ISO/IEC 27001: Information Security Management System

Certification to guarantee information protection, cyber-security and privacy

ISO/IEC 27001 certification is designed to ensure the compliance and effectiveness of an information security management system in protecting the confidentiality, integrity and availability of information.

Who is the service for?

The certification standard is aimed at organisations of all sizes and types. Indeed, information security does not only concern privacy and personal data, but also intellectual property, process data and the output of computer and telematic services. Every company that handles information is potentially affected.

ISO/IEC 27001 helps organisations assess the risks to the confidentiality, integrity and availability of the information they wish to protect, in order to select the organisational and technical countermeasures to be taken to reduce these risks to acceptable levels.

What are the advantages? 

Certification process 

Following the issue of the certificate, "Surveillance Audits" must be carried out annually from the date of first certification. The duration of ISO/IEC 27001 certification is three years, renewable at the end of the three-year period.


RINA is accredited by Accredia for ISO/IEC 27001 certification, and with this accreditation can extend certification to the Guidelines for Cloud Services (ISO/IEC 27017, ISO/IEC 27018), Incident Management (ISO/IEC 27035) and Privacy Management (ISO/IEC 27701).

Our audit teams are made up of professionals with high expertise in IT and Security, ICT auditing (CISA auditors, ITIL certified), technical experts in the technology fields, and experts in industry regulations.

Regulatory focus

The ISO/IEC 27001 standard is now in its third edition. The first, published in 2005, 'carried' into the ISO world the requirements and experience of the British standard BS 7799-2, itself the result of continuous refinement in the 1998, 1999 and 2002 editions, and retained its structure. The second edition (in 2013) marked the transition to the High Level Structure (HLS), in order to improve its integrability with other management system standards informed by risk management principles. Two (non-substantial) Corrigenda were published in 2014 and 2015; they remained separate from the standard until they were included in the current edition, which is aligned with the Harmonised Structure (derived from the HLS) and makes minor changes to the requirements.

As it is a standard with technological implications, it is also 'signed' by the International Electrotechnical Commission (IEC). 

ISO/IEC 27001 certification refers to international and national regulations concerning intellectual property, copyright, personal data, essential services, critical infrastructure, cloud services and trust services.

Our experts answer the most frequently asked questions 

The scope refers to the information to be protected, the systems and processes that enable its processing, and the physical perimeter in which that processing takes place.

Yes, the two certifications can be combined in two cases: 

- When the information security management system is integrated with the quality management system and shares its scope, management elements and common documented information, internal audit programme and management review. 
- When the management systems are not integrated and therefore do not share the above-mentioned elements.

In both cases, the certificates remain separate; what changes is the timing and manner of the audits.

No, ISO/IEC Guidelines 27017 and 27018 are a technical extension, so the certificate must always refer to ISO/IEC 27001.

