
Certifications

Uppwise’s Information Security Management System Achieves Global ISO 27001 Certification

ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practices in data protection and cyber resilience are covered by more than a dozen standards in the ISO/IEC 27000 family. Together, they enable organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by third parties.
Achieving certification confirms that Uppwise’s ISMS has been designed to conform with the requirements of the ISO/IEC 27001:2013 standard. The certification audit determined that we have both the capability and an implemented system to manage compliance with statutory, regulatory, and contractual requirements.

Information Security Management Policy

Company policy requires that, in line with the company mission, the management of all company processes be set up according to the rules of the Management System, which is applied in accordance with the ISO/IEC 27001:2013 standard.

 

PURPOSE AND OBJECTIVES

Uppwise’s management has defined, disseminated and is committed to maintaining this Information Security Management policy at all levels of its organization.
The purpose of this policy is to ensure the protection of the information handled in the context of the company’s activities from all threats, internal or external, intentional or accidental, in accordance with the indications provided by the ISO/IEC 27001 standard and by the guidelines contained in the ISO/IEC 27002 standard, in their latest versions.

 

FIELD OF APPLICATION

This policy applies without distinction to all bodies and levels of the Company.
The implementation of this policy is mandatory for all personnel and must be included in the terms of agreements with any external party who, for whatever reason, may be involved in the processing of information that falls within the scope of application of the Management System (ISMS).
The company permits the external communication and dissemination of information only where required for the proper performance of company activities, and always in compliance with mandatory rules and regulations.

 

INFORMATION SECURITY POLICY

The information assets to be protected consist of all the information managed through the services provided and located in all company offices.
It is necessary to ensure:

  • the confidentiality of the information: that is, the information must be accessible only by those who are authorized.
  • information integrity: that is, protecting the accuracy and completeness of information and the methods for processing it.
  • the availability of information: that is, that authorized users can actually access the information and related assets when they request it.

The lack of adequate levels of security can lead to damage to the corporate image, lack of customer satisfaction, the risk of incurring penalties related to the violation of current regulations as well as damages of an economic and financial nature.

An adequate level of security is also essential for sharing information.

The company identifies all security needs through risk analysis, which provides awareness of the level of exposure of its information system to threats. The risk assessment makes it possible to evaluate the potential consequences and damages that may result from the failure to apply security measures to the information system, and the realistic probability that the identified threats will materialize.

The results of this assessment determine the actions necessary to manage the identified risks and the most suitable security measures.
The general principles of information security management embrace various aspects:

  • There must be a constantly updated catalog of corporate assets relevant to information management and a manager must be identified for each one. Information
    must be classified according to its level of criticality, so as to be managed with consistent and appropriate levels of confidentiality and integrity.
  • To ensure information security, every access to the systems must undergo an identification and authentication procedure. Information access authorizations must be
    differentiated according to the role and tasks covered by individuals, so that each user can access only the information he needs, and must be periodically reviewed.
  • Procedures must be defined for the safe use of corporate assets and information and their management systems.
  • Full awareness of information security issues must be encouraged in all personnel (employees and collaborators) starting from the moment of selection and for the entire duration of the employment relationship.
  • In order to be able to handle incidents in a timely manner, everyone must report any security-related issues. Each incident must be managed as indicated in the procedures.
  • It is necessary to prevent unauthorized access to offices and individual company premises where the information is managed and the security of the equipment must be
    guaranteed.
  • Compliance with legal requirements and information security principles in contracts with third parties must be ensured.
  • A continuity plan must be set up that allows the company to deal effectively with an unforeseen event, guaranteeing the restoration of critical services in time and with methods that limit the negative consequences on the company mission.
  • Security aspects must be included in all phases of design, development, operation, maintenance, support and decommissioning of IT systems and services.
  • Compliance with the provisions of the law, statutes, regulations or contractual obligations and with any requirement relating to information security must be guaranteed, minimizing the risk of legal or administrative sanctions, significant losses or damage to reputation.

 

RESPONSIBILITY FOR COMPLIANCE AND IMPLEMENTATION

Compliance with and implementation of the policies are the responsibility of:

  1. All personnel who, in any capacity, collaborate with the company and are in some way involved with the processing of data and information that fall within the scope of
    the Management System. All personnel are also responsible for reporting all anomalies and violations of which they become aware.
  2. All external parties who maintain relationships and collaborate with the company. They must ensure compliance with the requirements contained in this policy.
  3. The Management System Manager who, within the scope of the Management System and through appropriate rules and procedures, must:
  • conduct risk analysis with the appropriate methodologies and adopt all risk management measures required for company activities;
  • verify security breaches, take the necessary countermeasures and control the company’s exposure to key threats and risks;
  • organize training and promote staff awareness of everything related to information security;
  • periodically check the effectiveness and efficiency of the Management System.

Any employee, consultant or external collaborator of the Company who, intentionally or negligently, disregards the established security rules and thereby causes damage to the Company may be prosecuted before the appropriate authorities, in full compliance with legal and contractual obligations.

 

REVIEW

Management will check the effectiveness and efficiency of the Management System periodically and regularly, or in conjunction with significant changes, in order to ensure adequate support for the introduction of all necessary improvements and to foster a continuous process through which the policy is controlled and adjusted in response to changes in the corporate environment, the business and legal conditions.
The Management System Manager is responsible for reviewing the policy. The review should verify the status of preventive and corrective actions and adherence to the policy.
The review must take into account all changes that may affect the company’s approach to information security management, including organizational changes, the technical environment, resource availability, legal, regulatory or contractual conditions and the results of previous reviews. The result of the review shall include all decisions and actions relating to the improvement of the company’s approach to information security management.

 

MANAGEMENT COMMITMENT

Management actively supports information security in the company through clear direction, clear commitment, explicit assignments and acknowledgment of responsibilities related to information security.
Management’s commitment is implemented through a structure whose tasks are to:

  • ensure that all information security objectives are identified and meet business requirements;
  • establish corporate roles and responsibilities for the development and maintenance of the ISMS;
  • provide sufficient resources for the planning, implementation, organization, control, review, management and continuous improvement of the ISMS;
  • check that the ISMS is integrated into all company processes and that procedures and controls are effectively developed;
  • approve and support all initiatives aimed at improving information security;
  • activate programs for the dissemination of information security awareness and culture.

Milan, 04/05/2022