FedRAMP vs. ISO 27001: Pursuing the Right Security


Companies trying to navigate the crowded landscape of private- and public-sector cybersecurity frameworks can easily lose track of what they should focus on. The truth is that you can’t adopt them all, but you can focus on the standards and regulations that directly affect how you do business. 

Here, we’ll discuss two of the most prevalent security frameworks–FedRAMP and ISO 27001. 


What Is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that standardizes the security assessment, authorization and continuous monitoring of cloud services used by federal agencies. Cloud service providers (CSPs) must hold a FedRAMP authorization before an agency can place federal data in their service. 

FedRAMP builds on federal law and policy (FISMA and the NIST standards that implement it). It is not a one-time certificate: CSPs must demonstrate, through independent assessment and ongoing monitoring, that they secure their systems and maintain sound risk management practices. 

It is also important to note that FedRAMP isn’t a single flat baseline. The controls a CSP must implement depend on the impact level of the data an agency intends to put in the service. Agencies categorize their data, and their solicitations (RFPs) typically state the impact level a provider must be authorized at; that level (Low, Moderate or High, discussed below) determines which FedRAMP baseline the CSP is assessed against.

Some of the major aspects of FedRAMP authorization include:


NIST Compliance

FedRAMP is based on several documents published by the National Institute of Standards and Technology, including FIPS 199 (impact categorization), NIST Special Publication 800-37 (the Risk Management Framework) and, most importantly, NIST Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations.” SP 800-53 is the catalog of controls from which federal agencies and contractors build their security programs, and FedRAMP selects controls from it to form its baselines. Its control families include access control, identification and authentication, audit and accountability, configuration management, system and communications protection (encryption and boundary protection), media protection (including sanitization and disposal), physical and environmental protection, incident response, and contingency planning. 


Impact Levels for Cloud Systems

FedRAMP partitions its authorization baselines by impact level, using the FIPS 199 definitions. The level is set by the worst-case effect of a loss of confidentiality, integrity or availability of the data the system handles, and each higher level adds controls and control enhancements to the baseline:

  • Low Impact: Systems where a loss of confidentiality, integrity or availability would have a limited adverse effect on the agency’s operations, assets or individuals. Low-impact systems typically handle public or otherwise non-sensitive information. 
  • Moderate Impact: Systems where such a loss would have a serious adverse effect, including significant financial loss, significant harm to individuals (but not loss of life) or serious degradation of the agency’s ability to perform its mission. Most FedRAMP authorizations are at the Moderate level, which covers controlled unclassified information. 
  • High Impact: Systems where such a loss would have a severe or catastrophic effect, including the agency’s inability to perform its mission, major financial loss or severe harm to individuals, including loss of life. The High baseline was designed for the government’s most sensitive unclassified data, such as law enforcement, emergency services, financial and health systems.


Third-Party Authorization

FedRAMP requires that CSPs be assessed by an accredited Third-Party Assessment Organization (3PAO). The 3PAO independently tests the CSP’s implementation of the FedRAMP baseline for the relevant impact level and documents the results in a Security Assessment Report that the authorizing agency relies on. Other federal programs use a similar model: CMMC Level 2 requires assessment by a certified third-party assessment organization (C3PAO), although NIST SP 800-171 on its own relies on contractor self-assessment rather than a mandatory third-party audit. 

Independent assessment is a non-negotiable requirement for CSPs serving federal agencies, and the work doesn’t end at authorization: CSPs must perform continuous monitoring (including regular vulnerability scanning and tracking of open findings) and undergo an annual assessment to maintain their authorization.


What Is ISO 27001?


ISO/IEC 27001 is a voluntary, internationally recognized standard that specifies the requirements for an information security management system. It combines risk assessment, security management and monitoring practices into a single governance structure, and, although it is most often pursued by private-sector organizations, it is used by public-sector bodies as well.

The standard’s priorities are that information remain confidential, intact (integrity) and available, the classic CIA triad of cybersecurity. To achieve that, ISO 27001 requires organizations to:

  • Define the scope of their management system and identify the information assets within it, along with the associated risks, threats and vulnerabilities. 
  • Select and implement controls and a risk treatment plan that address current vulnerabilities and reduce future risk.
  • Create and maintain operational processes, including internal audits and management review, that keep security and risk management effective over time. 


