In this policy, information security means ensuring the confidentiality, integrity and availability of information, regardless of its form. This policy defines the basic requirements for information security and creates a foundation for the planning and implementation of activities in line with the policy. To support the implementation of the policy, further guidelines will be drawn for the various areas of information security. This information security policy obliges Kesko Group personnel in all operating countries.

Information security is implemented and developed in a risk-based manner, using appropriate and cost-effective solutions. The appropriateness of the information security policy is reviewed annually by Kesko Group’s Risk Management Steering Group.

The information security policy, together with Kesko values, the K Code of Conduct, and risk management, safety and privacy policies, form an integral part of the Corporate Governance adhered to at Kesko.   


The primary objective of information security is to ensure the continuity of activities under the responsibility of Kesko Group in all circumstances. Appropriate and efficient information security enables the availability of the ICT solutions related to Kesko's activities, as well as the integrity and confidentiality of the information used in processes, data files and services in all circumstances in all countries of operation. This policy forms the basis for ensuring undisrupted operations and secure data processing of Kesko Group IT systems.

At Kesko, securing customer data and other data generated and processed by digital functions is an integral part of responsible operations, which our customers and partners expect from Kesko. The growth of digitalisation means that information security is increasingly regulated by legislation. Each Kesko Group employee in each operating country must adhere to the information security policy, supplementary principles and guidelines, and legislation.

Information security steering model and responsibilities

The information security steering model is part of the Kesko risk management steering model. The responsibilities of the Audit Committee of Kesko's Board of Directors include reviewing the efficiency of Kesko Group's internal control and risk management systems. In this role, the Audit Committee ratifies the Group's information security policy and addresses the Group's main information security risks in its meetings.

The President and CEO is responsible for ensuring that Kesko has functioning information security incorporated in its risk management system. Group IT Management and Risk Management functions assist the President and CEO in implementing information security. The Risk Management Steering Group, which includes representatives of the divisions, addresses and monitors the Group's information security risks and the realisation of risk management responses.

Responsibility for implementing information security lies with the management of business divisions and common functions. IT Management coordinates the information security process and is responsible for reporting and, together with business divisions and common functions, carries out the identification of information security risks and the definition of risk management responses. Every Kesko employee must identify risks related to information security and respond to them. The table in Appendix 1 contains more detailed responsibilities.

Implementing information security

Risk assessment
Information security risks are assessed and analysed regularly on the basis of their business impact. Risk assessments must also be made when setting up new systems and whenever significant changes occur that affect the criticality of operations.

Classification and processing of information
Kesko uses an information classification method to instruct how information is to be classified and to define information security controls for the processing of information belonging to different categories.

Processing of personal data
The privacy policy and guidelines define how customer information and personal data are processed at Kesko.

Information security requirements
Kesko's information security requirements define the minimum level of information security required of contractual partners. 

Information security training
As a minimum, all employees of Kesko Group must complete an online information security training each year. The completion of the training is monitored. Additionally, task-specific information security training is organised for selected target groups.

Control and monitoring
Maintaining and improving information security calls for systematic and continuous monitoring of the operation of information systems. Those responsible for monitoring are by law bound to confidentiality regarding the information handled at work.

Reports on the state of information security are provided in connection with normal internal monitoring, and with internal and external audits. Technical information security is assessed on an ongoing basis, and separate information security audits are carried out in key environments.

Processing of information security incidents

Kesko has procedures and services for detection of information security incidents. Defined operational models are in place for processing information security breaches, and any breaches are reported to the management.

Information security breaches

Any activities that are in breach of the information security policy or principles are regarded as information security breaches. Kesko has specified practices for breach situations.

Communication to employees and partners

Kesko's information security policy is public. More detailed information security responsibilities are available in the appendix, which is internal to Kesko. The policy is provided to all employees on the intranet, translated into local languages of operating countries. The information security policy is available in Finnish and English at

Approving the information security policy

The Audit Committee of Kesko's Board has on 17 December 2018 approved this policy and monitors its implementation. This information security policy replaces the information security policy approved by the IT Management group on 20 December 2013.

To top