An Information Security Management System (ISMS) compliant with the ISO/IEC 27001:2013 standard is the internationally recognized means by which an organization can demonstrate that it is able to protect its information, both its own and that entrusted to it by third parties.

But what is meant by "information"? It is an asset of the organization which, like any other important asset or resource, is essential to the organization's business and must consequently be adequately protected.

The information to be protected is independent of its format, because ISO/IEC 27001:2013 is not a standard exclusively for the IT world or for information technology in general. It covers paper documents, verbal communications, conversations in public places, letters and e-mails exchanged with customers and suppliers, patents, and trade secrets which, if they became public or fell into the hands of competitors, would cause the company significant economic or reputational damage.

The standard enables the organization to identify and continuously update its processes for the control of physical, logical and organizational security; to carry out risk analysis in order to identify suitable security measures; to manage appropriate and regularly updated operating procedures and instructions; and to monitor its business processes.

The ISO/IEC 27001 standard is the only auditable and certifiable international standard that defines the requirements for an ISMS, and it is designed to ensure the selection of adequate and proportionate security controls. In this way information can be protected from internal and external risks, and stakeholders can place their trust in the organization.

The ISO/IEC 27001 standard aims to ensure the preservation of the confidentiality, integrity and availability of information; further properties, such as authenticity, non-repudiation and reliability, may also be considered:

  • confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes;
  • integrity: the property of protecting the accuracy and completeness of information and of the assets that hold it;
  • availability: the property of being accessible and usable on demand by an authorized entity.

How is the certification granted?

Certification audit

  • Stage 1: Stage 1 of the Information Security Management System (ISMS) certification process is carried out at the premises of the organization to be certified and consists of a review of the management system documentation, i.e. of what has been planned before its execution is examined. If the result is positive, the certification process moves on to stage 2;
  • Stage 2: Stage 2 of the ISMS certification process, conducted on site, assesses the conformity of the management system as it operates against the activities and subject matter covered by the scope of the system. If the result is positive, certification is granted.

Maintenance audit

Maintenance audits are designed to assess the continued conformity of the ISMS and the effective and efficient treatment of any findings (which APAVE CERTIFICATION ITALY classifies as Non-Compliances, Observations and Comments) raised in previous audits.

Renewal audit

Every three years, APAVE CERTIFICATION ITALY carries out an audit aimed at evaluating the overall and continued effectiveness of the ISMS. This activity takes into account the performance of the ISMS throughout the entire past certification period and includes a review of the documentation, by means of an audit that evaluates the ISMS as a whole.

What advantages does certification of the information security management system offer?

Certification is a guarantee, both for the organization and for the market it addresses, that its business data is protected.

This allows the company to:

  • implement its information security policy systematically;
  • apply organization-wide risk management to information security and the systems that support it;
  • effectively monitor the areas most at risk;
  • define and carry out suitable security objectives and measures;
  • comply with legal and contractual requirements;
  • apply recognized technical and organizational methods (such as vulnerability assessment and penetration testing);
  • perform a systematic risk analysis;
  • provide assurance to itself and to third parties.

Reference standard

ISO/IEC 27001

The standard for Information Security Management Systems establishes the requirements of a management system capable of protecting an organization's business information.
