ISO 27001 and Substitutive Conservation

With the publication of AgID Circular n. 65/2014 in the Official Gazette n. 89 of 16 April 2014, the new procedures for the accreditation and supervision of public and private entities that carry out IT document conservation activities come into force.

Conservators who intend to obtain recognition that they meet the highest-level requirements for quality and safety apply for accreditation from the Agency for Digital Italy.

As a reminder, electronic storage is a legal/IT process regulated by Italian law that can guarantee the legal validity over time of an IT document, understood as a representation of deeds, facts and data on a paper or IT medium.

Under certain conditions, substitutive conservation equates paper documents with electronic ones and should allow companies and the public administration to save on printing, storage and archiving costs. Savings are particularly high for documentation which, by law, must be kept for several years.

Storing digitally means replacing paper documents, which by law some legal entities are required to keep, with the equivalent document in digital format, which is "blocked" in form, content and time through the digital signature and timestamp. It is in fact digital signature technology that attributes authorship to an IT document and makes it unchangeable; the accompanying timestamp then allows the digital document produced to be dated with certainty.


Public or private subjects who carry out conservation activities and who intend to obtain accreditation with AgID pursuant to art. 44-bis, paragraph 1, of the legislative decree 7 March 2005, n. 82 (Digital Administration Code) must meet the quality and safety requirements summarized below:
  • compliance with the ISO/IEC 27001:2013 standard, also referred to by the aforementioned DPCM and which concerns the requirements of an ISMS (Information Security Management System), is attested by the certificate issued by an accredited Certification Body and sent to the Agency for Digital Italy by the registrar. The certifications already issued in relation to ISO/IEC 27001:2005 are considered valid until the foreseen validity term, and in any case no later than 1 October 2015;
  • adoption of the UNI 11386:2010 Standard SInCRO regarding the methods of descriptive structure of the index of the archiving system package;
  • adoption of the ISO 14721:2002 OAIS standard (Open Archival Information System), Open information system for archiving, and the recommendations ETSI TS 101 33-1 V1.1.1 (2011-05), Requirements for creating and managing secure and reliable systems for the electronic storage of information.


Substitutive conservation is therefore a new way of managing information.
Information must be considered a fundamental element of company management, without which business cannot be carried out. It is therefore advisable that the information handled through electronic storage is protected, secured and safeguarded.

When we speak in general of "Information Security" we refer to a multiplicity of technical, organizational and procedural aspects that tend to protect hardware, software, information and services.

In particular, with regard to information, the main characteristics that must be protected are:
  • privacy (or confidentiality), which tends to guarantee that information cannot be accessed by unauthorized parties, either intentionally or accidentally;
  • integrity, which tends to guarantee that the information cannot be subjected to unauthorized alterations, whether accidental or intentional;
  • availability, which aims to ensure that authorized parties can effectively access information whenever necessary, even in the presence of accidental impediments or in the presence of deliberate hostile actions that tend to prevent access.

An Information Security Management System compliant with the ISO/IEC 27001 standard is a tool through which an organization can demonstrate that it is capable of globally protecting its information assets (or that of third parties entrusted to it).

Information Security Management helps to:
  • ensure the protection of corporate data and information
  • maintain business continuity of the service
  • minimize damage resulting from any accidents
  • maximize the return on invested capital
  • maximize opportunities for improvement
  • provide evidentiary validation of certified processes.

In this context, the ISO/IEC 27001 standard can become a reference for the correct management of the risks associated with the loss of confidentiality, integrity and availability of the information managed and for the correct identification of the technological, organisational, regulatory and procedural countermeasures to be adopted for the mitigation of these risks.


CSQA Certificazioni, a leading national certification body in the food sector, has also been operating for a decade with a division specialized in the Information Technology sectors.

It is ACCREDIA accredited for issuing certifications:
