What is ISO 27001: Information Security Standard?

Javed Shah

As an information security standard, ISO 27001 can be beneficial to understand and comply with, but what exactly is ISO 27001?

What does ISO 27001 mean? ISO 27001 is a regulation for Information Security Management Systems, which explains physical and logical controls an organization should abide by to protect their information more methodically.

What Are ISO 27000 Standards?

The International Organization for Standardization (ISO) is an international organization dedicated to developing practical standards around technical and professional operations such that any organization can follow them.

The ISO 27000 series is one such group of standards published by the ISO to address cybersecurity concerns in private organizations. This series covers several approaches to cybersecurity, from IT and network security to auditor guidelines and industry-specific practices.

Some of the primary documents in this series, found in the earliest sequential publications, include:

  • ISO/IEC 27001, “Information technology – security techniques – information security management systems – requirements”: ISO 27001 covers the specifics of creating and implementing Information Security Management Systems (ISMS), which we will cover in more detail in this blog.
  • ISO/IEC 27002, “Information security, cybersecurity and privacy protection – information security controls”: A list of specific security controls that may be used as part of an ISMS.
  • ISO/IEC 27003, “information security management system implementation guidance”: As the title implies, this document guides on implementing ISMSs. More specifically, this will break down the requirements outlined in ISO 27001 to provide specifics on how to implement them in real-world enterprise situations.
  • ISO/IEC 27004, “Information technology – security techniques, information security management – monitoring, measurement, analysis, and evaluation”: This publication provides specific requirements and practices that enterprises using an ISMS would use to evaluate effectiveness. This practice includes creating metrics, measuring data, monitoring system components, and more.

These are just the tip of this iceberg, as the ISO 27000 series has over 60 individual publications. For the most part, however, ISO 27001 is the most commonly adopted standard.

What Is ISO 27001?

ISO 27001 is a standard for developing an ISMS, a unique designation for an organization-wide network of people, processes, rules, and technologies that promote security. These can include documented processes or informal practices for specific problems, but both will fall under an overarching management plan tailored to specific security goals.

What Is an Information Security Management System?

In the broadest sense, an ISMS focuses on addressing the so-called CIA triad of security concerns:

  • Confidentiality: That data remains confidential and secured against unauthorized disclosure.
  • Integrity: That data remains whole and unaltered due to malicious tampering or corruption through improper processing or technology failures.
  • Availability: That data remains accessible to authorized persons for business use or customer/client/patient support.

Furthermore, an ISMS will allow an organization to accomplish a set of objectives, including:

Identifying stakeholders in an organization to determine IT security expectations.
Identifying risks to technology and data security
Defining security controls to address concerns and expectations and mitigate risks
Setting security objectives organization-wide for IT systems
Implementing controls and mitigation efforts in line with security objectives
Measure and monitor controls for effectiveness
Improve controls in cases of new threats, breaches, or ineffective operation

The ISMS isn’t a specific set of technology, but the governance policies around what needs to be secured, how, by whom, and how effectively. The ISMS, therefore, should be able to address compliance and legal requirements, organizational and enterprise goals, and operational necessities like data usability and budget.

What Are the ISO 27001 Requirements?

The ISO 27001 documentation defines several requirements for an ISMS. These requirements are defined in this document, and any future documents take these requirements as a reference in helping an organization implement the ISMS.

The requirements of an ISMS are:

  • Context and Organization: Your organization must understand its own business context, including security needs, internal and external stakeholders, industry and regulatory standards, and potential fallout from ineffective security or data breach.
  • Leadership: Your organization must have the leadership to create, implement, and maintain an ISMS. This can include specific executives (CIOs, CTOs, CISOs), compliance officers, IT management, and stakeholders or their representatives.
  • Planning: Your organization should plan the ISMS with clear information (usually from knowledge fulfilling the first requirement). This can also include vulnerability scans, risk assessments, and other diagnostics.
  • Support: Your organization must be able to allocate and distribute resources to teams managing the ISMS. This includes having the ability to communicate with team members, create organization-wide policies and education, and distribute guides, documentation, and best practices.
  • Operation: All processes for any aspect of the ISMS must be implemented and controlled. This includes implementing risk assessments for those processes.
  • Evaluation: Your organization must monitor, analyze, and assess the ISMS during its operation. This calls for internal audits and reviews.
  • Improvement: Based on the results of any internal tests, measurements, or audits, your organization should be able to implement changes and improvements, including system upgrades, retirement and replacement of equipment, changes to policies, or mitigation efforts following breaches.

The 14 Domains of ISO 27001

Finally, the requirements of ISO 27001 will cover 14 specific domains, including several control categories, of security and operations in your organization. These domains include:

  • Information Security Policies, or aligning security policies with company goals
  • Information Security Organization, or the establishment of management and personnel structures and maintaining the security of tools used by those teams.
  • Human Resource Security, or securing personnel and data involved in HR operations.
  • Asset Management, or the identification, classification, and protection of governed assets – including data and processing resources.
  • Access Control, or maintaining restricted access to processing and data resources for only authorized users related to their role in the organization.
    Cryptography, or the obfuscation of data at rest or in transit.
  • Physical and Environmental Security, or protecting physical processing facilities against damage, theft, or disaster.
  • Operations Security, or the safeguarding of processing facilities against unauthorized access or data loss.
  • Communications Security, or data protection as it moves through business networks.
  • System Acquisition, Development, and Maintenance, or the securely strategizing and planning of acquiring, expanding, and retiring system equipment.
  • Supplier Relations, or analyzing third-party vendor relationships and agreements
  • Information Security Incident Management, or detecting and responding to security issues as they happen.
  • Information Security Aspects of Business Continuity, or ensuring that security measures will remain effective in cases of business disruptions.
  • Compliance, or integrating any regulations or frameworks specific to business or industry operations.

Stay On Top of ISO 27001 Certification with 1Kosmos

While ISO 27001 isn’t a mandatory regulation, it is a strong and productive framework around which organizations should build their cybersecurity and compliance efforts. It touches on several baseline security elements considered best practices across most industries.

One of these best practices is authentication, and like many frameworks, ISO 27001 calls for strong authentication that includes multi-factor approaches or better.

1Kosmos BlockID provides this level of security with the following features:

  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Ready to learn more? Give our passwordless authentication a try with our free demo. Easily demo our app experience in 3 steps.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.