This policy describes the purpose and guidelines of Kesko Group’s (“Kesko”) information security policy, as well as the related responsibilities and organisation.
In this policy, “information security” refers to ensuring the confidentiality, integrity and usability of information regardless of its presentation method. This policy determines basic requirements for information security, and lays the foundation for the planning and implementation of operations in line with the policy. In addition, more specific instructions for various areas of information security are prepared to support the implementation of the policy.
Information security is implemented and developed with a risk-based approach, using appropriate and cost-effective solutions. Kesko Group’s IT Management Steering Group assesses annually whether the information security policy is appropriate.
Combined with Kesko’s value, the K Code of Conduct, and the risk management, security and data protection policies, the information security policy is an integral part of corporate governance at Kesko.
The primary purpose of information security is to ensure the continuity of Kesko’s operations under all circumstances. Appropriate and effective information security ensures the accessibility of IT solutions and the integrity of the information used in processes and services, as well as confidentiality, with regard to Kesko’s operations under all circumstances in all operating countries. This policy lays the foundation for ensuring the security of Kesko’s information systems and data processing.
At Kesko, protecting customer data, as well as the data generated and processed by other digital functions, is an essential part of responsible operations, which both our customers and partners expect from Kesko. The growth of digitalisation means that information security is also increasingly regulated by means of legislation. Each Kesko employee in all operating countries must comply with the information security policy and its supplementary principles and instructions, as well as applicable laws.
Information security risks are assessed and analysed regularly based on their business impacts. Risks must also be assessed in the specification phase of new systems and in connection with significant changes affecting the criticality of operations.
Data classification and processing
Kesko has an information classification method in place governing how information shall be classified, as well as determining information security controls for processing information in various classes.
Processing of personal data
The data protection policy and instructions determine how personal data is processed at Kesko.
Kesko’s system and application development processes include work phases to analyse the data protection requirements applicable to the purposes of use of personal data. The applicable data protection requirements vary depending on the purpose of use of the personal data and information collected. The technical implementation is designed so that it corresponds to the risk level of the processing. Based on the risk level, management methods and information security practices suitable for the situation are selected to manage risk levels and achieve compliance.
Information security requirements
Kesko’s information security requirements determine the minimum level of information security required from contractual partners. The required level of information security can be verified through audits, when necessary.
Information security training
Kesko has several regularly implemented measures in place to improve employees’ awareness of information security. These include online training, phishing message simulations and intranet news, for example. In addition, selected groups are provided with targeted information security training.
Control and monitoring
Improving and maintaining the level of information security require systematic and continuous automatic monitoring of information systems. The persons responsible for control are legally bound by confidentiality in terms of the information they process at work.
The status of information security is reported in connection with normal internal control, as well as internal and external audits. Technical information security is assessed continuously, and separate information security audits are conducted in the most significant environments.
Processing of information security incidents
Kesko has procedures and services in place for detecting information security incidents. There are determined operating models for processing and reporting any information security incidents.
Information security breaches
Non-compliance with the information security policy and instructions is regarded as an information security breach. Kesko has determined procedures for situations involving breaches.
The information security policy is approved by Kesko’s Board of Directors.
The information security policy covers the operations of Kesko companies in all operating countries. Kesko’s personnel must comply with the policy. Kesko’s companies and units are responsible for implementing the policy and for ensuring sufficient resources in their operations.
The President and CEO is responsible for ensuring that Kesko has effective information security in place as part of its risk management system. In implementing information security, the President and CEO is supported by the Group’s IT and risk management functions. The Risk Management Steering Group, which also includes division representatives, processes and monitors the Group’s information security risks and the implementation of risk management measures.
Responsibility for the implementation of information security lies with the management of business operations and common operations. K IT coordinates and develops information security processes and is responsible for reporting and practical implementation in cooperation with service providers, as well as identifying information security risks and determining management measures together with the business operations and common operations. Each member of Kesko’s personnel must recognise risks related to information security and react to such risks.
Information security steering model
The information security steering model is part of Kesko’s Risk Management steering model. In accordance with its rules of procedure, the Audit Committee of Kesko’s Board of Directors monitors and assesses the effectiveness of Kesko’s internal control, internal audit and risk management systems, among other aspects. The Audit Committee reviews the Group’s most significant information security risks.
Approved by Kesko’s Board of Directors on 17 December 2020. Enters into force on 1 January 2021.
Replaces the information security policy approved by the Audit Committee of Kesko’s Board of Directors on 17 December 2018.
Reviewed by IT Management Board on 20 March 2023