Information security management systems - ISO 27001


The ISO/IEC 27001:2017 Information Security Management System (ISMS) standard is the latest version of the international standard for managing the logical, physical and organizational security of data. Today, with the growing volume of networked data and the multiplication of global information exchanges, security has become an increasingly pressing issue of general interest.

The ISO 27001 Management System can be implemented by all private and public enterprises, regardless of industry or type of business. Information should be considered the same as any other asset and should be protected as such. The goal of the ISO 27001 standard is precisely to protect data in order to ensure its integrity, confidentiality and availability.


ISO 27001 certification helps Organizations achieve a high level of security for the information they hold and ensures that access to data is controlled as fully as possible.

Certification provides numerous benefits, including:

- Identification of risks and implementation of specific management strategies
- Consolidation of information security systems
- Protection of data from unauthorized access and computer viruses
- Reduction of damages involving legal and contractual liabilities
- Positive influence on corporate image in the eyes of partners and stakeholders
- Prevention of business interruption risk.


Compliance with ISO 27001 does not relieve the Organization from complying with the minimum security measures and requirements of European Regulation 679/2016 (General Data Protection Regulation). However, there are several points of contact:

- Data confidentiality, availability and integrity: need to establish effective systems for data protection and privacy management
- Assessment of related risks: mandatory analysis and monitoring of possible risks related to the specific activities of the Organization
- Notification obligation: authorities in charge and data subjects must be notified in a timely manner in the event of a privacy breach
- Records of processing: each Organization must compile and maintain a record of its processing activities and the data it holds.


One of the main concerns for those approaching the certification process for the first time is the prospect of having to disrupt their Organization.

In practice, implementing an Information Security Management System consists of a series of activities aimed at the judicious reorganization of practices already in place within the company, so as to ensure greater control over them.

ISO 27001 certification, like all major new-generation international standards, is based on the Risk-Based Thinking approach: it aims to analyze and monitor risks in order to prevent damage, with a management plan that is consistent with the company's specific characteristics.

In this way, the scope of the Business Continuity Management System (BCMS) can be identified, taking into account:


The process of achieving Information Security certification begins with the implementation of the system, which can be done independently or with the support of an outside consultant. Following implementation, ASACERT verifies the system's compliance with the standard and issues a certificate that is valid for 3 years, subject to annual verification. The initial audit takes place in the first year and is divided into two stages (Stage 1 and Stage 2), at the end of which the certificate is issued.

A surveillance audit is conducted within 12 months of the initial issuance of the certificate to confirm that the certified system has not changed and is still in compliance. In case of major changes, the certification body may amend the certificate so that it reflects the company's changed situation. A second surveillance audit then takes place within one year of the first. At the end of the third year, the certificate must be renewed by means of a renewal audit; otherwise it becomes invalid.


Timelines depend on the readiness and level of compliance of the Management System implemented by the Organization and on the size of the company. For more detailed guidance on costs and timelines, contact us and we will be happy to offer any support you need.