Certifications, Attestations & Assessments

"Trust is the foundation of our business, and security and data protection are built into everything we do. Mimecast holds itself to the highest security and privacy standard and has implemented security and data protection measures that span across the technology, operations, and legal aspects of protecting customer data. Certifications and audit reports are consistently undertaken and maintained to provide transparency and communicate internal controls to our customers and partners." - Elizabeth Ruhl CISSP, CIPM, SABSA SCF, Mimecast Director of GRC & Corporate Compliance Officer

ISO 27001

ISO 27001 Certification

ISO/IEC 27001 is the internationally recognized, best-known standard specifying requirements for an information security management system (ISMS). ISO 27001 certification gives an organization a globally recognized way to certify that its information security and data protection practices safeguard both client and company data against potential threats. By integrating a robust information security management system, an organization can ensure that its quality, safety, service and product reliability are safeguarded to the highest level.

Reference: http://certificationeurope.com/wp-content/uploads/2015/09/Certification-Europe-ISO-27001-Info-Sheet1.pdf

ISO 27018

ISO 27018 Certification

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

Reference: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498


SOC 2 Attestation Report

These reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. These reports are performed using the AICPA Guide: Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. Mimecast North America’s SOC 2 Type 1 Report is available on request to prospects that sign the appropriate NDA and to existing customers under their service agreement confidentiality.

Reference: http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/aicpasoc2report.aspx


HIPAA/HITECH Compliance Assessment Report

The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). The HIPAA Privacy, Security, and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule in 2013, set forth how certain entities, including most health care providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health Act (HITECH) directly regulates business associates and directly imposes on them the same privacy and security obligations required of covered entities. Mimecast’s HIPAA/HITECH Security Compliance Assessment Report is available on request to prospects that sign the appropriate NDA and to existing customers under their service agreement confidentiality.

Reference: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Shared Assessment

Standardized Information Gathering (SIG) Assessment Report

The Standardized Information Gathering (“SIG”) questionnaire contains a robust, yet easy-to-use set of questions to gather and assess information technology, operating and security risks (and their corresponding controls) in an information technology environment. The SIG questions are based on referenced industry standards and guidelines (including, but not limited to, FFIEC, OCC, ISO, NIST, COBIT and PCI) and, in addition to assessing a third party’s environment, can be used by a company to self-assess its own control environment. The SIG is in an Excel format, which should be familiar to most users. Mimecast’s completed SIG Questionnaire Report is available on request to prospects that sign the appropriate NDA and to existing customers under their service agreement confidentiality.

Reference: https://sharedassessments.org/about/

CSA STAR

Cloud Security Alliance (CSA) STAR Assessment Report

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses the key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring also available as of late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.

Reference: https://cloudsecurityalliance.org/star-registrant/mimecast/

Mimecast GRC Mailbox

Mimecast partners with customers to help them address a wide range of international, country and industry-specific regulatory requirements. By providing customers with independently certified and audited cloud services, Mimecast makes it easier for customers to achieve compliance for their infrastructure and applications. Mimecast provides customers with detailed information about security and compliance programs, including security packages, to help customers assess our services against their own legal and regulatory requirements.

Don’t hesitate to send questions regarding this page to Mimecast’s GRC mailbox (GRC@mimecast.com).