02 - Qualifying SN As A Vendor v2.5
Qualifying ServiceNow as a Vendor
Introduction

Earning and maintaining trust is essential to building successful partnerships. ServiceNow believes that it is important for customers to have complete confidence in our ability to prevent and mitigate security threats, protect the confidentiality, integrity, and availability of their data, and to help them comply with a growing number of global standards. We have made significant investments in technology, processes, and expertise to ensure that our cloud services meet the most stringent global standards for performance, scalability, security, privacy, and compliance.

The most effective way of demonstrating this to our customers is through the process of independent certification and accreditation. This document gives an overview of the different standards around the world that ServiceNow complies with, followed by a brief description of their value and context.

Why certification matters

Every year ServiceNow is rigorously audited by independent third-party companies and government bodies to prove that we comply with various global and regional standards governing information security. Each audit represents not just a ‘tick in the box’, but a significant commitment and ongoing effort; each one involves thousands of point-in-time and ongoing assessments covering every aspect of our information security program and efforts.

Our accreditors are experts in their respective fields with a deep understanding of the different global and regional laws and standards that must be complied with. They thoroughly assess ServiceNow’s processes and controls against these standards, verifying that they are met or exceeded at all times. We give them unfettered access and encourage them to fault us so that we may improve. When the audit reports are complete, we make them available to customers.

All of this means that customers can be confident that ServiceNow consistently demonstrates excellent security controls and practices. It reduces the need for customers to generate and assess large quantities of detailed questions on these topics, as multiple well-qualified, independent assessors regularly do this on their behalf.

GDPR

The General Data Protection Regulation (GDPR) is not listed below because GDPR is not a standard—it is a regulation, i.e. a law, and ServiceNow complies with the law in all jurisdictions in which it operates. ServiceNow has found the transition to GDPR compliance a relatively pain-free process. It is not yet possible to achieve certification against GDPR, but ServiceNow will consider that in future should it become possible.
© 2020 ServiceNow, Inc. All rights reserved. 2


Overview of certifications and attestations

Certification | Description | Industry | Geography
--- | --- | --- | ---
ISO/IEC 27001:2013 | Specifies information security management best practices and controls | All industries | International
ISO/IEC 27017:2015 | Implementation of cloud-specific information security controls | All industries | International
ISO/IEC 27018:2014 | Securing personally identifiable information (PII) in the cloud | All industries | International
SSAE 18 SOC 1 Type 2 Report | Protecting the confidentiality and privacy of information in the cloud that affects the financial reports of customers | All industries | International
SOC 2 Type 2 Report | Focuses on controls that are relevant to security, availability, processing integrity, confidentiality, or privacy | All industries | International
FedRAMP JAB High p-ATO | US government-wide program that provides a standardized approach for assessing, monitoring, and authorizing cloud computing products and services | US Federal Government | United States Federal
DoD Impact Level 4 | US government baseline for security requirements for cloud service providers that host DoD/IC information | US Department of Defense/Intelligence Community | United States Federal
Multi-Tier Cloud Security Standard for Singapore (MTCS) Level 3 | Certifies the adoption of sound risk management and security practices for cloud companies | All industries | Singapore
ASD IRAP Certified Cloud Service | Helps Australian government agencies effectively engage and consume cloud-based solutions | Australian Federal Government | Australia
Cloud Computing Compliance Controls Catalog (C5) Standard | Cloud-specific compliance controls catalog developed by the German Federal Office for Information Security (BSI) | All industries | Germany


ISO/IEC 27001:2013

The ISO/IEC 27001:2013 certification specifies security management best practices and controls based on the ISO/IEC 27002 best practice guide. It ensures that our information security management system (ISMS) is fine-tuned to keep pace with changes to security threats, essential in the fast-paced world of IT security.

Re-certification is obtained by audit every three years, inclusive of an annual surveillance audit, in order to prove that ServiceNow:

1. Has designed and implemented a comprehensive ISMS.
2. Has adopted a continuous risk management process to ensure that the appropriate information security controls are in place to meet an evolving threat landscape and risks.
3. Systematically evaluates information security risks appropriately, taking into account several factors, including the impact of company threats and vulnerabilities.

ServiceNow has been an ISO/IEC 27001 certified organization since 2012 and the certificate is available here.

