Integrated Management System

We have developed an Integrated Management System (IMS) that meets the requirements of the ISO 9001, ISO 13485, ISO/IEC 20000-1, ISO/IEC 27001 and ISO 22301 international standards, with the objective of developing work and process methodologies that combine standardisation with flexibility and a capacity for self-improvement, supported by experienced, knowledgeable and motivated individuals.

Change as a growth strategy

Creating value through prevention, satisfaction, motivation

These standards provide the requirements for the implementation, enactment and improvement of a quality management system (ISO 9001 and ISO 13485), an IT service management system (ISO/IEC 20000-1), an information security management system (ISO/IEC 27001) and a business continuity management system (ISO 22301). The Integrated Management Manual describes all of these management systems, the processes within the scope of each system and the Group companies to which the standards are applicable.

Quality Policy (ISO 9001)

Our Group has always been focused on developing competencies and solutions, and providing consultancy and system integration services that allow our customers to transform the need to change into a growth opportunity.

To reach these objectives, it is important to develop work methodologies and processes that combine standardisation with flexibility and the capacity for self-improvement, and it is necessary to maintain a highly skilled, knowledgeable and motivated workforce.

For this reason, management defined a new organisational structure and plans to implement a quality management system, according to the ISO 9001 international standard, supplemented with specific standards for software and systems engineering (e.g., ISO/IEC 12207, ISO/IEC 250nn).

The Quality Management System, based on an approach that seeks to prevent non-compliance, is systematically monitored to evaluate its effectiveness, including through the use of internal audits.

More specifically, the Management undertakes to:

  • guarantee the effectiveness of the Quality Management System;
  • promote the process approach and the management of risks that can affect the conformity of products/services and the ability to improve customer satisfaction;
  • communicate the importance of satisfying customer requirements, legal and regulatory prescriptions, as well as contractual obligations;
  • establish and communicate the quality policy and its objectives;
  • communicate to the company the importance of meeting the established goals and complying with policies, legal responsibilities and continuous improvement requirements;
  • ensure the availability of resources to establish, implement, manage, monitor, review, operate, update and improve the Quality Management System;
  • establish risk acceptance criteria and acceptable levels of risk;
  • perform periodic reviews of the Quality Management System to ensure that expected results are achieved and ongoing improvement is promoted.

The strategic objectives of the policy, which interact synergistically, are:

  • ensure that customer needs are defined and met in order to increase customer satisfaction and retention;
  • increase employees' awareness of and involvement in the business goals and objectives, and their contribution to the organisation's continuous improvement (employee satisfaction);
  • improve employees' professionalism and their ability to convey it effectively and efficiently;
  • increase the business's competitive advantage effectively and efficiently by improving operating profits and market share;
  • develop the ability to create value, by optimising both costs and resources, which increases the speed of market response.

To make the planning and achievement of these objectives systematic, and to make them transparent to our customers, management ensures its support and the commitment of all necessary financial and professional resources, and intends to provide tools and actions that facilitate the full adoption of the quality management system by all individuals in the organisation and encourage each individual's contribution to continuous improvement.

IT Service Management Policy (ISO/IEC 20000-1)

The services feature high and frequent interaction with end users and are based on specific concepts such as guaranteeing continuity, availability and compliance with service levels.

Exprivia has decided to spread the culture of quality service management within its organisation by providing training courses and encouraging its personnel to become qualified on sector best practices (ITIL). In addition, to obtain formal external recognition of its capacities to manage quality IT services, it decided to adopt and certify the IT services it provides to its customers in compliance with the ISO/IEC 20000 international standard.

In brief, the company management makes a strong commitment to ensuring that the services provided to customers are planned, developed, implemented, run, monitored, updated and continuously improved through an IT Service Management System.

In detail, the management commits to:

  • establish and communicate the scope, the policy and the objectives relating to service management;
  • ensure that a service management plan is created, implemented and updated for each service provided in order to comply with the policy, achieve service management targets and satisfy service requirements;
  • communicate the importance of meeting service requirements;
  • communicate the importance of meeting legal and regulatory requirements as well as contractual obligations;
  • ensure that resources are made available;
  • conduct management reviews at pre-established intervals;
  • ensure that service risks are assessed and managed;
  • ensure that service management authorities and responsibilities are defined and kept up to date.

