These standards provide the requirements for the implementation, enactment and improvement of a quality management system (ISO 9001 and ISO 13485), an IT service management system (ISO/IEC 20000-1), an information security management system (ISO/IEC 27001) and a business continuity management system (ISO 22301). The Integrated Management Manual describes all of these management systems, the processes within the scope of each system and the Group companies to which the standards are applicable.
Quality Policy (ISO 9001)
Our Group has always been focused on developing competencies and solutions, and providing consultancy and system integration services that allow our customers to transform the need to change into a growth opportunity.
To reach these objectives, it is important to develop work methodologies and processes that combine standardisation with flexibility and the capacity for self-improvement, and it is necessary to maintain a highly skilled, knowledgeable and motivated workforce.
For this reason, management defined a new organisational structure and plans to implement a quality management system, according to the ISO 9001 international standards, supplemented with specific standards for software engineering and systems (e.g., ISO/IEC 12207, ISO/IEC 250nn).
The Quality Management System, based on an approach that seeks to prevent non-compliance, is systematically monitored to evaluate its effectiveness, including through the use of internal audits.
The strategic objectives of the policy, which interact synergistically, are:
- ensure that customer needs are defined and met in order to increase customer satisfaction and retention;
- increase employees' awareness of and involvement in the business goals and objectives, and their contribution to the organisation's continuous improvement (employee satisfaction);
- improve employees' professionalism and their ability to convey it effectively and efficiently;
- increase the business' competitive advantage effectively and efficiently by improving operating profits and market share;
- develop the ability to create value, by optimising both costs and resources, which increases the speed of market response.
To make the planning and achievement of these objectives systematic, and to make them transparent to our customers, management ensures its support and the commitment of all necessary financial and professional resources, and intends to provide tools and actions that facilitate the full adoption of the quality management system by all individuals in the organisation and incentivise each individual's contribution to continuous improvement.
IT Service Management Policy (ISO/IEC 20000-1)
The services feature high and frequent interaction with end users and are based on specific concepts such as guaranteeing continuity, availability and compliance with service levels.
Exprivia has decided to spread the culture of quality service management within its organisation by providing training courses and encouraging its personnel to become qualified on sector best practices (ITIL). In addition, to obtain formal external recognition of its capacities to manage quality IT services, it decided to adopt and certify the IT services it provides to its customers in compliance with the ISO/IEC 20000 international standard.
In brief, the company management makes a strong commitment to ensuring that the services provided to customers are planned, developed, implemented, run, monitored, updated and continuously improved through an IT Service Management System.
In detail, the management commits to:
- establish and disclose the field of application, the policy and the objectives relating to service management;
- ensure that a service management plan is created, implemented and updated for each service provided in order to comply with the policy, achieve service management targets and satisfy service requirements;
- communicate the importance of meeting service requirements;
- communicate the importance of meeting legal and regulatory requirements as well as contractual obligations;
- ensure that resources are made available;
- conduct management reviews at pre-established intervals;
- ensure that service risks are assessed and managed;
- ensure that service management authorities and responsibilities are defined and kept up to date.
The management has also designated a manager who has the authority and responsibility for:
- ensuring that Integrated Management System processes are established, implemented, kept updated and improved in compliance with the ISO 9001, ISO 13485, ISO/IEC 20000-1 and ISO/IEC 27001 standards and in accordance with the policies and objectives established by the management;
- ensuring that activities are completed to identify, document and satisfy product and service requirements;
- ensuring that awareness is promoted throughout the organisation of the importance of always meeting customer and regulatory requirements;
- ensuring that the assets, including licences, used to develop products and provide services are managed in accordance with legal and regulatory prescriptions as well as contractual obligations;
- maintaining relationships with external bodies for the certification of the various components of the integrated management system;
- reporting to the management on the performance of the Integrated Management System, including on any need for improvements.
The strategic objectives defined are the same as those documented for the Quality Policy.
Information Security Management System Policy (ISO/IEC 27701)
Information security is highly relevant for any organisation, but particularly for a company like Exprivia, which manages vital information for its own business and also comes into frequent contact with the information and data of its customers while developing products and providing services.
Therefore, the management believes it is important to define an information management policy to be distributed to all internal personnel as well as outside parties that may receive information due to their interactions with Exprivia.
The purpose of this policy is to define:
- the general objectives,
- the principles of action,
in order to protect the information that constitutes the informational wealth of Exprivia, as well as the information of its customers managed throughout the life cycle of the products and services provided, from all internal or external, intentional or accidental threats. The policy applies to information system analysis, design, development, installation, maintenance and management activities, as well as the planning, development and provision of technical and operations management services, and the associated processes and information.
With the awareness that its design and development/service activities for outside parties may entail the transfer of critical data and information, Exprivia works in accordance with internationally recognised security standards.
Therefore, Exprivia has decided to put into place an Information Security Management System (ISMS) that meets the requirements of the ISO/IEC 27001 international standard. The management has established the following information security objectives:
- establishing and implementing an Information Security Management System on the basis of the ISO/IEC 27001 standard;
- guaranteeing an appropriate level of information security within the life cycle of the products and services provided to customers by identifying, assessing and dealing with the risks impacting those products/services;
- ensuring continuity in company business processes and in the services provided to customers;
- preventing information security incidents and minimising their impacts, while safeguarding the interests of the company and other parties concerned;
- ensuring compliance with applicable binding regulations;
- increasing the degree of personnel awareness and skill around information security;
- safeguarding the company’s image with its customers as a reliable and competent supplier;
- identifying opportunities for improvement to increase the effectiveness and efficiency of the management system and its processes.
For each of these objectives, specific goals are set each year to support and confirm continuous improvement.
To reach these objectives, Exprivia has defined the following principles and general guidelines:
- information is an asset of vital importance to the organisation and it is to be protected using effective means of protection and control that ensure its confidentiality, integrity and availability;
- customer information entrusted to Exprivia for any reason must be protected as if it were its own and in any event in compliance with any contractual arrangements;
- binding laws and regulations on information protection established by the competent authorities constitute top-priority requirements in the creation of products and services as well as in day-to-day activities;
- the controls put into place to guarantee information security must be identified in light of a rigorous and continuous risk management process;
- company personnel must be provided with training/information on information security and on the company processes put into place to guarantee it;
- the information security management system must be based on internationally recognised models and best practices and oriented towards continuous improvement.
To ensure compliance with the principles listed above and the achievement of objectives, the following specific policy has been developed for the management of information security risks:
- Information protection must be guaranteed by the systematic application of appropriate controls proportionate to the importance of the information to be protected;
- The controls must be determined through a risk management process designed and implemented on the basis of international standards (ISO 31000 and ISO/IEC 27005);
- Control effectiveness must be continuously monitored to identify opportunities for improvement;
- Internal and external stakeholders must be made aware of the effectiveness of the overall risk management process and consulted when necessary in the decision-making process;
- Risk management decisions should be entrusted to personnel with appropriate authorities and responsibilities, who must decide based on accurate risk weighting;
- The residual risks resulting from the risk weighting phase must meet the risk criteria defined by the management and, in any case, be fully compliant with applicable laws and regulations;
- Any information security incidents must be resolved promptly and trigger a risk re-assessment process;
- The identification and analysis of potential risks should be based on historical data within the organisation and information obtained from specialised sector fora and literature.