Over the last few years, there has been a push to obtain cloud computing solutions at almost every turn. A plethora of companies continue to provide cloud services to their existing clientele; however, much of the federal clientele remains untouched. The Federal Risk and Authorization Management Program (FedRAMP) provides the ability for companies to follow a standardized approach in terms of security assessments, authorizations, and continuous monitoring of cloud products and services offered to the federal government.
While companies get excited over the opportunity to expand their business domestically, they also want to stay versatile when it comes to providing security assurance internationally. ISO 27001 happens to be a globally-recognized certification process that provides companies with the opportunity to demonstrate their commitment to information security.
A FedRAMP assessment and an ISO 27001 certification have the following similarities:
- Both provide independent assurance on programmatic and technical controls that are designed and implemented to meet a specific set of requirements or criteria.
- Both allow a cloud provider to gain significant advantage over competitors.
- Both cover a broad and common control set. FedRAMP focuses on NIST 800-53 Rev 4 whereas ISO 27001 focuses on the control set within Annex A of the standard. (Hint – you can find a mapping of these controls in the NIST 800-53 standard!)
- Both assessments support the idea of continual improvement.
- The ISO 27001 certification requires two years of surveillance reviews after the initial certification review to verify that the information security management system (ISMS) maintains its conformance, including the activity of continual improvement.
- FedRAMP requires continuous monitoring, which includes an annual assessment as well as quarterly submissions of scans and other reports, to confirm that controls are operating consistently.
A FedRAMP assessment and an ISO 27001 certification have the following differences:
- The ISO 27001 certificate supports the organization’s conformance to the ISO 27001 standard requirements. Controls, while important, are not as critical as the company’s ability to identify risk and implement its own controls.
- The FedRAMP Authority to Operate (ATO) indicates that a vendor has successfully completed the FedRAMP assessment process and an agency customer has authorized the system for use according to the Risk Management Framework (RMF). The assessment analyzes how a provider has implemented the underlying NIST 800-53 security controls and test cases. As such, a successful FedRAMP assessment should not be referenced as a “certification.”
- Additionally, the NIST 800-53 standard includes almost three times as many controls for a moderate implementation.
- The ISO 27001 certification is issued for a three-year term and is intended to cover an “active” management system. FedRAMP is based on an assessment with the objective of demonstrating that the organization had effective controls during a historic period.
- The FedRAMP assessment focuses soley on cloud service providers hat have a desire to provide cloud services to the US government. The ISO 27001 certification is can be applied to any type of business, in any industry and any part of the world that requires an independent assessment of their information security management system.
So, who is the winner?
In short, the cloud customer. FedRAMP is a must-have for the federal cloud space and probably the most comprehensive assessment performed.
ISO 27001 certification, while a lessor impact assessment, requires a program centric preparation that is unique to traditional control audits. Never-the-less, ISO 27001 provides the opportunity for companies to be recognized worldwide to communicate their active commitment to information security.
Many of Schellman’s cloud provider clients undergo both, enjoying the benefits of working with a single independent assessment firm.