ISO 27001:2022 — certified ISMS in operation
Certified Information Security Management System (ISMS) covering the platform, hub operations and customer data for Italy.
Scope statement — what's covered
The scope covers platform infrastructure, customer data systems, employee workstations and hub operations, including the printing/embellishment lines. The full scope statement is available on request.
Annex A controls — 93 selected
ISO 27001:2022 Annex A has 93 controls across four themes: organizational, people, physical and technological. The Statement of Applicability (SoA) documents which controls apply, the justification for each, and its implementation status.
Audit cycle — surveillance and recertification
The initial certification audit runs in two stages, followed by surveillance audits annually and a recertification audit every 3 years. The certifying body is accredited by a national accreditation body (UKAS, ENAC, etc.).
Italy — local context
Italian customers and regulators broadly recognize ISO 27001. The ISMS coordinates with NIS2 and DORA obligations where applicable. Physical controls at the Milano hub are audited as part of the scope. Fiscal data systems related to IVA (22%) are covered under the confidentiality controls.
FAQ
Latest version — 2022 or 2013?
2022. We have migrated, and the SoA reflects the new control structure.
Statement of Applicability — shared?
Yes, under NDA. Specific control IDs are excluded only where they are carved out to sub-service organizations.
Surveillance audit frequency?
Annually, with a recertification audit every 3 years.
Major non-conformities?
Our track record is published in the transparency report. Any major non-conformity (NC) is closed within the agreed corrective and preventive action (CAPA) timeline.
Mapping to SOC 2?
Yes. A controls mapping document is available, which saves effort for buyers who ask for both.