Certification

International standards and information security

ITAKA SA supports client companies in securing their data such as financial information, intellectual property, sensitive data regarding employees, or information entrusted by third parties through a process of computer protections.

GENERAL INFORMATION
This process relates to the ISO/IEC 27000 series of standards which refer to a set of international norms concerning information security and its management (ISMS or SGSI).

In particular, ISO/IEC 27000 establishes key concepts, principles, and vocabulary related to information security.

ISO27001 is the most well-known standard of the family that provides requirements for an Information Security Management System (ISMS). Its full name is ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements.

This acronym identifies the main international norm based on information security, issued by the International Organization for Standardization (ISO), along with the International Electrotechnical Commission (IEC), international organizations established for the development of international standards.

GOAL OF ISO 27001
ISO has built a series of policies and processes useful for organizations. ISO 27001 helps organizations, regardless of their size and sector, protect the information they possess systematically and economically, and establish an information security management system (ISMS).

WHY HAS ITAKA SPECIALIZED IN THIS FIELD?
Because GDPR (EU)* and the new LPDS (CH)* no longer provide a mere list of points whose application guarantees compliance; a very important aspect is that there is no longer a list of “minimum security measures.” It is the company that, after evaluating the risks, must apply appropriate security measures to ensure the protection of personal data. This point has created the need for companies to find prepared interlocutors who can accompany them on this path.

ITAKA SA represents the ideal partner for this purpose by providing the skills and experience for the implementation of GDPR and LPDS compliance projects, following a consolidated methodology aligned with the indications of Swiss and European supervisory authorities.

Note: The EU Regulation 2016/679 (General Data Protection Regulation or GDPR) and, as provided, the new Federal Law on Data Protection (LDSP) introduce important innovations including:

• Changed formalities (see “different requirements for notifications”)
• Different ways to formalize relationships between the parties involved, some of which become jointly responsible (see “different contents for appointments”)
• Precise formalization of the rights of data subjects
• Obligation to notify personal data breaches, both to the supervisory authority and to the data subjects concerned
• New figure of Data Protection Officer (DPO)
• A system of very severe sanctions, especially for the GDPR

PROTECTION OF DATA AND FUNDAMENTAL FREEDOMS RELATING TO THE SECURITY OF PERSONAL DATA
Data protection must be continuously ensured by preparing and implementing an adequate system for managing the security of personal data. The new Regulations require a shift from static compliance to dynamic compliance. Protection must extend to the entire lifecycle of personal data: from its acquisition and use (lawful, fair, and transparent) to its retention (secure and limited over time).

WHY GET ISO/IEC 27001 CERTIFIED
Because it is an internationally recognizable standard that can increase business opportunities for organizations and professionals worldwide. Furthermore, it is subject to verification and certification to equip your company with a tool to prevent security incidents resulting from inadequate management and safeguarding of information and to protect informational resources from any type of infringement.

WHY YOU NEED AN ISMS

• Compliance with legal requirements: Compliance with legal requirements is essential, considering the continuous increase in laws, regulations, and contractual obligations related to information security. The good news is that most of these requirements can be addressed through the implementation of ISO 27001. This standard provides a comprehensive methodology to ensure compliance with all regulatory aspects.
• Gaining a competitive advantage becomes possible through certification. If your company is certified and your competitors are not, it may enjoy an advantage in the eyes of customers who value information security.
• Cost reduction is a key benefit of ISO 27001, based on the philosophy of preventing security-related incidents. Every incident, regardless of its magnitude, incurs financial costs. Investing in prevention through ISO 27001 allows your company to save significantly in economic terms. The important thing is that the investment in ISO 27001 is significantly lower than the savings obtained on incident management costs.
• ISO 27001 offers an additional benefit through better organizational structure. Often, rapidly growing companies find themselves facing the challenge of clearly defining their processes and procedures, causing uncertainty among employees about what to do, when, and by whom. The implementation of ISO 27001 effectively resolves this situation, as it encourages companies to document their core processes, even those not directly related to information security. This helps reduce the time spent by employees, improving the overall efficiency of the organization.

