Confidence Through Compliance

Zscaler has achieved the ISO 27001 certificate, following the ISO/IEC 27002: 2013 best practice, attesting that our services are based on internationally recognized best practices for information security management and comprehensive security controls.

Zscaler has achieved the ISO 27001 certificate, including the ISO 27701 extension, attesting that our services are based on internationally recognized best practices for both information security management and privacy information management systems.

ISO/IEC 27018:2014 is a code of practice that focuses on protection of personal data in the cloud. Based on ISO/IEC information security standard 27002, it provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud personally identifiable information (PII).

Zscaler has achieved the ISO 27017 certificate for addressing cloud-specific information security risks and threats referring to the controls from clauses 5-18 in the ISO/IEC 27002: 2013 and ISO/IEC 27001 standards. This certification attests that our services are based on internationally recognized best practices for both cloud service providers and cloud service customers.

The SOC 2, Type II report provides independent validation that our security controls are in accordance with the American Institute of Certified Public Accountants’ applicable Trust Services Principles and Criteria.

Zscaler System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how Zscaler achieves key compliance controls and objectives. The SOC 3 is a public report depicting internal controls over security, availability, processing integrity, and confidentiality. SSAE 18 / ISAE 3402 Type II.

Zscaler has achieved Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 2 Certification at the Gold level.

Zscaler is committed to handling our global customers' and partners' data in accordance with security and privacy best practices. We have created this assessment for informational purposes only to help organizations understand how we handle sensitive data with respect to Zscaler services and products.

The Deutsche Cyber-Sicherheitsorganisation (DCSO), the German cybersecurity competence center, was founded in 2015 by the Allianz, BASF, Bayer, and Volkswagen groups to combat organized cybercrime and industrial espionage. The DCSO wants to bring companies, authorities, and institutions together and create a space for trusted data exchange among them. The DCSO Cloud Vendor Assessment Service assesses the security level of cloud service providers.

The Trusted Information Security Assessment Exchange (TISAX®) enables mutual acceptance of information security assessments in the automotive industry and provides a common assessment and exchange mechanism, ensuring secure sharing of sensitive information to partner companies to inspire trust throughout the automotive supply chain. Zscaler has completed a TISAX assessment.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to individually identified health information that relates to an individual’s past, present, or future physical or mental health condition or any other identifying information that can be used to identify the individual. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. As stated by the U.S. Department of Health and Human Services, the HIPAA Privacy Rule establishes national standards for the protection of certain health information.

HITRUST has developed the HITRUST CSF, a certifiable framework that provides organizations with the needed structure, details and clarity relating to information protection.The assessment performed by an Authorized External Assessor to validate such information, and HITRUST's independent confirmation that the work was performed in accordance with the HITRUST® Assurance Program requirements, The Zscaler Zero Trust Platform, facilities, and supporting infrastructure of the Organization ("Scope") meet the HITRUST CSF® v11.2.0 Implemented, 1-year (i1) certification criteria.

Internal Revenue Service Publication 1075 (“IRS 1075”) sets standards for information security, guidelines, and agreements for protecting US government agencies and their agents that access federal tax information (FTI). While the IRS does not publish an official designation or certification for compliance with Pub 1075, Zscaler supports organizations to protect FTI managed on the Zscaler Platform by aligning our implementations of NIST 800-53 and FedRAMP security controls with the respective IRS Pub 1075 security requirements. Zscaler has worked closely with the IRS to ensure that our GovClouds (US) meet Pub 1075 requirements for storing and processing FTI.

Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) are both JAB-High authorized. What’s more, ZIA is currently the only Secure Access Service Edge (SASE) Trusted Internet Connections (TIC) 3.0 solution that has achieved FedRAMP’s highest authorization.

Government agencies such as the DoD can leverage our market-leading zero trust platforms to take on the user experience and cost challenges of securing cloud-based application access for remote and hybrid users.

Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) have maintained the FedRAMP Moderate level authorization since 2018, allowing federal agencies, DoD commands, and federal contractors to take full advantage of the Zscaler Zero Trust Exchange.

With ZIA and ZPA in hand, agencies can reap the benefits of zero trust security to reduce overhead, streamline operations, and lower costs.

