Information Security Systems – ISO/IEC 27001

INFORMATION SECURITY MANAGEMENT SYSTEMS - ISO 27001

THE CERTIFICATION

The ISO IEC 27001:2017 Information Security Management System (ISMS) is the latest version of the international standard aimed at ensuring the correct management of logical, physical and organizational data security. Today, thanks to the increased circulation of data on the web and the multiplication of information exchanges on a global level, the issue of security has become increasingly pressing and of general interest.

The ISO 27001 Management System can be implemented by all private and public companies, regardless of the sector and type of company. Information must be considered as any other asset and must be protected as such. The objective of the ISO 27001 standard is precisely to protect data, in order to ensure its integrity, confidentiality and availability.

BENEFITS

The ISO 27001 certification contributes to achieving high levels of security of the information held by the Organizations and ensures the possibility of better managing the degree of accessibility to the data.

The certification guarantees numerous advantages, including:

  • Identification of risks and implementation of specific management strategies
  • Consolidation of information security systems
  • Data protection against unauthorised access and computer viruses
  • Reduction of damages involving legal and contractual liability
  • Positive influence on the corporate image in the eyes of partners and stakeholders
  • Prevention of business interruption

WHY TO GET CERTIFIED?

Compliance with ISO 27001 does not relieve the organisation of compliance with the minimum security measures and requirements required by European Regulation 679/2016 (General Data Protection Regulation). However, there are several points of contact:

  • Data confidentiality, availability and integrity: need to establish effective systems for data protection and privacy management
  • Evaluation of related risks: mandatory analysis and monitoring of possible risks related to specific activities of the organisation
  • Notification requirement: authorities in charge and interested must be informed in a timely manner in the event of a breach of privacy
  • Processing of records: each organisation must complete and keep a record of the activities and data held.

WILL MY COMPANY UNDERGO CHANGES?

One of the main concerns for those approaching the certification process for the first time is the thought of having to turn their organization upside-down.

The interventions necessary to properly implement an Information Security Management System consist of a series of activities that aim to carefully reorganise the practices already in place within the company in order to ensure greater control.

Also the ISO 27001 certification, like all the main new generation international protocols, is based on the Risk-Based Thinking approach and aims at analyzing and monitoring risks from a damage prevention perspective, guaranteeing a management plan that is consistent with the company peculiarities.

WHAT DOES THE CERTIFICATION PROCESS IMPLY?

The Audit taking place in the first year is carried out in two phases (Stage 1 and Stage 2) and leads to the final Certificate issue.

Within 12 months from the first certification, ASACERT carries out a Surveillance audit in order to verify that the management system is unchanged and still compliant with the standard. If any great change occurs, the Certification Body can modify the Certificate updating it to the organisation’s new situation.

Within one year from the first Surveillance Audit a second Surveillance Audit is due.

At the end of the third year, the organisation has to renew the Certificate through a specific Renewal Audit, otherwise the Certification will be no longer valid.

HOW LONG DOES THE CERTIFICATION PROCESS REQUIRE?

The timing depends on the consistency level of the Management System and on the business size.

For further information contact us.

We are happy to help you!