
FedRAMP vs. ISO 27001

Blog Article Published: 10/28/2022

Originally published by Schellman here.

Ever seen those jugglers that manage to balance multiple spinning plates at the same time? As impressive as it is, you figure you’d be happy to spin just the one plate successfully. For cloud service providers (CSPs), you have lots of different proverbial compliance “plates” to choose to channel your effort into—the trick is knowing the differences and which is best for you.

FedRAMP has emerged as a lucrative compliance initiative, particularly for those eager for the opportunity to expand their business domestically into the large budgets of the federal government. But there’s a whole world out there too, and so it also makes sense to stay versatile and internationally compliant, which makes ISO 27001 an attractive “plate” to possibly spin as well.

As both an ISO Certification Body and a 3PAO, we’ve provided both of these services for more than a decade, so we’ve come to know the details of each quite well. Now, we’d like to help you understand these compliance frameworks a bit more.

In this article, we’ll give a brief overview of both FedRAMP and ISO 27001 and their major components. We’ll detail the differences, as well as the similarities between them, along with some basic reasons for opting one way or the other. By the end, you’ll have clarity on both standards, and your decision for either, both—or neither—will be simplified.

What is FedRAMP?

If you’re considering FedRAMP compliance, you’re almost certainly interested in providing cloud services or infrastructure to the federal government. But to do that, you need FedRAMP Authority to Operate (ATO), which means your offering must meet a comprehensive set of authorization standards.

Once you’ve adequately prepared your environment, a third-party assessment organization (3PAO) must attest to both your capacity to secure your systems and your risk management practices before the FedRAMP PMO, along with your agency sponsor or the Joint Authorization Board, approves your ATO.

FedRAMP is an ongoing and rigorous standard that you must continue to meet if you want to maintain your business with the federal government, and—aside from the 3PAO assessment—there are two other important aspects to this compliance program:

Major Components of FedRAMP Authorization

NIST Compliance

  • FedRAMP requirements are largely based on the unified security and privacy control catalog of NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations” (though your agency sponsor may request that you comply with other NIST publications as well).
  • This catalog contains groupings of operational, technical, and management controls that touch on topics such as access control and personnel security.

Impact Levels

FedRAMP permits you to meet different authorization requirements based on NIST SP 800-53’s control baselines. Which you choose will depend on your offering’s level of risk:

  • Low Impact: Offerings where loss or destruction of the data within them would have little impact on the functioning of your agency (e.g., it may already be public information).
  • Moderate Impact: Offerings whose loss or destruction of the data contained would significantly impact your agency. This would be confidential and controlled information—but not classified information.
  • High Impact: Offerings where, should data loss or destruction occur, there would be severe consequences—these systems might contain medical information or classified defense intelligence.

Controls

While the impact levels above are based on the type of information handled, each has an associated number of baseline controls:

  • Low Impact – 125+ controls
  • Moderate Impact – 325+ controls
  • High Impact – 420+ controls

Department of Defense requirements include additional controls and/or process requirements.

The above articulates why scope matters—the larger the environment and the higher the impact, the more control tests are applied. That methodology, plus the fact that FedRAMP includes vulnerability scanning and penetration testing, distinguishes it from most other types of security assessments.

What is ISO 27001?

While FedRAMP is a domestic program, ISO 27001 is a globally recognized certification process that provides the opportunity to demonstrate your commitment to information security, combining risk assessment, security management, and continuous monitoring to support a holistic cybersecurity defense.

Getting ISO 27001 certified will mean prioritizing confidentiality, integrity, and availability through ample preparation, including:

  • Building out infrastructure
  • Designing and implementing comprehensive controls and risk management approaches to mitigate vulnerabilities
  • Documenting and maintaining operational processes and procedures that will ensure adequate security over time

Accommodating all of that will mean implementing an information security management system (ISMS), and what’s important to understand about your ISMS is that it’s not just a “piece” of software or even a program—as an overarching management infrastructure that incorporates all your security and risk management efforts, it’ll be made up of a few distinct components:

Controls

Implemented controls should address both the risk and IT context of your organization. They may include:

  • Physical security (locks, cameras, etc.),
  • Software and hardware
  • Administrative controls (rules and regulations, assigned responsibilities, and security policies)

Risk Assessment, Identification, and Mitigation

The required regular risk assessments will help you:

  • Identify potential vulnerabilities,
  • Find solutions to mitigate threats that align with your business and security goals.

