Sophos continuously monitors evolving regulatory standards around the globe. We incorporate the latest relevant controls into our organization, products, and technology to help our customers meet their compliance obligations. Read on to learn about the many Sophos certifications in place to help you protect your data and processes in a standards-compliant manner.
System and Organization Controls (SOC) 2
SOC 2 provides evidence-based, third-party assurance of information security pertaining to how customer data is managed, measured against the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. Sophos has been evaluated against SOC 2 AICPA criteria for security, availability, confidentiality, and privacy.
Sophos’ SOC 2 Type 2 report is available to interested parties once an NDA has been signed. Please contact your account manager or Sophos sales to request a copy.
ISO 27001:2022
ISO 27001 is the globally accepted standard for information security, cybersecurity, and privacy protection. Its goal is to provide assurance to customers that an organization has effectively integrated information security, data privacy, and processes for continual improvement into its day-to-day operations.
See Sophos ISO 27001:2022 certificate
ISO 9001
ISO 9001 is an international standard for quality management systems (QMS). It focuses on meeting customer expectations and delivering customer satisfaction by implementing efficient quality management processes.
See Sophos ISO 9001 certificate
Payment Card Industry Data Security Standard (PCI DSS) 4.0
PCI DSS is a set of criteria for assuring customers that an organization can securely store and transmit credit card information.
Sophos’ PCI DSS Attestation of Compliance (AoC) is available to interested parties once an NDA has been signed. Please contact your account manager or Sophos sales to request a copy.
View Sophos PCI DSS 4.0 compliance card
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. law designed to provide privacy standards that protect patients' medical records and other health information.
Sophos’ HIPAA Risk Assessment is available to interested parties once an NDA has been signed. Please contact your account manager or Sophos sales to request a copy.
View Sophos HIPAA compliance card
General Data Protection Regulation (GDPR)
GDPR is a European Union (EU) law designed to assure data protection and privacy to all individuals within the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA, aiming to give individuals control over their personal data and simplify the regulatory environment for international business.
View Sophos GDPR compliance card
California Privacy Rights Act (CPRA)
CPRA amends and extends the California Consumer Privacy Act (CCPA) to enhance privacy rights and consumer protection for the residents of California. It expands the scope of consumer rights and data protection obligations and introduces a new enforcement agency, the California Privacy Protection Agency (CPPA).
View Sophos CPRA compliance card
NIST SP800-171
NIST SP800-171 provides guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It specifies requirements for safeguarding the confidentiality of CUI when it is stored or transmitted, and it applies to contractors and other organizations working with U.S. federal agencies.
View Sophos NIST SP800-171 compliance card
Health Information Trust Alliance Common Security Framework (HITRUST CSF)
HITRUST CSF is a third-party audit and certification process that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. It incorporates aspects of HIPAA, NIST, ISO 27001, and PCI DSS to address the specific needs of the healthcare industry.
View Sophos HITRUST CSF compliance card
Network and Information Security 2.0 (NIS2) Directive
NIS2 is an EU directive aimed at increasing the level of cybersecurity across member states. It builds on the original NIS Directive, setting more stringent security requirements for critical infrastructure operators and digital service providers, with the aim of improving incident response and resilience against cyberthreats.