Zscaler Private Access (ZPA) has achieved a Provisional Authorization to Operate (P-ATO) at Impact Level 5 (IL5), as published in the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG). This allows government agencies and their contractors to use the Zscaler Zero Trust Exchange platform for systems that manage their most sensitive Controlled Unclassified Information (CUI) as well as unclassified National Security Systems (NSSs). Zscaler Internet Access (ZIA) has achieved Authorization to Operate (ATO) at Impact level 2 (IL2). The DoD’s Defense Innovation Unit (DIU) has selected Zscaler to prototype ZPA and ZIA as secure access technologies.

Zscaler is compliant with the Federal Information Processing Standard (FIPS 140-2), meeting NIST requirements for cryptographic modules. View certificates #3154 for Zscaler Mobile Cryptographic Module, #3159 for Zscaler Crypto Module, and #3188 for Zscaler Java Crypto.

Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA) have been audited by a certified IRAP auditor. The report demonstrates that Zscaler complies with related Australian government standards.

The International Traffic in Arms Regulations (ITAR) report provides for its Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA) Government Cloud (“GovCloud”) platforms.

Zscaler maintains compliance with Criminal Justice Information Services, ensuring the protection of information as required by CJIS Security Policy.

In recognition and support of the “Electronic and Information Accessibility Standards” defined by Section 508 of the Rehabilitation Act, we publish accessibility self-assessments of Zscaler products using Voluntary Product Accessibility Templates (VPATs). Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and encourage the development of technologies that will help achieve these goals.

Zscaler completed the Trusted Internet Connection (TIC) 3.0 Overlay review with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). TIC is a federal cybersecurity initiative intended to enhance network and perimeter security across the federal government. The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.

National Institute of Standards and Technology (NIST) Special Publication 800-63C provides requirements to identity providers (IdPs) and relying parties (RPs) of federated identity systems. Federation allows a given IdP to provide authentication attributes and (optionally) subscriber attributes to a number of separately administered RPs through the use of assertions. Similarly, RPs may use more than one IdP.

The National Institute of Standards and Technology (NIST) 800-53 creates standards and guidelines pertaining to information security that are generally applicable to US Federal Information Systems. Zscaler adheres to the Nist 800-53 ensuring sufficient protection of confidentiality, integrity, and availability of information and information systems.

StateRAMP is a cybersecurity program that addresses the needs of procurement and security officials with state and local governments (SLGs) in the United States. Zscaler Internet Access (ZIA) Moderate Cloud has achieved the StateRAMP AUTHORIZED status demonstrating Zscaler’s commitment towards securing state and local government employees and data.

The Texas Risk and Authorization Management Program (TX-RAMP)provides a standardized approach for security assessment, continuous monitoring, and authorization of third-party vendors that process the data of a state agency or public higher education institution in the State of Texas (agencies). Zscaler has achieved the TX-RAMP Level-2 Authorisation that enables Zscaler to operate with confidential/regulated data in moderate or high-impact systems. 

Cloud Computing Compliance Controls Catalog (C5) is a German government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyberattacks when using cloud services within the context of the German government's Security Recommendations for Cloud Providers.

Zscaler is certified in the Spanish National Cryptologic Center (CCN) STIC Products and Services Catalog (CPSTIC). This accreditation indicates that Zscaler has successfully proven its ability to provide secure services to the Public Administration as well as strategically important companies and organizations in Spain. To achieve this qualification, Zscaler collaborated with an impartial third-party auditor to undergo the necessary evaluation and meet the required standards.

Zscaler has achieved the National Cyber Security Centre (NCSC) Cyber Security Essentials certification in the UK. The NCSC certification enables us to be a provider on the Commercial Crown Services contract supporting UK government agencies. The NCSC certification has been required for suppliers to UK government agencies that handle certain types of sensitive and personal information.

The ENS (Esquema Nacional de Seguridad) is a comprehensive framework of security controls and standards that service providers must implement to securely process data for Spanish public services, such as government agencies and public organizations. Zscaler has achieved the ENS High certification, the highest level of accreditation possible. This certification underscores Zscaler’s leadership in providing zero trust architecture and secure access solutions, ensuring that our cloud native platform meets the stringent security requirements necessary for protecting sensitive public sector data. By achieving this accreditation, Zscaler empowers Spanish public institutions to accelerate their digital transformation with confidence and security, reducing risk and enhancing resilience against cyberthreats.

