Sophos achieves inaugural ISO 27001:2022 certification – Source: news.sophos.com

PRODUCTS & SERVICES

We are proud to announce that Sophos has achieved our inaugural ISO 27001:2022 certification! ISO 27001:2022 is the premier international standard for information security and our certification provides customers and partners with the assurance that Sophos takes information security seriously.

What is ISO 27001:2022? Who is it designed for?

ISO 27001:2022 is the globally accepted standard for information security.  The goal of the standard is to provide assurance to customers that an organization has effectively integrated information security, data privacy, and continual improvement into its day-to-day operations.

While there are many information security certifications, ISO 27001 is the most internationally accepted certification. Furthermore, ISO 27001 forms the bedrock of many other certifications, giving Sophos a foundation to further expand our suite of information security certifications.

Growing our SOC2 audit program

But wait…there’s more! In our continued effort to provide assurance to our customers, Sophos has added two new Trust Criteria Principles to our SOC 2 scope: Availability and Confidentiality. Our SOC 2 Type 2 report now includes:

• Security: Safeguards information and systems against unauthorized access, use, disclosure, disruption, modification, or destruction.
• Availability: Ensures systems are resilient and accessible when needed, minimizing downtime and disruptions.
• Confidentiality: Guarantees the protection of sensitive information by preventing unauthorized access or disclosure.
• Privacy: Demonstrates our commitment to protecting the privacy of individual data in accordance with applicable regulations.

These Trust Criteria Principles focus on what mechanisms are in place to protect Sophos customer information, ensure the information is handled appropriately, and provide assurance to customers that their information is highly available.

A SOC 2 audit must be carried out by a certified CPA company, or an entity endorsed by the American Institute of Certified Public Accountants (AICPA). Sophos utilized Coalfire, an accredited external assessor.

Sophos has achieved PCI 4.0

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of criteria that assures customers that an organization can securely store or transmit credit card information. We are pleased to share that Sophos Managed Detection and Response (MDR) has achieved PCI DSS version 4.0.

PCI DSS 4.0 was released in March 2022 and has now come into effect. This revised edition incorporates additional controls to confirm that organizations have implemented more sophisticated security measures and access controls. The previous version, PCI DSS 3.2.1, continues to be active until March 2024.

Sharing Sophos audit reports

Our commitment to fostering customer trust remains at the forefront of our values. Paired with our dedicated focus on security, we aim to deliver products that uphold the highest standards in safeguarding sensitive information.

All Sophos audit reports and certifications can be shared with Sophos customers under a non-disclosure agreement (NDA). For further details and to request a copy, visit the Sophos Trust Center.