partner requirements

  • We align our practices through a robust, standards-based ISMS rather than one‑off compliance projects

This ensures long‑term resilience and consistency across jurisdictions.


Security & Assurance Contact

For security‑related questions, customer assurance requests, or due‑diligence inquiries: info@smartvatten.com