ISO/IEC 27017:2015

The ISO/IEC 27017:2015 standard is concerned with the implementation of the cloud-specific information security controls specified in ISO/IEC 27002.

The certification is gained by an annual independent audit and ServiceNow has been an ISO/IEC 27017:2015 certified organization since 2018.

ISO/IEC 27018:2014

ISO/IEC 27018:2014 is a code of practice based on ISO/IEC 27002 and is concerned with the protection of personally identifiable information (PII) in public clouds in accordance with the privacy principles in ISO/IEC 29100.

The certification is gained by annual independent audit and ServiceNow has been an ISO/IEC 27018:2014 certified organization since 2016.

SSAE 18 SOC 1 and SOC 2 reports

The Service Organization Control (SOC) framework is an attestation that ServiceNow meets the required standard regarding having controls in place to protect the confidentiality, integrity and availability of our customers’ data in the cloud.

• SOC 1 focuses on the effectiveness of internal controls that affect the financial reports of customers.
• SOC 2 evaluates controls that are relevant to availability, integrity, security, confidentiality, or privacy.

ServiceNow is audited annually by a third party and has maintained its SSAE 18 SOC 1 Type 2 attestation since 2011 (SSAE 18 superseded SSAE 16 in 2017). SSAE 18 is aligned with the international standard ISAE 3402 and replaced the now-deprecated SAS 70.

ServiceNow has also undertaken an annual SOC 2 Type 2 attestation since 2013, relevant to the security and availability controls listed in the AICPA Trust Services Criteria (TSC).

A SOC 1 Type 2 bridge letter is provided between audit periods so that the company is covered for the entire year. This bridge letter is available via ServiceNow CORE to ServiceNow customers at the end of every January.

FedRAMP JAB High authorization (for US government entities)

ServiceNow is honored to have achieved the U.S. Federal Risk and Authorization Management Program Joint Authorization Board p-ATO (FedRAMP JAB) at the High level. This enables us to accelerate the adoption of our secure cloud solutions by US federal agencies and provides a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA).

ServiceNow received its JAB High Provisional Authority to Operate (p-ATO) in 2019. The FedRAMP JAB High p-ATO also meets the requirements for DoD Impact Level 4.


DoD Impact Level 4 authorization (for US DoD/IC entities)

DoD Impact Level 4 authorization facilitates the procurement of ServiceNow products by the US Department of Defense (DoD) and Intelligence Community (IC). It sets out a baseline standard defined by the Defense Information Systems Agency (DISA) in the Security Requirements Guide (SRG) for cloud computing.

In 2019, ServiceNow obtained its DoD Impact Level 4 (IL-4) authorization. The IL-4 standard is based on FedRAMP High controls, as well as additional controls defined by DISA.

Multi-Tier Cloud Security Standard for Singapore (MTCS) Level 3

MTCS Level 3 is a certification that ensures that ServiceNow meets standards regarding the confidentiality and integrity of our customers’ data in the cloud for Singapore. It builds upon ISO/IEC 27001 and covers the sovereignty, retention, and availability of data, along with business continuity planning and disaster recovery. ServiceNow is proud to have achieved MTCS Level 3, the highest level of certification available.

ASD IRAP Certified Cloud Service

Being an ASD IRAP Certified Cloud Service enables ServiceNow to effectively engage with Australian government agencies in order for them to use the Now Platform®. This certification standard is set by the Australian Signals Directorate (ASD), which is an intelligence agency in the Australian government’s Department of Defense. ServiceNow is proud to have gained ASD Certification in 2017 and has been issued with an ASD Certification Letter and Certification Report accordingly.

Cloud Computing Compliance Controls Catalog (C5) Standard

C5 is a cloud-specific compliance controls catalog developed by the German Federal Office for Information Security (BSI) and leveraged in both the public and private sectors. The C5 Attestation Report follows a similar process and schema as AICPA SOC 2 reports, and has a high overlap of requirements with the AICPA Trust Services Criteria, with the addition of specific cloud-focused requirements. ServiceNow received its C5 Attestation Report in 2020.

Summary

ServiceNow holds itself to extremely high security standards and we aim to be transparent about our efforts and our achievements. The best way to achieve this transparency is by inviting continuous assessment against multiple robust international and regional standards, to ensure that our customers’ data is in safe hands.