ISO/IEC 27017:2015 is a code of practice that gives cloud-specific implementation guidance for the information security controls of ISO/IEC 27002 and adds further controls that apply only to the provision and use of cloud services.
The certification is gained by an annual independent audit and ServiceNow has been an ISO/IEC 27017:2015 certified organisation since 2018.
ISO/IEC 27001:2022 specifies the requirements for an information security management system (ISMS); its Annex A controls are drawn from the ISO/IEC 27002 best-practice guide. Certification against it demonstrates that our ISMS is maintained and continually improved to keep pace with changes in the threat landscape.
Re-certification is obtained by a full audit every three years, with a surveillance audit in each intervening year, in order to demonstrate that ServiceNow:
- Has designed and implemented a comprehensive ISMS.
- Has adopted a continuous risk management process to ensure that the appropriate information security controls are in place to meet an evolving threat landscape and risks.
- Systematically evaluates information security risks, taking into account factors including the impact that threats and vulnerabilities would have on the company.
ServiceNow has been an ISO/IEC 27001 certified organisation since 2012, and the certificate is available here. As with any ISO/IEC 27001 certificate, the scope statement and the Statement of Applicability define which services, locations and controls are actually covered, so check that the products you use fall within that scope.
ISO/IEC 27018:2019 is a code of practice based on ISO/IEC 27002 and concerned with the protection of personally identifiable information (PII) in public clouds, in accordance with the privacy principles of ISO/IEC 29100.
The certification is gained by annual independent audit and ServiceNow has been an ISO/IEC 27018:2019 certified organisation since 2016.
The System and Organization Controls (SOC) framework, defined by the AICPA, provides independent attestation that ServiceNow has controls in place to protect the confidentiality, integrity and availability of our customers' data in the cloud.
- SOC 1 covers controls at the service organisation that are relevant to its customers' internal control over financial reporting.
- SOC 2 covers controls relevant to the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy.
ServiceNow is audited by an independent third party and has maintained its SOC 1 Type 2 attestation since 2011, currently under SSAE 18 (SSAE 18 superseded SSAE 16 in 2017, which had in turn replaced the now-deprecated SAS 70). SSAE 18 is aligned with the international standard ISAE 3402. A Type 2 report covers the operating effectiveness of controls over the stated period, not just their design at a point in time.
ServiceNow's SOC 1 report covering the period from 1 October (of the previous calendar year) to 30 September (of the current calendar year) is available via ServiceNow CORE by the end of each calendar year (December).
The SOC 1 report covering the period from 1 April to 31 March is available via ServiceNow CORE by the end of each calendar Q2 (June).
ServiceNow has also undergone an annual SOC 2 Type 2 examination since 2013, covering the security, availability and confidentiality categories of the AICPA Trust Services Criteria (TSC). When relying on the report, confirm that the services and TSC categories you need are within its stated scope.
ServiceNow's SOC 2 report covers the period 1 October (of the prior calendar year) to 30 September (current calendar year) and is available via ServiceNow CORE by the end of each calendar year (December).
A bridge letter is provided for the gap between the end of one audit period and the issue of the next report, so that customers have coverage for the entire year. A bridge letter is a statement by ServiceNow management that no material changes to the controls described in the most recent report have occurred; it is not an auditor's opinion, so the next full report should be obtained once it is issued.
ServiceNow's SOC 1 bridge letter covering the period from 1 October to 31 December of the current calendar year is available on ServiceNow CORE by the end of calendar Q1 of the following year.
The SOC 1 bridge letter covering the period from 1 April to 30 June is available via ServiceNow CORE by the end of each calendar Q3.
ServiceNow's SOC 2 bridge letter covers the period from 1 October to 31 December of the current calendar year and is available on ServiceNow CORE by the end of calendar Q1 of the following year.
The EU Cloud Code of Conduct (EU Cloud CoC) is a set of control requirements designed to build trust and transparency in the European cloud computing market and to simplify cloud customers' risk assessment of Cloud Service Providers (CSPs). To demonstrate compliance, ServiceNow performed an internal audit against more than 80 EU Cloud CoC requirements and then had that audit effort externally assessed. This external validation of adherence to the EU Cloud CoC complements our existing security and privacy certifications and reflects our ongoing commitment to privacy and security.
