In the world of security, there are many different frameworks that may be relevant or important to your plans. We’ve talked a lot about FedRAMP, the federal government’s security framework, but it’s only one of many options. Others, from HIPAA to FISMA to SOC2, can all have their role.
One of the biggest and most direct equivalents to FedRAMP is ISO 27001. What is it, how does it compare to FedRAMP, and which one should you use? Let’s talk about it.
Let’s start with a brief overview of FedRAMP. We’ll keep this short because, as mentioned, we’ve covered it extensively elsewhere on our site. For further reading, check out posts such as:
In brief, FedRAMP is the Federal Risk and Authorization Management Program. It’s a security framework developed by the federal government, built on a standard set of security controls that are defined, developed, and maintained by the National Institute of Standards and Technology (NIST). The most important NIST document to reference for FedRAMP is Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
FedRAMP is required of any cloud service provider that wishes to work as a contractor for the federal government or its agencies, and frequently of their subcontractors as well. Options such as FedRAMP Equivalency and the Low Impact Software as a Service impact level make the program easier to reach for cloud service providers with unusual circumstances.
The core goal of FedRAMP is to provide one cohesive, maintained, and updated security framework across the whole of the federal government. It serves as the minimum baseline for security authorization and for handling controlled unclassified information (anything classified or of greater sensitivity must adhere to even more rigorous standards).
ISO 27001 is a security standard framework published by ISO/IEC. ISO is the International Organization for Standardization, and IEC is the International Electrotechnical Commission. Together, they form an international governing body issuing security and compliance standards.
ISO 27001 is officially known as the Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems – Requirements framework. Even based on the name, you can tell that it broadly serves the same purpose as FedRAMP but is managed by a different organization.
Around the world, ISO 27001 is broadly known as one of the best standards for general information security management systems. It’s aimed at businesses of any size and is meant to provide a framework for security and authorization to address emerging technologies and, more importantly, emerging threats carried by those technologies.
The three core principles of ISO 27001 are known as the CIA Triad. No, it doesn’t have anything to do with the US CIA. It means Confidentiality, Integrity, and Availability.
You may recognize these if you’re familiar with FedRAMP. FedRAMP also rates impact along the same three axes: Confidentiality, Integrity, and Availability.
Does this mean that FedRAMP and ISO 27001 are essentially the same? Well, yes and no. While they have the same overall goal and purpose, and there is a lot of convergent evolution of the standards, they aren’t the same under the hood.
There are quite a few significant differences between FedRAMP and ISO 27001, despite their similar goal and construction.
The single biggest and most obvious difference between FedRAMP and ISO 27001 is who develops it. FedRAMP is developed and maintained on the basis of standards from the US Government’s NIST and is managed by the FedRAMP Program Management Office (PMO). It’s entirely a US Government framework and program, based on US Government standards and management.
In contrast, the ISO 27001 standard is built and maintained by an international organization – or rather, a pair of them. This broadly means that FedRAMP is the narrower standard; after all, the United States is only one country out of hundreds on the planet, even if its impact on global commerce is outsized.
Another difference between the two is whether or not they’re required.
FedRAMP is required of any cloud service provider that wishes to work with the US federal government. Outside the scope of working with the US federal government, FedRAMP is never going to be required. This is, in part, because it’s the federal government that manages FedRAMP authorization. The British government or the executive team of a business customer isn’t generally going to make a US federal authorization a prerequisite for working with them, after all.
ISO 27001 is not required by any law. However, as the largest, best-known, and best-governed security framework around the world, it’s commonly required in contracts and deals. Your customers might require ISO 27001 certification because they know it’s recognized around the world.
Another significant difference between FedRAMP and ISO 27001 is who reviews and governs your security standards and implementation.
For FedRAMP, you need to work with a government agency as a sponsor (or with the Joint Authorization Board, the JAB, for general-purpose authorization) and with a certified third-party assessment organization (3PAO). The sponsor effectively gives you permission to apply, and the 3PAO performs an audit and reviews your implementation. Once that’s done, documentation is produced and submitted to the Program Management Office, where it can be accepted or rejected. Acceptance means an Authority to Operate (ATO), allowing your organization to work with that federal agency (or with any agency that wishes to work with you, if you received a Provisional ATO from the JAB).
For ISO 27001, the process is broadly similar: you perform your own analysis of your security posture, plus a gap analysis to determine what you need to implement to reach the minimum standards. Most of the auditing, however, is done in-house. You need only one certification audit, performed by an accredited certification body, of which there are a limited number.
