IAF Members' news

ISO/IEC 27001 and NIST CSF: The Italian Project to Improve Cybersecurity With an Integrated Framework

Cybersecurity is a strategic priority for organizations in every sector. With the growing number of cyber threats and the increasing attention of institutions to data protection, companies must adopt solid management systems, preferably internationally recognized.

In this context, a new “Reference Practice” (PdR) project has been launched in Italy, promoted by Accredia (Italian Accreditation Body) and UNI (Italian Standardization Body) in collaboration with the CINI Cybersecurity National Lab (National Laboratory for Cybersecurity of the National Interuniversity Consortium for Informatics), UNINFO and other institutions. The objective is to produce a document that implements the convergence and harmonization of ISO/IEC 27001:2022/Amd 1:2024 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.

The integration of these two models represents a significant step for companies that wish to improve their digital resilience. The ISO/IEC 27001 standard, already widely adopted worldwide and in Europe, provides a prescriptive and detailed normative framework for information security management. The NIST Cybersecurity Framework 2.0, on the other hand, offers a more flexible approach, adopted by many companies in the United States. The convergence of these two references makes it possible to create a more effective and structured information security management system, capable of delivering concrete advantages to those who adopt it.

One of the key elements of the PdR is the creation of a Cyber-Information Security Management System (C-ISMS), a management system that combines the principles of information security with a dynamic approach to cybersecurity. The strength of this model lies in the harmonization of two different but complementary philosophies: on the one hand, ISO/IEC 27001 establishes clear requirements for the establishment, maintenance and continual improvement of a certifiable management system; on the other hand, the NIST CSF offers greater flexibility, allowing organizations to adapt their cybersecurity strategies to their risks and to what they consider their internal needs.

One of the most important aspects of the PdR is the possibility for companies to obtain an accredited certification, an added value that gives the adopted management system greater credibility and reliability. Accreditation ensures that the certifications obtained effectively comply with international standards, ruling out superficial assessments or assessments that are not aligned with the regulatory criteria. Choosing an accredited certification body means relying on an objective guarantee of the quality and effectiveness of cybersecurity management.

For companies, an accredited certification represents a strategic advantage not only in terms of security but also of competitiveness. In a market where trust is essential, being able to demonstrate compliance with high standards of IT security becomes a differentiating factor.

Firstly, it allows companies to demonstrate greater reliability and transparency towards customers, partners, suppliers and stakeholders, strengthening the trust in and reputation of the organization. Risk management becomes more effective thanks to a structured approach based on international best practices, allowing companies to prevent cyber incidents and to minimize damage in the event of a breach.

Another fundamental aspect is access to new market opportunities. Certified companies will be able to participate more easily in public tenders and contracts that require high standards of IT security. In addition, the harmonization between the European standard and the American framework simplifies the compliance process for organizations operating on a global scale, reducing the risk of having to implement different standards depending on the target market.

The adoption of the new PdR also leads to greater operational efficiency. Cybersecurity management becomes more structured and less fragmented, reducing the costs of implementing and maintaining protection systems. Furthermore, thanks to a risk-based approach, companies can optimize resources, focusing on the most critical vulnerabilities and efficiently implementing appropriate controls.

[Extract from an article written by Riccardo Bianconi and Angelo Del Giudice, Accredia’s assessors, for the Italian magazine Agenda Digitale https://www.agendadigitale.eu/]