Certification and Attestation

ISO/IEC 27001:2022 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how Mimecast perpetually manages security in a holistic, comprehensive manner.

This international security standard specifies that Mimecast:

• Systematically examine our organisation's information security risks, taking account of the threats, vulnerabilities, and impacts
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
  Mimecast has certification for compliance with ISO-27001.  This certifications assessment is performed by independent third-party auditors and our compliance with this internationally recognised standard and code of practice is evidence of our commitment to information security at every level of our organisation, and that the Mimecast security program is in accordance with industry leading best practices.

What Mimecast regions are covered?
This certificate is applicable to all of the regions Mimecast operates in.

Can my organisation be certified by association?
No, your organisation is not automatically certified by association. However, if you are pursuing ISO-27001 certification then the Mimecast certification may make it easier for you to certify.

ISO/IEC 27701:2019 specifies requirements and guidelines to establish and continuously improve the Privacy Information Management System (PIMS), including processing of Personally Identifiable Information (PII). It is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management providing a set of additional controls and associated guidance intended to address public cloud PIMS and PII management requirements for both processers and controllers, not addressed by the existing ISO/IEC 27002 control set.

What does this certification mean to me, the customer?
Alignment to ISO-27701 demonstrates to customers that Mimecast has an effective Privacy Information Management System (PIMS) in place to support compliance to European General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), and other data privacy regulations. Mimecast's alignment with this standard, in addition to the independent third-party assessment of this internationally recognised code of practice, demonstrates our commitment to the privacy and protection of Customer Data and is designed to comply with international and local privacy legislations.

My company does not handle PII – should this certification matter to me?
Yes, Mimecast maintains the high level of data protection and privacy controls outlined in ISO-27701 for all customer data, regardless of whether data is PII.

How is this standard applied to the services offered?
This is applied as an extension of our ISO 27001:2013 standard for privacy management as a personally identifiable information (PII) processor.

ISO/IEC 22301:2019 is an internationally recognised standard for implementing and maintaining effective business continuity plans, systems and processes. It specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

What does this certification mean to me, the customer?
Mimecast's alignment with this standard demonstrates that our organisation is adhering to good practices in business continuity management.

What Mimecast regions are covered?
This certificate is applicable to all Mimecast hosting jurisdictions.

The Mimecast System and Organisation Controls (SOC) report is an independent third-party examination that demonstrates how Mimecast achieves key compliance controls and objectives. The purpose of the report is to help you and your auditors understand how Mimecast controls are established to support operations and compliance.

Mimecast offers a single SOC report:

• SOC 2 Type 2: Security, Availability, Confidentiality, Processing Integrity and Privacy

What is the report?
A description of the Mimecast controls environment and external audit of Mimecast controls that meet the AICPA Trust Services Security, Availability, Confidentiality and Privacy Principles and Criteria.
Under what Standard is the Audit Report Performed?
ISAE 3000 and SSAE No. 18  attestation standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements AICPA Guide, Reporting on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) TSP section 100A, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

What's the Primary Report Purpose?
To provide customers with an independent assessment of the Mimecast control environment relevant to system security, availability, confidentiality and privacy; in the latter case, establishes criteria for evaluating controls related to how personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

Who is the Primary Report Audience?
Customer Administrators with business need to understand the Mimecast controls environment.

What Period does the Report Cover?
Point in time covering the previous 12 month period.

Is a Non-Disclosure Agreement (NDA) required to receive a copy of the SOC 2 Type II report?
Yes, an NDA is required to receive this report.

The Cloud Security Alliance (CSA) describe themselves as a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

What does Mimecast offer in this space?
Mimecast participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) Self-Assessment (Level 1) to document our compliance with CSA-published best practices. This is published on the CSA Star website, found here https://cloudsecurityalliance.org/star-registrant/mimecast/.

HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires companies to secure and protect the privacy of protected health information (PHI), including in electronic format. PHI includes personally identifiable health and health-related data, including insurance and billing information, diagnosis data, clinical care data, and lab results such as images and test results. 

The HIPAA rules apply to covered entities, which include hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement to protect PHI also extends to business associates and their subcontractors.

What is a Business Associate Agreement?
Under the HIPAA regulations, cloud service providers (CSPs) such as Mimecast may be considered business associates . The Business Associate Addendum (BAA) is a contract that is required under HIPAA rules to ensure that Mimecast appropriately safeguards. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by Mimecast, based on the relationship between Mimecast and our customers, and the services provided by Mimecast.

Will Mimecast sign a Business Associate Agreement?
Yes. Mimecast has a standard Business Associate Agreement (BAA) we present to customers for signature. It takes into account the SaaS services Mimecast provide.

Is Mimecast HIPAA certified?
There is no HIPAA certification for a cloud service provider (CSP) such as Mimecast. In order to meet the HIPAA requirements applicable to our operating model, Mimecast aligns our HIPAA risk management program with StateRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule.

The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).

Protecting Australian Government data from access and unauthorized disclosure remains a prime consideration when procuring and leveraging cloud services. Mimecast recognises that customers rely upon the secure delivery of Mimecast services and the importance of having features that enable them to create secure environments. Mimecast enables customers to meet these objectives by prioritising security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features."

What IRAP documents are available?
Mimecast can provide customers with an Executive Summary Report as a result of an assessment conducted by a registered IRAP assessor.

Who are the IRAP assessors?
IRAP Assessors are ASD-certified ICT professionals from across Australia who have the necessary experience and qualifications in ICT, security assessment and risk management, and a detailed knowledge of Australian Government information security compliance requirements.

Mimecast has completed a Trusted Information Security Assessment Exchange (TISAX) assessment. This standard provides the European automotive industry a consistent, standardized approach to information security systems.

TISAX is a European automotive industry-standard information security assessment (ISA) catalogue based on key aspects of information security such as data protection and connection to third parties.

Who created the standard?
TISAX was developed by the Association of the German Automotive Industry (VDA) in partnership with an association of European automotive manufacturers, called the European Network Exchange (ENX).

What level of certification has Mimecast achieved?
To complete the TISAX assessment, Mimecast was successfully audited by an accredited independent assessor and was certified to level AL 3.