ServiceNow's services are verified as compliant with the EU Cloud CoC under Verification-ID 2022LVL02SCOPE3113; the entry can be checked in the public register at https://eucoc.cloud/en/public-register.
ServiceNow's Government Community Cloud (GCC) offering currently maintains a Federal Risk and Authorization Management Program (FedRAMP) High Baseline Provisional Authority to Operate (P-ATO). FedRAMP provides a standardised approach for assessing, monitoring and authorising cloud products and services under the Federal Information Security Modernization Act (FISMA), which allows US federal agencies to adopt ServiceNow's secure cloud solutions more quickly. A P-ATO is reused by each agency, which still issues its own Authority to Operate (ATO) for its use of the service.
GCC received its initial FedRAMP High P-ATO in August 2019. GCC also meets Department of Defense (DoD) Impact Level 4 (IL4) and CNSSI 1253F Privacy Overlay High PII + PHI control requirements.
ServiceNow's Government Community Cloud (GCC) offering currently maintains a Department of Defense (DoD) Impact Level 4 (IL4) Provisional Authorisation (PA). This facilitates the procurement of ServiceNow products by the US DoD and the Intelligence Community (IC) against the baseline defined by the DoD Cloud Computing (CC) Security Requirements Guide (SRG) published by the Defense Information Systems Agency (DISA).
ServiceNow received its initial GCC DoD IL4 PA in October 2019. The DoD IL4 PA encompasses both the FedRAMP High and the additional DoD IL4 control requirements.
ServiceNow is listed on the DISA Storefront within the Standard Offering section.
ServiceNow has obtained a US Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorisation, making the ServiceNow National Security Cloud (NSC) one of the few software-as-a-service and platform-as-a-service (SaaS/PaaS) offerings built and authorised to meet the DoD Cloud Computing Security Requirements Guide at Impact Level 5.
The IL5 Provisional Authorisation enables the DoD, its mission partners and selected federal agencies to move highly sensitive data, including Controlled Unclassified Information (CUI) that requires a higher level of protection and data from unclassified National Security Systems, to ServiceNow cloud solutions hosted on Microsoft Azure Government.
The Multi-Tier Cloud Security (MTCS) standard, Singapore Standard SS 584, builds on ISO/IEC 27001 and additionally covers data sovereignty, retention and availability, together with business continuity planning and disaster recovery. MTCS Level 3 certification attests that ServiceNow meets the standard's requirements for the confidentiality and integrity of customer data hosted in the cloud for Singapore.
ServiceNow is proud to have achieved MTCS Level 3, the highest of the standard's three levels.
ServiceNow's Australian platforms have been independently assessed by an endorsed assessor under the Australian Signals Directorate's Information Security Registered Assessors Program (IRAP) against the Australian Government Information Security Manual (ISM) controls for OFFICIAL and PROTECTED data. IRAP-assessed OFFICIAL and PROTECTED cloud services give Australian Government customers confidence in the Now Platform and enable ServiceNow to engage effectively with Australian Government agencies and critical infrastructure providers. An IRAP assessment report is an input to the customer's own authorisation decision rather than a certification, so agencies should review the report's scope and residual risks for the services they intend to use.
Further details for Australian Regulated customers can be reviewed here: https://your.servicenow.com/microsoftregulatedindustries/australia
ServiceNow and the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC):
Please direct any communications in accordance with the EU Digital Services Act to DSACompliance@ServiceNow.com.
ServiceNow is a Data Privacy Framework (DPF) Program participant. The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF were developed by the U.S. Department of Commerce together with, respectively, the European Commission, the UK Government and the Swiss Federal Administration, to give U.S. organisations reliable mechanisms for transferring personal data to the United States from the European Union, the United Kingdom and Switzerland while ensuring data protection consistent with EU, UK and Swiss law.
More information about the Data Privacy Framework Program can be found here (https://www.dataprivacyframework.gov/s/). ServiceNow's DPF Policy is available here (https://www.servicenow.com/data-privacy-framework.html).