Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Part of the process of achieving ISO 27001 certification is creating the fundamental documents necessary to outline and prove your security. One of those fundamental documents is the SoA, or Statement of Applicability. The statement of applicability is a rundown of all of the ISO 27001 security controls, and a discussion of whether or not that control applies to your business.

If you’ve browsed the FedRAMP marketplace in the interest of using a government-certified service, either as part of your own services or on behalf of an agency, you’ve likely seen the various -aaS designations. The “aaS” stands for “as a Service”, and it’s part of how modern internet services function. What are the different kinds of services, and how do they engage with FedRAMP? The differences can be important.

ISO 27001 is a very useful certification for just about any company operating abroad. Comparable in many ways to NIST-based frameworks like CMMC in the United States, ISO 27001 is an international standard built to help organizations of all sizes, in all industries, across all regions of the world, to obtain a high level of standardized information security.

FedRAMP is a government-wide program meant to ensure a standardized baseline for information security throughout the cloud service providers working with the federal government. It’s a tall order. Setting forth standards that are robust enough to cover all the bases, while being open and flexible enough to cover every CSP, is not easy.

FedRAMP is the federal government’s framework for evaluating and enforcing standardized security across the cloud service providers operating as contractors. They take security seriously, and the protection of controlled information is their top priority. A key part of validating the security of a CSP is the SAR, or Security Assessment Report. What is the SAR, and how do FedRAMP agencies evaluate SAR submissions?

Companies that need to comply with CMMC to earn their governmental contracts have a lot of work ahead of them. Securing their systems against intrusion and protecting data from breaches, malicious actors, and snooping is all part and parcel of the program. One aspect of information security that can be distressingly easy to overlook is disposal.

Here on the Ignyte blog, we talk a lot about ISO 27001 as a valuable international framework for information security. We also frequently touch on two related documents: ISO 27002 and Annex A. As you may know, ISO/IEC, the organization responsible for developing the various ISO standards, has a lot of different standards for a lot of different purposes.

As one of the most common information security frameworks in the world, ISO 27001 is used by tens of thousands of organizations worldwide. That means it has to fit a lot of different groups with a lot of different needs. It also means that there’s a lot of information pertaining to ISO 27001 within each of those companies. Data like the logs of access control systems, the chain of custody for sensitive information, and the results of audits are all stored somewhere.

Ask anyone on the outside of information security what the most important part of the industry is, and you’ll get a lot of different answers, but among them will be cryptography. Using strong encryption to hide information where it can’t be accessed without the proper authorization makes a lot of sense, and the idea of strong cryptography has saturated popular culture.

Here on the Ignyte blog, we talk a lot about the most important cybersecurity frameworks for the federal government, including FedRAMP and CMMC. There’s a lot that goes into these frameworks, with contributors all across the information security world, but one of the more important agencies is DISA. The United States Defense Information Systems Agency, formerly known as the Defense Communications Agency, is the DoD sub-agency responsible for IT services and security for the Department of Defense.