Abstract
Security certifications are widely used to demonstrate compliance with privacy and security principles, but over the last few years new technologies and services – such as cloud computing applications – have brought new threats to the security of information, making existing standards weak or ineffective.
Three of the most highly regarded information technology security certifications used to assess cloud security are ISO/IEC 27001, SOC 2, and FedRAMP. ISO/IEC 27001 and SOC 2 have been used worldwide since 2005 and 2011, respectively, to build and maintain information security management systems or controls relevant to confidentiality, integrity, availability, security, and privacy within a service organization; FedRAMP was created in 2011 to meet the specific needs of the U.S. government in migrating its data to cloud environments.
This chapter describes the evolution of these three security standards and the improvements made to them over time to cope with new threats, and assesses their adequacy and completeness by comparing them to each other. Understanding their evolution, resilience, and adequacy sheds light on their weaknesses and thus suggests the improvements needed to keep pace with technological innovation.
| Field | Value |
|---|---|
| Original language | English (US) |
| Title of host publication | Assured Cloud Computing |
| Editors | Roy H. Campbell, Charles A. Kamhoua, Kevin A. Kwiat |
| Publisher | Wiley-IEEE Press |
| Pages | 277-311 |
| ISBN (Electronic) | 9781119428497 |
| ISBN (Print) | 9781119428633 |
| DOIs | |
| State | Published - Dec 20 2018 |
Keywords
- American Institute of Certified Public Accountants
- Service Organization Control
- Payment Card Industry Security Standard Council
- information technology security certifications
- cloud technology
- Cloud Security Alliance