The management has also designated a manager who has the authority and responsibility for:

  • ensuring that Integrated Management System processes are established, implemented, kept updated and improved in compliance with the ISO 9001, ISO 13485, ISO/IEC 20000-1 and ISO/IEC 27001 standards and in accordance with the policies and objectives established by the management;
  • ensuring that activities are completed to identify, document and satisfy product and service requirements;
  • ensuring that awareness is promoted throughout the organisation of the importance of always meeting customer and regulatory requirements;
  • ensuring that the assets, including licences, used to develop products and provide services are managed in accordance with legal and regulatory prescriptions as well as contractual obligations;
  • maintaining relationships with external bodies for the certification of the various components of the integrated management system;
  • reporting to the management on the performance of the Integrated Management System, including on any need for improvements.

The strategic objectives defined are the same as those documented for the Quality Policy.

Policy on the Information Security and Privacy Management System (ISMS)

Exprivia's information security policy requires, consistently with the company mission, that the management of all its business processes be based on its rules for applying the ISO/IEC 27001 standard and on the regulatory requirements contained in Italian Legislative Decree 196/03 and EU Reg. 679/2016. The principle is that what existing personal data protection legislation prescribes are technical and organisational security measures, and that personal data are a subset of the information that must be protected, not only for the company's business but also to respect the rights and freedoms of natural persons.

Furthermore, as a provider of ICT cloud solutions, Exprivia recognises the need to extend the scope of information security by following the ISO/IEC 27017 “Code of practice for information security controls based on ISO/IEC 27002 for cloud services” and ISO/IEC 27018 “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors” guidelines.

Purpose

The Management of Exprivia has defined and disseminated at all levels of its organisation this policy on the Information Security and Privacy Management System.

The purpose of this policy is to guarantee the protection, from all threats, whether internal or external, intentional or accidental, of:

  • the information necessary for Exprivia's business (of which personal data is just one of the classes of information to be protected),
  • the information of its clients which is managed in the life cycle of the products and services supplied to them,

in conformity with the indications envisaged by Italian Legislative Decree 196/03, EU Reg. 679/2016, ISO/IEC 27001 and the ISO/IEC 27017 and ISO/IEC 27018 guidelines.

Scope of application

This policy applies without distinction to all the bodies and levels of Exprivia.

All personnel are required to implement this policy, and it must be communicated to any external party who, for any reason, may be involved in processing information that falls within the scope of application of the Information Security Management System.

Our policy on Information Security

The information assets to be protected consist of all the information managed through the services provided and located in all of the company's offices.

It is necessary to guarantee:

  • the confidentiality of the information: namely, the information must only be accessible to authorised persons.
  • the integrity of the information: namely, the correctness and completeness of the information and of the methods used to process it must be protected.
  • the availability of the information: namely that authorised users can actually access the information and the assets that contain it.

The absence of adequate security levels may lead to damage to the company's image, a lack of customer satisfaction, the risk of incurring sanctions for violating the laws and regulations in force, and economic and financial damage.

An adequate level of security is also essential for sharing information.

The company also identifies all security requirements by analysing and assessing information security risk and by carrying out a DPIA (Data Protection Impact Assessment) on the protection of personal data, which establishes how exposed the data management system is to threats.

The risk assessment and the DPIA make it possible to evaluate the potential consequences and damage, material and immaterial, that may result from any failure to apply technical and organisational security measures to the information assets, together with the probability that the identified threats occur.

The results of this assessment determine the necessary actions to identify the correct and adequate security measures and mechanisms to guarantee personal data protection.

Responsibility for compliance and implementation

Compliance with and implementation of the policy are the responsibility of all personnel and of all external parties who have a relationship or collaborate with Exprivia and who are in any way involved in the processing of data and information that falls within the scope of application of the Information Security and Privacy Management System. Everyone is also responsible for reporting any anomalies and violations of which they become aware.

Anyone - employees, consultants and/or external collaborators of the Company - who, intentionally or negligently, disregards the established security rules, causing damage to Exprivia, may be prosecuted in the appropriate venues and in full respect of legal and contractual rules.

Review

Management periodically and regularly verifies the effectiveness and efficiency of the Information Security and Privacy Management System, so as to promote and encourage a continuous improvement process, also in response to changes in the internal and external environment.

Management commitment

Management actively supports activities relating to the management of information security and privacy by way of clear guidance, a strong commitment, explicit assignments and recognition of responsibilities in the field of information security and privacy.

Management's commitment is implemented through a structure whose duties are:

  • to guarantee that all objectives relating to information security and privacy, as well as conformity with the business requirements, are identified;
  • to establish the company roles and responsibilities for developing and maintaining the ISMS;
  • to provide sufficient resources for the planning, implementation, organisation, control, revision, management and continuous improvement of the ISMS;
  • to check that the ISMS is integrated into all business processes and that procedures and controls are effectively developed;
  • to approve and support all initiatives aimed at improving information security and privacy;
  • to activate programmes for spreading awareness and a culture of information security and privacy.