Information Security Management System (ISMS)

The core concept of ISO 27001 is the ISMS: the administrative and technical structure through which an organization governs its security and risk management. 

It’s important to understand that an ISMS isn’t a piece of technology or a cloud product. It is an overarching management system that encompasses your policies, processes, people and technical controls. 

An ISMS includes some of the following components:

  • Interested parties: The ISMS should identify the stakeholders inside and outside the organization (customers, regulators, employees, suppliers) and understand their requirements and expectations related to information security. 
  • Controls: The nuts-and-bolts safeguards that support security. These can be technical (IAM systems, encryption, firewalls), physical (locks, cameras, protected server rooms) or administrative (policies, defined roles and responsibilities). ISO 27001 lists a reference set of controls in its Annex A, and the organization records which of them it applies, and why, in a Statement of Applicability.
  • Risk assessment: Risk management is central to ISO 27001. Organizations must conduct regular risk assessments to identify threats and vulnerabilities, decide how each risk will be treated (mitigated, accepted, transferred or avoided) and keep security decisions aligned with business goals. 
  • Implementation: Putting the selected controls into practice within the organization’s risk and IT context. 
  • Monitoring and effectiveness: The organization must measure the effectiveness of its policies, procedures and controls through monitoring, internal audits and management review, and continually improve the ISMS as threats and technologies evolve. 


Why Consider FedRAMP over ISO 27001?

Generally speaking, most organizations will support a limited set of frameworks based on the industries they serve and seek ways to overlap their infrastructure to eliminate redundancies. 

That being said, FedRAMP is a highly specific framework for cloud providers serving the federal government. Accordingly, there are a few reasons a CSP would pursue FedRAMP authorization:

  • You are, or want to be, a federal cloud service provider: The most obvious reason is that you provide cloud services (SaaS applications, cloud storage or cloud computing capabilities) to a federal agency. Note that Department of Defense workloads layer the additional requirements of the DoD Cloud Computing Security Requirements Guide on top of FedRAMP. 
  • You already work with federal agencies under FISMA and plan to offer cloud services: If your organization serves agencies as an IT consultant, service provider or technology vendor, you already follow NIST SP 800-53 controls for FISMA compliance. FedRAMP baselines are built from the same 800-53 catalog, with FedRAMP-specific parameters and additional controls, so much of that work carries over when you move into managed or cloud services. 
  • You want to build on the NIST control catalog: Unlike ISO standards, which must be purchased, NIST publications are free and openly available. Implementing NIST SP 800-53 or FedRAMP controls positions your security program to map onto other comparable frameworks with less rework. 


Why Consider ISO 27001 Over FedRAMP?

While ISO standards aren’t required by law or by most industry regulators, they frequently appear as requirements in contracts, vendor questionnaires and proposals. 

Likewise, there are a few reasons your organization would pursue ISO 27001:

  • You are a private-sector business: Without government mandates, it can be tempting to treat security as optional. However, with attackers increasingly targeting mid-sized businesses and their service providers, even SMBs need a structured security program. ISO 27001 is a vetted, internationally recognized standard that provides a roadmap for organizational security and a path to ongoing risk management.
  • You work with many third-party vendors: ISO 27001 pushes you to think beyond the on-premises security paradigm most of us are used to, and its Annex A includes controls for supplier relationships. Working with MSPs and other vendors exposes your business to risks you won’t anticipate without robust risk management in place; a well-defined ISMS gives you a framework for addressing them. 
  • You operate an international business: ISO standards are used worldwide. Compared with NIST or FedRAMP, a centralized ISMS built on ISO 27001 is often easier to apply consistently across locations in different countries, giving you a single source of compliance truth. 


Lazarus Alliance For All Your Compliance Demands

Ongoing cybersecurity and risk management are a cost of doing business. There’s no way around that. Instead of worrying about it, work with a company that can help you juggle ISO 27001, FedRAMP or dozens of other regulations and frameworks. 

We have decades of experience working with federal, industry-specific and private security standards, helping companies achieve FedRAMP authorization, ISO 27001 certification and everything in between. 


Preparing for Either ISO 27001 or FedRAMP?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Lazarus Alliance