Zscaler Internet Access for Japanese Government(ZIA-JG) and Zscaler Private Access for Japanese Government(ZPA-JG) are registered cloud services under Japan’s Information System Security Management and Assessment Program(ISMAP). These services have been audited by independent third parties to and accepted by the ISMAP program regulators to meet the security standards of the Japanese government. Evidence of ISMAP certification for Zscaler services can be found on the ISMAP cloud services list(available in Japanese only). For more information about ISMAP, please refer to the official ISMAP website.

The Zscaler Zero Trust Exchange platform has attained the highest level of certification(Level 3) under Singapore’s Multi-Tier Cloud Security(MTCS) standard(SS 584). This certification attests that the Zero Trust Exchange meets the security requirements of high-impact use cases by regulated organizations and government in Singapore, based on rigorous audits conducted by an independent MTCS certification body. Evidence of Zscaler's MTCS certification can be found on the certified cloud services list operated by Singapore's Infocomm Media Development Authority(IMDA), where the Zero Trust Exchange is listed as a certified SaaS. Further information about the MTCS scheme may be found on the same website.

The Payment Card Industry Data Security Standard (PCI DSS) exists to protect against credit card fraud, security threats, and vulnerabilities. PCI is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International, and Discover Financial Services.

The Australian Prudential Regulation Authority (APRA) is the primary financial regulator in Australia that describes its purpose as the prudential regulation of Australia’s financial institutions. APRA oversees banks, credit unions, building societies, general insurance and reinsurance companies, life insurance, private health insurance, friendly societies, and most members of the superannuation industry promoting the financial safety of institutions and the stability of the Australian financial system. This white paper outlines general information for financial institutions looking to use Zscaler services.

Zscaler is committed to acting ethically and with integrity in all our business relationships and to promoting a workplace and supply chain free from modern slavery and human trafficking, where workers are treated with respect and dignity.

Zscaler runs the world’s largest cloud security platform. The Zscaler cloud operations team strives to ensure the platform's resilience in the face of any natural or manmade disaster or other unplanned emergency.

Supervisory Statement 2/21 (SS 2/21 titled “Outsourcing and third party risk management” (2021) governs financial institutions from the United Kingdom’s activities for supplier management. The Prudential Regulation Authority (PRA) is a part of the Bank of England and is responsible for prudential regulation in the UK. As Zscaler is not a UK financial institution it does not fall directly under the prevue of SS 2/21. The purpose of the attestation report is to provide context for how Zscaler meets the relevant data security requirements within Chapter 7 of the standard.

We are committed to ensuring that our global customers and partners can meet compliance requirements of the People's Republic of China. For the licenses/certifications and the filings for Zscaler Clouds that our technology partners possess, please request it from your Zscaler contact/Account manager.

In March 2023, the Securities and Exchange Board of India (SEBI) published the Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs). The Framework provides Governance, Baseline Security, Legal and Regulatory requirements that regulated entities should adopt to effectively manage their cloud service providers. key risks, and mandatory control measures which REs need to put in place before adopting cloud computing. This whitepaper outlines the general information for RE's looking to use Zscaler service. Regulated Entities can utilize this information to assess the service risk in terms of compliance with security, privacy and business risk and understand how Zscaler meets the framework requirements.

The United Kingdom's Secure by Design Principles aim to increase the government’s cyber resilience and improve data sharing between organisations. The policy has been developed by the Central Digital and Data Office (CDDO) and a cross-goverment working group in collaboration with the Government Security Group, National Security Centre (NCSC) and industry experts. As a strategic priority included in the transforming for a digital future roadmap: 2022 to 2025 and the Government Cyber Security Strategy, Zscaler is committed to assisting customers in aligning with these principles. The United Kingdom Secure by Design Zscaler Capabilities & Internal Alignment white paper provides customers insight into how Zscaler products and services can be leveraged to meet these principles as well as how Zscaler aligns internally to these principles.

The Network and Information Systems Directive (NIS2) is an update to the original NIS Directive aimed at strengthening cybersecurity across critical sectors. NIS2 broadens the scope to include more sectors and entities, such as energy, transport, banking, and healthcare, while imposing stricter security and reporting requirements. The Zscaler white paper explores how the Zscaler Zero Trust Exchange™ platform—as well as specific capabilities and tools—can help meet these new challenges. Taking advantage of Zscaler services, organizations can enhance their security practices to support NIS 2 compliance, focusing on key areas such as risk management, incident detection, response, and governance.