THE ADVANTAGES OF HAVING A CERTIFICATION FOR A COMPANY
The security of having a process to protect the fundamental values of the company:

• Work processes
• Intellectual and technological know-how
• Financial information
• Customer data

Compliance with the new Regulations is an opportunity to introduce new concepts in the company related to security management, identifying the resources used for a preventive analysis of potential criticalities/vulnerabilities, holding all parties involved – internally and externally – accountable, and documenting the controls introduced.

These concepts are easily extendable from the “compliant” treatment of personal data to a “secure” treatment of all data that make up the company’s assets, with obvious potential synergies and integrations.

Furthermore, there is awareness on the part of those approaching the company that any information or data handled and/or exchanged is protected by a security system.

HOW ITAKA ACCOMPANIES A COMPANY TO CERTIFICATION

• By identifying data categories and evaluating their relative criticality in terms of confidentiality, integrity, and availability
• Identifying stakeholders
• Listing and cataloging applications used in processing
• Identifying and documenting processes
• Proceeding with the necessary authorizations
• Identifying recipients to whom data is communicated
• Identifying and assigning risks and controls
• Identifying and holding accountable external suppliers involved

HOW ITAKA CAN MAKE YOUR COMPANY AN EXCELLENCE

WHY ISO 9001 CERTIFICATION IS IMPORTANT
ISO 9001:2015 is a widely accepted standard globally, designed to guide the creation, implementation, and governance of a Quality Management System in any type of company. Its flexibility makes it suitable for organizations of various sizes and sectors. Being an international standard, it is considered a solid foundation for establishing a system that aims to ensure customer satisfaction and promote continuous improvement in any business context. As a result, many companies consider it an essential requirement for their suppliers.

When a company verifies its processes evaluated by an international certification body, its potential customers do not need to conduct further checks thanks to ISO 9001. For many companies, possessing this type of certification has become a necessity.

Furthermore, customers find comfort in knowing that the company they are dealing with has implemented a Quality Management System that adheres to the 7 principles that form the basis of the ISO 9001 standard.

WHAT THE ISO 9001 CONSISTS OF
ISO 9001 consists of 10 sections, the first 3 of which constitute the introduction while the remaining 7 represent the requirements for how the Quality Management System should be organized.

Let’s look at these 7:

Section 4: Context of the organization
This part concerns the necessary conditions to acquire a deep understanding of your company’s structure in order to establish a Quality Management System (QMS). It involves the need to recognize internal and external challenges, identify the parties involved and their perspectives, outline the QMS objective, and identify the procedures and internal dynamics between them.

Section 5: Leadership
Leadership criteria refer to the importance that top management plays in implementing the Quality Management System (QMS). It is crucial that Top Management demonstrates tangible commitment to the QMS by ensuring a constant focus on the customer, outlining and communicating the quality policy, as well as assigning roles and responsibilities within the organization.

Section 6: Planning
Leadership is responsible for the continuous planning of the Quality Management System (QMS). It is essential to evaluate the risks and opportunities associated with the QMS within the organization, identify objectives for quality improvement, and develop plans to achieve those objectives.

Section 8: Operation
Operational criteria involve all aspects of product or service design and realization. This section includes requirements related to planning, reviewing product requirements, design, control of external providers, production and distribution of the product or service, as well as control of non-conforming process outcomes.

Section 9: Performance evaluation
This section includes the essential requirements to ensure effective monitoring of the QMS operation. These requirements encompass monitoring and measuring processes, evaluating customer satisfaction, internal audits, and QMS review by Management.

Section 10: Improvement
This section incorporates essential requirements for continuously improving the organization’s Quality Management System over time. This entails evaluating process non-conformities and implementing relevant corrective actions for those processes.

