Posted by John Kleeman, Executive Director and Founder
Any organization can claim to be secure. But how can a purchaser determine whether a software or cloud vendor truly has good security measures in place?
The key is to look for independent, third-party audit and review of security. Usually this means looking for certification or attestation against a recognized security standard. The two most widely used internationally are ISO 27001 (a certification) and SOC 2 (an attestation report); if you are a US government organization, FedRAMP authorization is also relevant.
This article explains the advantages of different security standards as they apply to vendors of testing services. It’s aimed at government and other purchasers of testing services.
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements, is the international standard for information security management systems (ISMS). By following ISO 27001, an organization puts in place a framework of policies, procedures and controls which allows it to evaluate risks to the confidentiality, integrity and availability of information and to put in place controls that address those risks.
To be certified against ISO 27001, an organization undergoes a detailed audit of its security framework by an accredited, independent certification body. Certificates are usually valid for 3 years, with a surveillance audit each year and a full recertification audit at the end of the cycle. A key focus of ISO 27001 is continual improvement, and organizations are expected to improve their security over time.
If a vendor claims to be ISO 27001 certified, here are some useful checks to make:
- Check the organization itself is ISO 27001 certified, not just its data center.
- Ask to see the certificate and check that it has not expired. You can verify that the certificate number is genuine and still current via the certification body's online register.
- Check that the scope of the certification (shown on the certificate) includes the testing services being purchased.
- Check that the certification body is reputable and is itself accredited by a national accreditation body (for example UKAS in the UK or ANAB in the US).
- Ask to see the Statement of Applicability, which lists which of the 114 Annex A controls of ISO 27001:2013 are included in the certification and which have been excluded, with a justification for each exclusion. It would be unusual for a vendor of cloud testing services not to include almost all of the controls.
SOC audits are annual audits performed under attestation standards developed by the AICPA (American Institute of Certified Public Accountants). SOC audits generate reports that an organization can share with its customers to help assure them that processes are in place to protect the customer's information.
There are other kinds of SOC reports, but the most relevant to security are SOC 2 reports. These are assessed against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Security is the only criterion that must always be included; the others are in scope only if the organization chooses them, so check which criteria a given report actually covers.
If an organization claims to have SOC 2 attestation, here are some checks to make:
- Check that the SOC 2 report covers the organization itself and the service you are buying, not just its data center. A data center provider's own SOC 2 report says nothing about the vendor's application or operations.
- Ask for a copy of the report. You should expect to sign an NDA before you are allowed to see it.
- Check that the auditor is a reputable organization. A SOC 2 report can only be issued by a licensed CPA firm.
- There are two types of SOC 2 report. A Type 1 report has some value but only describes the design of controls at a snapshot in time, whereas a Type 2 report tests whether the controls operated effectively over a period of time, usually six to twelve months. A Type 2 report is stronger; also check that the period covered is recent.
- Check whether the auditor's opinion is qualified or unqualified. An unqualified opinion is strongly preferred. Also read the test results section of a Type 2 report for any exceptions the auditor noted, since a report can be unqualified and still list individual control failures.
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program which encourages the adoption of secure cloud services within the federal government by providing a standardized approach to security and risk assessment for cloud technologies.
To achieve FedRAMP authorization, an organization needs to meet a series of security controls (about 325 for FedRAMP Moderate) and to describe in detail how it meets them in a System Security Plan. The organization is then assessed by an accredited Third Party Assessment Organization (3PAO) and needs to be authorized either by a sponsoring government agency or by the FedRAMP Joint Authorization Board.
Systems that have FedRAMP authorization usually have a separate instance for U.S. government use. For example, Questionmark has two products, our commercial OnDemand and our OnDemand for Government system. Both systems are covered under our ISO 27001 certification, but only the government system has FedRAMP Moderate authorization.
At the time of writing, there are around 200 systems approved by FedRAMP. If an organization claims to have FedRAMP authorization, here are some checks to make:
- Check the organization is listed as authorized on the FedRAMP site, https://marketplace.fedramp.gov/.
- Check that the organization itself is authorized, not just its data center, and that the whole service you are using falls within the authorization boundary.
- There are three different impact levels, Low, Moderate and High, but the most common is FedRAMP Moderate.
- U.S. government organizations can drill down further by reviewing the FedRAMP documents which explain in detail how the organization meets the FedRAMP requirements.
What does it all mean?
Obtaining ISO 27001 certification, SOC 2 attestation and FedRAMP authorization is a substantial effort for any organization. Maintaining it in place requires people, resources and processes to continue to meet the current and evolving security controls. For a testing organization, a decision to obtain a security accreditation only makes sense if it has a genuine, long-term commitment to security.
Questionmark has ISO 27001 certification and FedRAMP Moderate authorization but does not currently have a SOC 2 attestation; all three, however, are credible forms of assurance.
If you are a U.S. government agency looking to use a cloud solution, you will most likely be required to use a FedRAMP-authorized solution. If you are not a U.S. government agency, then you will not usually be able to use the FedRAMP-authorized instance directly. But for most vendors there is a single set of backend processes covering development, access control, training, configuration management and so on that applies to both the government and commercial systems, so many of the benefits of FedRAMP will likely carry through to the commercial or international systems.
If FedRAMP authorization is not relevant to you, then choosing a vendor with ISO 27001 certification or SOC 2 attestation is likely to be a good choice. Neither is a guarantee of security, but they both provide assurance that an organization is actively managing security and risk.
I hope that this explanation is helpful. For more information on ISO 27001, see the ISO website; for more information on SOC 2, see the AICPA website; and for more information on FedRAMP, see www.fedRAMP.gov.
For another article on ISO 27001 and SOC 2 attestation in the testing industry, see the ATP’s Privacy in practice bulletin on “Security Standards and the Assessment Industry” from January 2020. And for more information on Questionmark’s security, see our trust page.
To learn more about Questionmark, please contact us.
John is the Founder of Questionmark. He wrote the first version of the Questionmark assessment software system and then founded Questionmark in 1988 to market, develop and support it. John has been heavily involved in assessment software development for over 30 years and has also participated in several standards initiatives.