ISO/IEC 27001 Certification

In this vlog, 1Kosmos CMO, Michael Cichon, and COO, Huzefa Olia, discuss the ISO/IEC 27001 Certification, why certifications are important and what certifications 1Kosmos is looking to obtain in the future.

Michael Cichon:
All right. Well, hello everybody. This is Michael Cichon, the chief marketing officer at 1Kosmos. I’m here today with Huzefa Olia, our chief operating officer. Huzefa welcome to our vlog. How are you today?

Huzefa Olia:
Good. Thank you for having me Michael.

Michael Cichon:
Well, I’m glad we could cut out time because just recently 1Kosmos announced the ISO 27001 Certification, and I know you had lots to do with that. Let’s start off with what is ISO 27001?

Huzefa Olia:
So ISO 27001 is a certification. This is a certification that is issued by ISO, International Standards Organization. They basically help organizations manage security of their information asset. So the entire umbrella of ISO 27001 is around how do organizations manage information security? And they provide a management framework as well, which they call ISMS, Information Security Management Systems. And that is primarily to do with managing the confidentiality, integrity and availability of all corporate data. This includes financial information, information with respect to HR, any third party related information and especially something which is very related to a SaaS provider like us, any information that we manage for our customers and partners.

Michael Cichon:
Excellent.

Huzefa Olia:
This entire process goes through a certification. The certification is done by an accredited third party certification body. They gather evidence and provide the necessary evidence, if it’s a customer of ours or investor or any other interested parties around how we are managing our information security, according to the best practices that have been defined by ISO 27001.

Michael Cichon:
Got it. All right. So at 1Kosmos, we’re amassing quite a few certifications here. We have the platform certified by FIDO2 and by Kantara for the NIST 800-63-3 guideline. This is a company certification, not a product certification. So why is this important?

Huzefa Olia:
So the most important reason is, I would say to protect us from any kind of a security threat. These can be any security threats from outsiders, from data breaches that may happen, as well as any internal actors that may cause any errors or any mistakes. So ISO 27001 Framework ensures that we have the tools in place that also goes across all the three pillars of cybersecurity, people, process and technology and making sure that we have our documented best practices, as well as fail safes in place to avoid any mistakes that may happen.

Huzefa Olia:
The other area is also to improve, I would say, structure and focus in an organization. Most often, what happens is information security is defined but it gets forgotten or it goes into the background. When you are certified with ISO 27001, it makes sure that information’s security becomes part of your daily operation. Any function that you’re performing, it is with the mindset of information security, we are responsible for it as well. And every year we go through risk assessment that is being conducted again by a third party to make sure that we are conforming to the standard as well.

Huzefa Olia:
And then there are other areas as well. I mean, we are very, very thankful for our partners who work with us. And this certification is also to show that the trust that our customers, as well as partners have shown with us. So if there are cyber attacks that are happening, most of the organizations are in headlines because of that. And having an organization like 1Kosmos, which is ISO 27001 certified, it follows ISMS. it means that we are taking information very, very serious.

Michael Cichon:
Got it.

Huzefa Olia:
And the last point I would make is more with respect to compliance. This entire framework is based on best practices. And it takes into account lot of common best practices which are there in GDPR, HIPAA and multiple different regulation. So again, it made sure that we are not going to be in non-compliance with data protection requirements, which are mentioned in any of these different regulations.

Michael Cichon:
I’ve worked for several companies that haven’t bothered to get ISO certified. So what’s the role of this ISO 27001 certification in terms of supporting a high growth company as we are.

Huzefa Olia:
Yeah. It goes back to the point that again, information security would become very much central to the court of everything that we would do. When it comes to onboarding an employee or onboarding a contractor, we want to make sure that we have the right security pieces in place. When it comes to any of our cloud operations that we would do again, they would be based on our best practices. When it comes to designing any of the functionality, it’s again based on best practices and standards.

Huzefa Olia:
So if you notice every aspect of our organization is following the guidelines as well as best practices that have been defined by this particular certification. And most important, for us is that it’s not something like a policy that’s been written once and forgotten. We are making sure that we are managing this on a day to day basis, as well as annually all of this process are reviewed by a third party who come in and certify us and let us know that how we are managing our own internal policies when it comes to this particular standard offered.

Michael Cichon:
Okay. All right. So how does this impact operations?

Huzefa Olia:
Great question. So it means that our best practices that we have documented, they systemized right to support a high growth organization like ours. We have eliminated any variances from our processes. We ensure that all our processes across all our different functions and departments are templated and documented. Now, all of this also is collected as evidence, which is reviewed by a third party on an annual basis for conformance. So on an annual basis, we are always looking the process that we have in place, evidence that has been collected. And then we are making changes to improve efficiency as well.

Michael Cichon:
Got it. Okay. With this one all wrapped up what’s what’s next?

Huzefa Olia:
So our cycle for certification still continues. We are looking at getting SOC 2 Type 2 Certified. It’s going to be coming in the early part of the next year. We are also looking at certifications for our biometrics capabilities, but they’re very, very integral to our offer. We are FIDO2 certified today. We are IAL as well as AAL certified but then we want increasing certifications based on all of these accredited bodies as well.

Michael Cichon:
That’s awesome. Sounds all very interesting. So I appreciate you taking time to talk to us today Huzefa.

Huzefa Olia:
Thank you. Thanks for your time.

Overcoming Resistance to Change on the Journey to Passwordless MFA

Read More