THE ADVANTAGES OF ISO 9001 FOR COMPANIES
Companies of all sizes have successfully adopted this standard, achieving significant benefits in terms of cost reduction and efficiency.

Increase customer satisfaction:
By focusing on improving customer satisfaction, ISO 9001 helps identify and meet customer requirements and needs, contributing to increased customer loyalty.

Enhance image and credibility:
ISO 9001 certification by an authoritative body indicates to customers that you have implemented a system focused on meeting customer requirements and improvement. This increases their confidence in your ability to keep promises.

Fact-based decision-making:
ISO 9001 promotes making decisions based on real data, enabling better allocation of resources to address issues and improve overall organizational efficiency.

Complete process integration:
The process approach of ISO 9001 considers not only individual processes but also interactions between them. This facilitates identifying areas for improvement and resource savings throughout the organization.

Culture of continuous improvement:
With continuous improvement as the main objective, ISO 9001 allows for consistently increasing results in terms of time, money, and resource savings. Introducing this culture in the company encourages employees to focus on improving processes for which they are directly responsible.

Employee involvement:
Involving staff in finding effective solutions to improve processes is a key aspect of ISO 9001. By focusing employees’ efforts not only on maintaining but also innovating processes, engagement and accountability towards business outcomes are increased.

HOW ITAKA PREPARES THE PATH TO ISO 9001 CERTIFICATION (ESSENTIAL PHASES)
ISO 9001 certification is a process that consists of two types: the certification of a company’s Quality Management System (QMS) in compliance with the ISO 9001 standard requirements and individual certification for those who must perform verifications against these requirements. This section details the phases that a company must follow to implement and certify an ISO 9001 QMS.

ISO 9001 certification for your company requires establishing a Quality Management System (QMS) in compliance with the ISO 9001 standard requirements. To do this, you will need to involve an officially recognized certification body that will assess and approve your QMS to ensure compliance with the standards established by ISO 9001.

Starting from support in managing and identifying the customer requirements for the Quality Management System (QMS), it is essential to begin defining the quality policy and quality objectives. Together, these elements define the overall purpose and implementation of the Quality Management System. Along with these aspects, you will need to develop the necessary processes and procedures, as well as additional ones, tailored to the specific needs of your organization for creating and delivering the product or service. The six mandatory documents must be included, but additional ones can be added, at the discretion of the company, based on its own needs.

ITAKA works alongside Companies assisting them in this process, ensuring that the Certification Body finds a company that is compliant, in every respect, with the requirements necessary for issuing the certification. This applies both to the QMS and to the individual people dedicated to verifying compliance with ISO 9001 requirements. Once all processes and procedures are in place, it will be necessary to use the QMS for a period. By doing so, the necessary records can be collected to move on to the next phases: verifying and reviewing your system and obtaining certification.

Through ITAKA, the following steps are taken:

Analysis and Identification of Requirements
Understand and define the requirements of the Quality Management System (QMS) based on the ISO 9001 standard, along with identifying the customer requirements.

Definition of Policy and Quality Objectives
Formulate the quality policy and establish objectives that will guide the implementation and operation of the QMS.

Development of Processes and Procedures
Create the necessary processes and procedures to produce and deliver products or services, adapting them to the organization’s specificities.

Mandatory and Additional Documentation
Prepare the six mandatory documents required by the ISO 9001 standard and add additional documents, if deemed necessary to meet business needs.

Implementation of QMS
Introduce and apply the QMS within the organization, involving staff and integrating practices into business processes

Verification and Evaluation
Conduct internal audits to verify the effectiveness of the QMS and assess areas for improvement.

Selection of Certification Body
Choose a recognized certification body to assess the QMS and approve it as compliant with the ISO 9001 standard.

Certification Audit
Undergo the certification audit by the chosen body to obtain ISO 9001 certification.

Issuance of Certification
Receive the official certification once the QMS has been assessed and approved by the certification body.