After intense internal audit activities and 600 hours of dedicated work – in addition to 700 hours of preparatory tasks and network management – Irion achieved the important ISO/IEC 27001:2013 certification. The certification body DNV Business Assurance verified that the company meets the international standard for data security and for risk reduction in the management of sensitive data, including customer data and possible trade secrets.
Privacy and customer benefits
This complete management system is known by the acronym ISMS (Information Security Management System) and actively involves the entire organization. DNV certified that Irion employees apply the appropriate levels of confidentiality to digital and paper documents as well as to computer and network hardware. A practical example is the adoption of the new corporate Word template, which states the privacy level and ownership of each document, i.e., the classification policy for the data and information it contains. This results in seven different degrees of confidentiality, each with its own criteria and restrictions.
Being a customer of a certified company means collaborating with a partner that already adopts the procedures, precautions, systems, and processes that guarantee a high level of service and security. The customer thus saves the time and resources that would otherwise go into independently vetting the vendor, since the standard already requires periodic checks and internal audits to ensure compliance with best practices and continuous improvement of procedures. In addition, periodic external audits take place.
In its technical and administrative guidelines, the Agency for Digital Italy (AgID) lists the ISO 27001 standard among the vendor requirements for a more secure public administration. For those who achieve it, the certification helps secure their reputation and promote business expansion while minimizing the possibility of penalties and the risks related to potential cyber-attacks.
Checks and processes
As for the scope of the certification, Irion's processes concern the “design, development, sales, maintenance, and management of software and solutions for Enterprise Data Management and the related consulting on the applications.” To this end, training sessions were held with all employees.
In particular, 114 necessary checks were carried out to achieve this important result. They can be divided into the following four categories:
- Physical checks for physical and environmental safety (15)
- Legal checks related to compliance (8)
- Organizational checks, divided into security policies, organization of information security, and human resource security (15)
- Technical checks, the most structured area, in turn divided into asset management; access control; encryption; operational security; communication security; system acquisition, development, and maintenance; vendor relations; and management of information security incidents and their implications for Business Continuity (a total of 85 checks in this area)