Security is at the forefront of news, and although companies are making an effort to simplify the typically intense technical and legal fine print of something like the Terms and Conditions, something like cloud security certifications are still fairly hard to follow and are loaded with heavily technical terms.
This is especially true when it comes to security certifications. A company can certainly list certificates, but what does that matter if you can’t figure out the difference between FISMA and FedRAMP?

This glossary aims to demystify some of the certificates you’d come across when checking out info on a cloud-based company. We also use some of these certifications we’ve also used for our independent cloud business app ranking, Category LeaderIt’s important to note that even if a piece of software doesn’t list some of the certifications or compliance standards, they still might have it. For example the hosting service, Amazon Web Services (AWS), has some of the certifications listed below and many companies use AWS to host their data.

Some of these standards and certifications are incredibly expensive, so it’s not necessarily a reflection of poor security, it’s just many companies can’t afford to receive them. It’s part of the reason why you see big companies like Amazon, Microsoft, or Salesforce have lots of the certificates listed below.

Keeping in mind that these definitions are an attempt to translate into layman’s terms and are more complicated than the brief descriptions below.


Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

This is set by the Cloud Security Alliance, which is a worldwide non-profit dedicated to Cloud security standards. This is an incredibly detailed system that is comprised of other certifications and standards such as ISO 27001/2002. The CSA’s main goal is to educate people and organizations on good cloud security practices, and their website is a treasure trove of information.

Read more about the CSA CCM

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP was designed to specifically address cloud security for government organizations. It provides a more efficient way to have a unified standard for government agencies or related groups to follow the same security processes.

Read more about FedRAMP

Federal Information Security Management Act (FISMA)

The predecessor to FedRamp, this is to protect government agencies, departments, and related contractors and make sure that their systems are secure. Although this is for systems that may be connected to the government, other organizations may voluntarily opt for this standard. Technically, it is not a “certification”, but rather an authorization to operate your systems based on standards and guidelines. If you’re interested in diving into the nitty gritty of FISMA (the link below is general FAQs), check out this page on the National Institute of Standards and Technology (NIST) website.

Read more about FISMA

FIPS 140-2

This is a U.S. government security standard that assesses cryptography for both hardware and software. It’s broken up into four different levels, with level 1 as the basic level of cryptography, and level 4 as the most secure. Components of FIPS 140 can range from self-tests to electromagnetic protection. It’s important to note that the higher levels of FIPS 140-2 factor in physical location (e.g. where your servers are, are the security guards, alarm system info).

Read more about FIPS 140-2

HIPAA Business Associate Agreement (BAA)

This pertains to health records in the United States. This is a contract between a HIPAA-covered entity and a HIPAA business associate that is used to protect personal health information in accordance with HIPAA guidelines. Any business under this agreement is subject to audits and must alert customers if there’s been a security breach.

Read more about the HIPAA BAA

ISO 27001/27002

These come from the International Organization for Standardization, which essentially is a voluntary organization that provides international standards across a wide variety of areas. Specifically, ISO 27001 and 27002 deal with security. 27001 provides a structure for implementing and maintaining security in an organization; ISO 27002 provides a baseline for compliance or for other external certifications. Note: these do not necessarily provide proof that something is secure, rather that the app works within this agreed upon standard.

Some examples of apps that have ISO 27001/2002: Samanage, FinancialForce

Read more about ISO 27001/27002  

ISO 27018

This is one step further in the evolution of ISO that will be important in cloud computing. It’s made up of factors which say that the organization must be transparent about where they store your data, alert you in case there’s a breach, commit to a yearly third-party audit, and (perhaps most importantly) agree to not use your info in sales and marketing materials. Two notable examples that have adopted this standard are Microsoft Azure and Dropbox.

Read more about ISO 27018

Payment Card Industry (PCI) Data Security Standards (DSS)

This is a security standard for organizations that deal with the major credit card companies including Visa, MasterCard, and American Express. Originally, credit card companies had their own security standards which led to the creation of Payment Card Industry Security Standards Council (PCI SSC).

Some examples of apps that have PCI DSS: Nutcache, Nimble

Read more about PCI DSS


SOC 1 is comprised of financial and accounting standards for financial organizations. It provides a way to audit a company’s financial information. The audit provides reports on the management/company of the service organization, the company’s clients, and the auditors themselves.


This is an updated version of SOC 1 that includes more criteria to address security concerns in the financial sector. Security is judged on seven different criteria which is comprised of: organization and management, communications, risk management and design and implementation of controls, monitoring of controls, logical and physical access controls, system operations, and change management.

Read more about SOC 1 and SOC 2

United Kingdom G-Cloud

An initiative aimed at simplifying the incorporation of cloud software into UK government agencies or related groups, receiving this certification makes it easier for the agencies to choose cloud services without having to go through a procurement process (a competition to choose services). These services are offered on a digital marketplace, which makes it simpler for government organizations to find approved software.

Read more about G-Cloud

Safe Harbor – NO LONGER VALID.

This was an agreement between the EU and United States that was created in order  to take care of the differences in data protection laws. The EU (generally speaking) is far more restrictive on what companies can do with user data when compared to the United States. This allowed for Europeans’ data to be transferred across to the United States, while still adhering to the EU standards. However, it was ruled invalid in 2015 and it has since been replaced by the EU-US Privacy Shield.

There’s also a similar agreement between the US and Switzerland called the U.S.-Swiss Safe Harbor agreement, which has been replaced by it’s successor, the Swiss-U.S. Privacy Shield Framework.

Read more about Safe Harbor

(This post was originally ran Jan 15, 2015 and has since been updated.)


Share This

Share this post with your friends!