cpeake
ServiceNow Employee

The ServiceNow Information Security team fills out standardized questionnaires from both Shared Assessments (i.e. the Standardized Information Gathering questionnaire) and the Cloud Security Alliance (CSA). The questionnaires are then made available annually to every customer under a Non-Disclosure Agreement (NDA).

 

Each year, the Information Security team goes through the questionnaires question by question, providing answers for the Software as a Service (SaaS) environment. The questions cover the infrastructure components, the security features within the ServiceNow application, and of course our policies and procedures. The Standardized Information Gathering (SIG) Questionnaire by Shared Assessments has long been a trusted source of relevant questions for today's IT departments, with updated questions provided annually. The CSA has become the de facto standard for the security industry when evaluating the security and risk of SaaS solutions through its CSA Consensus Assessments Initiative (CAI) and its CSA Cloud Controls Matrix (CCM).

 

In addition to the questionnaires, third-party auditors annually assess the ServiceNow environment, policies, and procedures against the control set within the International Organization for Standardization (ISO) 27001:2013 standard and Statement on Standards for Attestation Engagements (SSAE) 16. Once the assessments are completed, the auditor delivers SSAE 16 attestations to ServiceNow, known as Service Organization Controls (SOC) 1 Type 2 and SOC 2 Type 2 reports. These reports document, from an independent perspective, the SaaS environment along with the controls the auditors evaluated. We of course make these available to customers as well!

 

As our customer, you can request a copy of all 5 questionnaires and/or attestations annually to help you perform your security due diligence assessment. We offer this simply because you are our customer and we know how much trust you put in us to help secure your data!

 

To access these reports, and much more, you can join ServiceNow's CORE on the ServiceNow Community, which is provided at no cost to customers.

You'll just need to complete the following steps:

 

  1. Step One - Join the ServiceNow Community
    If you're already a member, make sure that you know your community username and proceed to step two.

    If you're not already a member, click here to sign up.
    Community will email you to confirm that you have provided a valid email address; make sure to click the link to fully activate your account.
    Keep the username you've created handy, as it's required to successfully complete the next step.

  2. Step Two - Complete the ServiceNow CORE Registration Survey
    Fill out the survey - Click here

  3. Step Three - Once onboarding is complete, you will receive a notification email from ServiceNow with access instructions.

 

From within the CORE area, you can find and/or request the reports.

Please be specific as to which reports and/or attestations you want to receive, unless you'd like all 5.

 

For a PDF version of these instructions, click here.