ISO 27001 certification process of Electronic Invoice in the State of Minas Gerais

Abstract

This paper presents the process by means of which the Secretariat of Finance of the State Minas Gerais intends to get an ISO 27001 certification of the Electronic Invoice authorization. In 2007, the Secretariat of Finance of Minas Gerais started the project of Electronic Invoice - NF-e, which involves replacing the conventional invoice, on paper, by a document issued and stored electronically that exists only digitally. The purpose of the Electronic Invoice is documenting the movement of goods occurring between the seller and the buyer, which is subject to State taxes. The legal validity of the Electronic Invoice is guaranteed by the issuer's digital signature and by the reception of the data by Secretariat of Finance of Minas Gerais before of the movement of the goods . The information technology architecture of the Electronic Invoice authorization process of the Secretariat of Finance of the State of Minas Gerais is intended to ensure three basic objectives: 1) availability; 2) scalability and 3) elimination of single point of failure. So, the Secretariat of Finance of the State Minas Gerais concluded that the ISO 27001 certification of the information technology production environment, undergoing evaluation by external entities, namely, certification bodies, would demonstrate explicitly the commitment of the State of Minas Gerais with the general public and entrepreneurs who are based in the Minas Gerais and with those who intend establish themselves in the State of Minas Gerais in near future. This work presents some of the difficulties faced by the Secretariat of Finance of the State Minas Gerais during the preparation for the ISO 27001 certification, which is a major step to ensure the security requirements of information assets that are critical to the business. To the best of our knowledge this is the first ISO 27001 certification process of the Electronic Invoice authorization in Brazil, and the first ISO 27001 certification process in the executive branch of the direct administration in Brazil, in all three levels of government.