Integrated Management System for Quality and Information Security
Introduction
Omnia BPM Srl, given the nature of its activities, considers the quality and security of information an indispensable factor for the protection of its information assets and a factor of strategic value that can easily be transformed into a competitive advantage.
For this reason, the Management of Omnia BPM Srl has defined, disseminated and is committed to keeping active at all levels of its organisation this policy for the implementation of an Integrated Quality and Information Security Management System.
Aim and Objectives
The purpose of this policy is to guarantee the quality of its products and/or services in accordance with the provisions of ISO 9001:2015, as well as to safeguard and protect against all threats, whether internal or external, intentional or accidental, to information within the scope of its activities in accordance with the guidelines contained in the ISO/IEC 27001:2022 standard.
In this way, Omnia BPM Srl aims to guarantee an adequate level of data and information security in the design, development and delivery of corporate services, through the identification, assessment and treatment of the risks to which the services themselves are subject.
The Integrated Quality and Information Security Management System defines a set of organisational, technical and procedural measures to ensure that the basic information security requirements listed below are met:
- Confidentiality, i.e. the property of information to be known only to those who hold the privileges;
- Integrity, i.e. the property of information to be modified only and exclusively by those who hold the privileges;
- Availability, i.e. the property of information to be accessible and usable when requested by processes and users who hold the privileges.
Furthermore, with this Policy, Omnia BPM Srl intends to formalise the following objectives within the framework of the quality and security of information:
- identify and meet the requirements of customers, users and stakeholders;
- implement any action necessary to increase customer satisfaction;
- determine and select opportunities for improvement;
- exploit and reinforce the opportunities identified;
- improve the quality of services by identifying and assessing related risks, in the knowledge that this improves the effectiveness and efficiency of the services provided;
- plan its processes with a Risk-Based Thinking (RBT) approach in order to implement the most appropriate actions to assess and deal with the risks associated with those processes;
- understand customers’ needs and plan its activities to fully meet them;
- identify the different activities as processes to be planned, controlled and constantly improved, and at the same time activate the resources for their realisation;
- promote at all levels an appropriate sense of proactivity in managing its risks;
- best preserve the company’s image as a reliable and competitive supplier;
- protect its information assets;
- avoid delivery delays as much as possible;
- take measures to ensure staff retention and professionalisation;
- increase the level of security awareness and competence of its staff;
- fully comply with current and mandatory regulations;
- keep the management system adequate, efficient and effective in order to be able to adapt quickly to changing circumstances and/or constraints outside the organisation;
- make this Policy public and accessible;
- adapt this Policy to changes in industry regulations and to the needs arising from the requirements defined in the management system, with a view to continuous improvement.
Scope of application
This policy applies indiscriminately to all interested parties, internal and external to the organisation. Its implementation is compulsory for all personnel and must be included in the regulation of agreements with any external party that, for whatever reason, may be involved with the processing of information and the use of management software, falling within the scope of the Integrated Quality and Information Security Management System (IMS).
Omnia BPM Srl only allows information to be communicated and disseminated externally where this is required for the correct performance of company activities, which must be carried out in compliance with mandatory rules and regulations, as well as with the rules and security levels imposed by company management in the context of risk reduction.
Content of the Policy
The IMS applies to all analysis, design, development and maintenance activities, and to the services and data connected to them: all information that is created or used by Omnia BPM Srl is to be safeguarded and must be protected, according to the classification attributed to it, from its creation, during its use, until its deletion. Information must be handled securely, accurately and reliably and must be readily available for permitted uses. The term “use of information” is to be understood here as any form of processing that makes use of electronic or paper media or allows, in any form, verbal communication.
With regard to design and development, this system requires – in accordance with ISO/IEC 27001:2022 – that the Quality and Information Security Manager periodically perform a risk analysis that takes into account the strategic objectives expressed in this Policy, any incidents that may have occurred, and strategic, business and technological changes that have taken place.
The purpose of the risk analysis is to assess the risk associated with each asset to be protected against the identified threats. Management shares with the Head of Quality and Information Security the methodology to be used for risk assessment, approving the relevant document; in the methodology report, Management also participates in the definition of the value scales to be used to value the parameters that contribute to risk assessment.
Following the elaboration of the risk analysis, Management assesses the results obtained by approving the acceptable risk threshold, the treatment to mitigate risks above this threshold, and the residual risk remaining after treatment.
This analysis shall also be weighed against the business value of the individual assets to be protected, and shall clearly identify the actions to be taken, ranked according to a priority scale that respects the corporate objectives, the available budget and the need to maintain compliance with current regulations and laws. This analysis shall also be performed in the face of events that may change the overall risk profile of the system.
Responsibility
All personnel who, in any capacity, collaborate with the company are responsible for compliance with this policy and for reporting any anomalies, even if not formally codified, that come to their attention.
Quality and Information Security Manager: responsible for the design of the Integrated Quality and Information Security Management System and, in particular, for the following:
- issue all necessary procedures, including the type of classification of documents, so that the business organisation can conduct its activities in a secure manner;
- adopt criteria and methodologies for risk analysis and management;
- suggest organisational, procedural and technological security measures to protect the security and continuity of Omnia BPM Srl’s activities;
- plan a specific and periodic training course on quality and information security for staff;
- periodically monitor the exposure of corporate services to major threats;
- verify security incidents and take appropriate countermeasures;
- promote a culture of information quality and security.
All external parties who have relations with Omnia BPM Srl must ensure compliance with the information security requirements set out in this Policy, including by signing a “Confidentiality Pact” when the assignment is conferred (where this type of constraint is not expressly mentioned in the agreements).
Review
Omnia BPM Srl will periodically check the effectiveness and efficiency of the Integrated Quality and Information Security Management System, guaranteeing adequate support for the adoption of the necessary improvements. The aim is to activate a continuous process that monitors changes in business conditions or objectives so as to ensure that the system is correctly adapted to them.