Sophos engages independent external auditors to assess and report on our security controls across multiple areas of our organization.

Sophos has achieved the following external certifications:

The SOC reports are available for interested parties once an NDA has been signed. Please contact:


SOC Logo

SOC2 Type II

SOC 2 (System and Organization Controls)

Gives evidence-based third-party assurance of information security split over five Trust Services Criteria evaluated using Common Criteria split into seven areas:

  1. Security
  2. Availability
  3. Processing integrity
  4. Confidentiality
  5. Privacy

Evaluated using Common Criteria covering the following areas:

  • Organization and Management
  • Communications
  • Risk Management
  • Monitoring of Controls
  • Logical and Physical Access Controls
  • System Operations
  • Change Management



HIPAA Type 2

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Assesses additional controls beyond SOC2 Type II and gives evidence-based third-party assurance of compliance with the HIPAA act to ensure Health related data is protected as defined by the HIPAA Security Rule and the HIPAA Privacy Rule.



Payment Card Industry Data Security Standard (PCI DSS)

Focused on protecting cardholder data by meeting six Core Goals achieved by implementing 12 requirements.

Goal 1 - Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2 - Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Goal 3 - Maintain a Vulnerability Management Program

  1. Use and regularly update antivirus software or programs
  2. Develop and maintain secure systems and applications

Goal 4 - Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data

Goal 5 - Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Goal 6 - Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for employees and contractors