Today in Italy there are just under 3,500 companies that can exhibit the ISO/IEC 27001 certification for information security, a very limited number in absolute terms but one still growing by 21% year on year. These data "green passes" are issued by 20 accredited bodies, while there are five test laboratories appointed to carry out "vulnerability assessments" and about 700 professionals currently certified as Data Protection Officers.

Accredia, the single national accreditation body designated by the Italian government (active since 2002 with the task of certifying the competence of the laboratories and bodies that verify the compliance of products, services and professionals with the reference standards), has published an Observatory created together with the Cybersecurity National Lab of CINI, the inter-university Consortium for information technology, to verify the contribution and benefits that certification brings to the quality of defense systems against the action of cybercriminals.

To do this, two samples of public and private companies were examined and their respective websites analyzed, verifying the number of known vulnerabilities, the correct use of the HTTPS protocol, and the update and security level of the content management platform.
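The three checks the paragraph lists (known vulnerabilities, correct HTTPS use, currency of the CMS) can be expressed as an offline hygiene check over captured responses. The script below is an added example, not the Observatory's own tooling or methodology: it evaluates constructed HTTP and HTTPS responses for a site, flags a missing HTTP-to-HTTPS redirect, a missing or short-lived HSTS header, and a CMS generator tag whose version is below an assumed minimum, then totals findings across two constructed clusters in the way the study compares certified and non-certified sites. The minimum CMS versions, the HSTS threshold and all sample responses are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Assumed minimum CMS versions for the "updated platform" check. Placeholder
# thresholds chosen for this example, not figures from the article or the study.
MIN_CMS_VERSION = {"wordpress": (6, 0, 0), "joomla": (4, 0, 0)}
MIN_HSTS_MAX_AGE = 15768000  # roughly six months; an assumed threshold


@dataclass
class Response:
    """One captured HTTP response (constructed for this example)."""
    status: int
    headers: dict
    body: str = ""


def header(resp, name):
    """Case-insensitive header lookup, since header names are not case-sensitive."""
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_version(text):
    """'6.4' -> (6, 4, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) if parts else None


def check_site(http_resp, https_resp):
    """Return a list of finding codes for one site's HTTP and HTTPS responses."""
    findings = []

    # 1. The plain-HTTP endpoint should redirect (3xx) to an https:// URL.
    loc = header(http_resp, "Location") or ""
    if not (300 <= http_resp.status < 400 and loc.lower().startswith("https://")):
        findings.append("http_not_redirected_to_https")

    # 2. The HTTPS response should pin clients to TLS with HSTS.
    hsts = header(https_resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing_hsts")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("weak_hsts_max_age")

    # 3. A CMS generator tag disclosing a version below the assumed minimum.
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]*)"', https_resp.body, re.I)
    if m:
        name, _, ver_text = m.group(1).strip().partition(" ")
        key = name.lower()
        ver = parse_version(ver_text)
        if key in MIN_CMS_VERSION and ver is not None and ver < MIN_CMS_VERSION[key]:
            findings.append(f"outdated_cms:{key}:{'.'.join(map(str, ver))}")
    return findings


def compare_clusters(cluster_a, cluster_b):
    """Total findings per cluster and the relative reduction of A versus B,
    mirroring the study's comparison of certified against ISO 9001-only sites."""
    total_a = sum(len(check_site(*site)) for site in cluster_a)
    total_b = sum(len(check_site(*site)) for site in cluster_b)
    reduction = (total_b - total_a) / total_b if total_b else 0.0
    return total_a, total_b, round(reduction, 3)


# Constructed sample exchanges (not real sites).
GOOD_HTTP = Response(301, {"Location": "https://example.test/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                      '<html><head><meta name="generator" content="WordPress 6.4.2"></head></html>')
BAD_HTTP = Response(200, {"Content-Type": "text/html"}, "<html>served in clear</html>")
BAD_HTTPS = Response(200, {"Content-Type": "text/html"},
                     '<html><head><meta name="generator" content="WordPress 5.8.1"></head></html>')

# Two constructed clusters: three sites each.
CERTIFIED = [(GOOD_HTTP, GOOD_HTTPS), (GOOD_HTTP, GOOD_HTTPS), (BAD_HTTP, GOOD_HTTPS)]
ISO9001_ONLY = [(GOOD_HTTP, GOOD_HTTPS), (BAD_HTTP, BAD_HTTPS), (BAD_HTTP, BAD_HTTPS)]

if __name__ == "__main__":
    print(check_site(BAD_HTTP, BAD_HTTPS))
    print(compare_clusters(CERTIFIED, ISO9001_ONLY))
```

On the constructed clusters the certified group totals 1 finding against 6 for the other, a relative reduction of 0.833; the real study's figure of 23% came from 1,207 vulnerabilities across its two samples, and the scoring here is deliberately coarse (one point per finding) so that the weighting, not the mechanics, is what a practitioner would adapt.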

The fact that immediately leaps to the eye is that organizations (companies and institutions) with a certified information security management system are exposed to cyber attacks to an extent 23% lower than those holding only the ISO 9001 quality certification: of the 1,207 web-service vulnerabilities found, 524 belonged to the first cluster and 683 to the second.

Certification also has the advantage of producing lasting benefits in the company that are not limited to better management of IT risk. From the qualitative analysis, which involved some large Italian companies including Poste and the Iccrea Group, it emerged that the effort to adapt the organization to certification produced, in the medium and long term, a profound improvement in business processes (homogenization, monitoring, performance evaluation, auditing and more) and at the same time stimulated the growth of a security culture.