Stakeholders

When you build your ISMS, you’ll need to take into account the relevant stakeholders and their priorities and needs related to cybersecurity.

Monitoring and Continuous Improvement

ISO 27001 requires surveillance audits during the certification period, which will mean steady monitoring of the effectiveness of your implemented controls and related policies and procedures. When assessed, you’ll also be evaluated as to whether you are making a continual effort to make improvements to your ISMS based on evolving threats and technologies.

Differences Between FedRAMP and ISO 27001

Given all that, there are some clear-cut ways these standards deviate in their approaches to security:

  • Relevance of Defined Controls
    • For ISO 27001 certification, you must demonstrate conformance to the standard’s requirements, and defined controls—while important—are not as critical as your ability to identify risk and implement your own controls.
      • The base control set from Annex A is only 114 controls.
    • FedRAMP Authority to Operate (ATO) will indicate that your cloud service offering is authorized for use due to its adherence to the Risk Management Framework (RMF) and the underlying NIST 800-53 security controls.
      • As noted above, the number of controls could range from 125 to more than 400.
  • Forward-Thinking vs. Historic
    • ISO 27001 certification is issued for a three-year term and is intended to cover an “active” management system.
    • A successful FedRAMP assessment indicates that your organization had effective controls during a historic period. That said, the ATO itself is active and ongoing—you’re required to provide data to the government on a regular basis in addition to annual reviews.

Similarities Between FedRAMP and ISO 27001

Despite these differences, there are some ways these two initiatives are comparable. Both:

  • Provide independent assurance on a broad and common control set that is designed and implemented to meet a specific set of requirements or criteria.
  • Support the idea of continual improvement.
    • ISO 27001 certification: Requires two years of surveillance reviews after initial certification to verify, among other things, continual improvement.
    • FedRAMP: Requires, in addition to the annual assessment, quarterly submissions of scans and other reports to confirm that your controls are operating consistently.
  • Will position your cybersecurity infrastructure well to pivot to different frameworks, should that become necessary.
  • Allow a cloud provider to gain a significant advantage over competitors.

FedRAMP or ISO 27001: Which is Right for You?

Because ISO 27001 takes such a holistic approach to organizational information security, it makes for a very attractive option; FedRAMP also takes a framework approach, though it serves the highly specific needs of one large customer base.

Especially for the cloud service providers for whom both standards can help, this can be a difficult choice. Depending on the nature of your business, it may benefit you to do one, the other, or even both.

Why Pursue FedRAMP ATO

  • You’re a CSP looking to maintain or expand your business into the American federal government. This is obvious and the most important reason—you’re not breaking into this sector without FedRAMP ATO. But even if you don’t have a presence in this sector just yet, you may want to be in future—a FedRAMP consultant can help with that.
  • You already follow NIST 800-53 requirements for FISMA compliance. Given that FedRAMP is based largely on the same requirements, authorization should be relatively straightforward.
  • You’d prefer to implement accessible, common federal controls. ISO standards are behind paywalls, but NIST SP 800-53 is free.

Why Pursue ISO 27001 Certification

  • Your business is international. ISO certifications are a worldwide brand, so building your security around this standard vs. more domestic frameworks like NIST or FedRAMP may suit your entire customer base much better.
  • You like the idea of centralized and systemic controls. ISO 27001 is a vetted, comprehensive framework for organizational security that also offers a roadmap for your ongoing risk management.
  • You work with a lot of third-party vendors. Part of ISO’s holistic nature will require you to look beyond your own on-premises cybersecurity, which is the focus of so many compliance initiatives. A well-defined ISMS will help you address any vulnerabilities that working with providers opens you up to.

Next Steps

So, to recap each of these different plates you might need to juggle:

  • FedRAMP is a must-have for those in the federal cloud space and—thanks to its reliance on the RMF in NIST SP 800-53—it’s arguably one of the most comprehensive assessments you can have performed.
  • ISO 27001 certification, while a lesser-impact assessment, provides an opportunity to be recognized worldwide for your active commitment to information security, as demonstrated by the unique, multi-faceted, and overarching approach it requires.

It’s also worth noting that the NIST 800-53 requirements that form the backbone of FedRAMP include a mapping to ISO 27001 controls, so the writers of both standards clearly considered that organizations might take on both. Many of our cloud provider clients actually do, in part because they can take advantage of working with a single independent assessment firm.

Of course, both do require extensive preparation—something you may prefer to have assistance with. To determine where your organization currently stands regarding either direction, check out our content which will help clarify:
