
ISO/IEC 27001:2023 — Information Security Management System

International standard for information security management. IESolution is ISO 27001:2023 certified. Annex A controls applied to an insurance PAS.

IESolution is ISO/IEC 27001:2023 certified

IESolution is ISO/IEC 27001:2023 certified — the most recent edition of the international standard for information security management. The certificate covers the entire NewPicass 14.Net software lifecycle (design, development, hosting, support). The 93 Annex A controls of the 2023 revision are applied with documented and audited SoA (Statement of Applicability). Annual surveillance passed; triennial recertification scheduled. The certificate is a starting point for the insurer's CISO doing vendor due diligence, and is recognised by IVASS and European regulators as positive evidence of security maturity.

Key Annex A controls

The 93 ISO 27001:2023 controls applied to a PAS

A.5.7 · Threat intelligence
Subscription to CERT-Finance and ENISA feeds, annual threat modeling, continuous IOC monitoring.

A.5.23 · Cloud Security · Cloud services security
Documented cloud architecture, Shared Responsibility Model with cloud provider, cloud-native hardening.

A.5.30 · BC/DR · ICT readiness for business continuity
Quarterly tested BCP, annual live DR test, documented RPO/RTO, supplier dependency mapping.

A.8.10-A.8.12 · Data protection · Deletion, masking, DLP
Verifiable deletion workflow, sensitive-data masking in non-prod, DLP egress monitoring.

A.8.24 · Cryptography & key management
TLS 1.3 in transit, AES-256 at rest, HSM-based key management, periodic key rotation.

A.8.28 · Secure coding · Secure development lifecycle
SAST/DAST in CI/CD pipelines, mandatory code review, dependency scanning, OWASP Top 10 awareness, pre-deploy security gates.

Facts

ISO 27001 in numbers on IESolution

93 Annex A controls applied (all documented in the SoA)
2025 certification year (2023 edition of the standard)
1× per year surveillance audit (accredited certification body)
3 years recertification cycle (extended full audit)
FAQ

Frequently asked questions on ISO 27001

What is ISO/IEC 27001:2023 and what does it guarantee?

ISO/IEC 27001 is the international standard for information security management (ISMS, Information Security Management System). The 2023 revision introduces 93 Annex A controls (versus 114 in the 2013 edition) organised in 4 themes: organisational, people, physical, technological. It guarantees that the certified company has a documented ISMS, risk management, applied and monitored controls, continuous improvement and periodic audits. It is recognised by regulators (including IVASS) as strong evidence of security maturity.

When did IESolution obtain the 2023 certification?

ISO/IEC 27001:2023 certification was obtained in February 2025 (Audiso Certification, certificate No. I520, valid 07-02-2025 → 06-02-2028), with annual surveillance scheduled. The certificate was issued by Audiso Certification, an accredited certification body. The scope covers the entire NewPicass 14.Net software lifecycle: design, development, hosting, support. The public certificate is available on request and in the Trust Center.

Which Annex A controls are critical for an insurance PAS?

Highest-impact ones for our context: A.5.7 Threat intelligence, A.5.23 Cloud information security, A.5.30 ICT readiness BC/DR, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.23 Web filtering, A.8.24 Cryptography, A.8.28 Secure coding. All 93 documented in the SoA (Statement of Applicability) shareable under NDA.

How does the annual surveillance audit work?

The certification body conducts an annual surveillance audit (2-3 days, on-site plus documentary review) to verify that the ISMS is maintained: control sampling, risk-treatment verification, audit log, incident management, training. Every 3 years an extended recertification audit is carried out. Minor non-conformities are closed with an action plan; major non-conformities suspend the certification.

How can my insurer use your certification?

For vendor due diligence: our ISO 27001:2023 certificate replaces many of the security questionnaires insurers normally fill in. SoA, internal audit report and pen-test results are the standard due-diligence package for the insurer's CISO. The public certificate is verifiable with Audiso Certification. For specific audits (e.g. a Lloyd's coverholder audit on IT requirements) the ISO certification is a positive starting point.

Do you also have SOC 2 Type II?

Yes, complementary to ISO 27001. SOC 2 Type II covers the 5 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) with a retrospective audit over 12 months. The SOC 2 report is available under NDA for enterprise customer due diligence. Difference from ISO: ISO certifies the management system, SOC 2 attests that the controls were actually operating during the audit period.

Compliance check · 45 minutes

Audit your ISO 27001 compliance with us

45 minutes with a compliance engineer. We walk through the platform's coverage on this framework and identify the gaps you still need to close on your side.