ISO 27001:2017

ISO 27001 sets out the requirements for an Information Security Management System (ISMS). Its main objective is to establish a system for managing risk and protecting information and company assets, including IT assets. The standard applies to all private enterprises and public bodies, as it is independent of business sector, of how the company is organised, and of the purpose of the public body.

WHAT IS IT?

The ISO 27001:2017 standard outlines the requirements for certification of a company's information security management system.

The basic requirements for starting the ISO 27001 certification process are:

  • implement an information security management policy within the workplace, shared with the most important company figures and communicated both internally and externally through the communication channels normally used;
  • carry out its activities in compliance with the concepts of cryptography and business continuity, and in compliance with the current legislation on the protection of information (e.g. the GDPR and subsequent amendments).

WHY START?

Information security certification demonstrates that your company follows information security best practices, and provides independent, qualified verification that information security is managed in line with international best practices and business objectives.

ISO 27001 is a voluntary standard, but holding it is becoming an indispensable attribute for facing the challenges of the market.

WHAT ARE THE BENEFITS?

Through the creation of an information security management system, the operations function takes an active role in the production process: it must manage, monitor, control and improve the information security of your company through efficient risk management.

In this way the company can protect its information and build trust with stakeholders, in particular its customers and suppliers, while at the same time creating guarantees for internal staff.

HOW LONG DOES IT LAST?

ISO 27001 certification is valid for three years and can always be renewed: at the end of the three-year period, the company can start the procedure to renew its certificate, which will be reissued with an updated date and any changes deemed necessary.

After the first certification is achieved, IWZ will carry out maintenance checks at the end of the 1st and 2nd year from the date of issue of the certificate. At the end of the 3rd year, the customer can decide whether or not to renew the certificate.

WHAT ARE THE VARIOUS STAGES?

  • Request for certification: in this stage we establish the economic aspects and the activities that the auditors will perform during the certification process. IWZ submits its certification offer to the customer and an agreement is signed between the parties (application for certification).
  • Pre-assessment audit (optional): in this optional stage, the customer can work with IWZ’s staff, who examine how ready the management system is for certification, with the aim of improving its processes and minimizing major non-conformities.
  • Training (optional): in this stage we explain the various points of the standard and describe the best methodologies for managing the company system in relation to the certification standard in question.
  • Certification audit: in this phase the actual certification audit begins, taking place mainly at the company headquarters. After inspecting the various sites covered by the certificate and interviewing the top management figures, the auditor collects information and checks the documentation relating to the management system being certified. The auditor determines which mandatory and voluntary reference standards apply to the system under certification. In the absence of major non-conformities, the auditor submits a request to the decision-making committee to issue the ISO certificate.

IWZ is able to guarantee that the certification process is concluded in a short time, according to the needs of the customer and the maturity of the system under certification.