Another difference is how long certification and approval last. With ISO 27001, certification is valid for three years after it has been achieved. During that time, annual surveillance visits and smaller audits are performed to “spot-check” security and make sure you’re maintaining your security levels; every three years, you must complete a full recertification.
With FedRAMP, recertification is an annual process. A FedRAMP Authority to Operate is only valid for one year and needs to be refreshed each year. The process is slightly more rigorous than a spot-check audit, but generally less intensive than the initial authorization process.
Both ISO 27001 and FedRAMP require continuous monitoring and ongoing improvement along the way. This serves both to enforce a higher level of security and to make the audits and reassessments much easier, since all of the most relevant, up-to-date information is available and on hand at any time.
Perhaps the single most important difference between FedRAMP and ISO 27001 is who cares about it.
FedRAMP is a valid and proactive security standard, but it’s also surprisingly limited. It’s required by the United States Federal Government, which is certainly a large and far-reaching organization. However, that’s all it’s required by. State governments, local governments, non-governmental organizations, non-US governments, private-sector business partners, and sophisticated customers generally don’t require or care about FedRAMP. In fact, many people may not even know what FedRAMP is if they haven’t come up against it in the past.
That’s not to say that you can’t make it matter. Unless otherwise required, many customers don’t actually have set security standards for the platforms they use. Being FedRAMP authorized can be a selling point that convinces less sophisticated customers that your security is up to snuff.
Conversely, ISO 27001 is a much more broadly recognized standard, used all around the world, throughout the private sector, and with non-governmental organizations. Far more customers, businesses, and organizations – including governments of other countries besides the US – are likely to know and care about ISO standards than about FedRAMP.
You have five options here.
Option zero is to not pursue any security framework at all. If your cloud service doesn’t handle any sort of information and barely needs a user account, if it needs one at all, you may not really have any reason to build up a security posture. A cloud service that lets users set a timer isn’t business-critical and doesn’t require customer information, after all. However, this argument breaks down the moment you require users to register, let alone offer more detailed information processing or storage services. Generally, having some kind of security posture is a good idea.
Option one is to pursue a different framework entirely. There are a lot of security frameworks out there that may be more applicable in specific spheres than FedRAMP or ISO 27001. Financial organizations need to achieve SOC2/3 compliance. Government contractors with specific situations, like those working with the Department of Defense, may need to pursue CMMC or DFARS instead of – or in addition to – FedRAMP. Tax information needs to comply with IRS 1075. Health information needs to comply with HIPAA. All of these may be better choices than either FedRAMP or ISO 27001.
Option two is to pursue FedRAMP authorization. FedRAMP is required if you wish to work with the US federal government. It can also be a good idea to pursue a FedRAMP Authority to Operate if you’re already working with the government under another framework, like FISMA. Similarly, if you have a non-cloud service (and thus don’t need FedRAMP authorization) but plan to launch a cloud service later, achieving FedRAMP authorization can be a good way to go.
Option three is to achieve ISO 27001 compliance. In broad strokes, ISO 27001 is the more relevant and applicable security standard. It has a much wider possible audience and a larger pool of applicability. You’re also likely to encounter ISO 27001 requirements when working with other global, online, and foreign companies or international businesses. Essentially, if you want or need a good security posture, and you don’t plan to work with the United States Government, ISO 27001 is the better choice.
Option four is to achieve both FedRAMP and ISO 27001 certification. There’s nothing stopping you from getting both other than the time invested in doing so. The truth is, there’s a lot of overlap between FedRAMP and ISO 27001. Achieving a high enough level of security is generally going to be applicable to both.
The greatest challenge is simply keeping track of all of the information necessary to achieve certification and pass audits. Even if the security controls are broadly similar, the specific details – including the information you need to actively monitor and record – can be different. Essentially, if you wish to pursue both FedRAMP and ISO 27001, you will need two compliance teams and two sets of records, as well as two sets of continuous monitoring to keep track of it all.
We can help with this. The Ignyte Platform was developed specifically to help you keep track of all of the relevant information for any of a wide range of security frameworks, including all of the ones mentioned earlier in this post.
Moreover, if you choose to pursue FedRAMP authorization, we’re also a certified third-party assessment organization. If you choose to work with us, we can help you perform your auditing and analyses to make sure you’re checking all the boxes and implementing the right security, the right way.
If you have any questions about FedRAMP, ISO 27001, or any other security framework, feel free to reach out; we’re more than happy to chat!
This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/fedramp-vs-iso-27001/