Sophos engages independent external auditors to assess and report on our security controls across multiple areas of our organization.

Sophos has achieved the following external certifications:

The SOC reports are available to interested parties under NDA. Please contact:



SOC2 Type II

SOC 2 (System and Organization Controls)

SOC 2 provides evidence-based, third-party assurance of an organization's information security controls against the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Sophos has been evaluated against the Security, Availability, Confidentiality, and Privacy criteria. A Type II report covers the operating effectiveness of those controls over a review period, rather than their design at a single point in time as in a Type I report.



ISO 27001:2022

ISO 27001:2022 is the internationally recognized standard for information security management systems (ISMS). Certification provides assurance to customers that an organization has integrated information security, data privacy, and continual improvement into its day-to-day operations, and that an accredited body has verified this.

The Sophos ISO 27001:2022 certificate is available here.



Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of requirements that assures customers that an organization can securely process, store, and transmit cardholder data. We are pleased to share that Sophos Managed Detection and Response (MDR) has achieved PCI DSS version 4.0 compliance; the assessed scope is the Sophos MDR service.

PCI DSS 4.0 was published in March 2022 and is now in effect. This revised edition adds requirements intended to confirm that organizations have implemented stronger security measures and access controls. The previous version, PCI DSS 3.2.1, was retired at the end of March 2024, after which v4.0 is the only active version of the standard.




HIPAA Type 2

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is a US federal law rather than a certification scheme, so there is no official HIPAA certification. Instead, this assessment adds HIPAA-specific controls to the SOC 2 Type II examination and gives evidence-based, third-party assurance that health-related data is protected as defined by the HIPAA Security Rule and the HIPAA Privacy Rule.