The International Organization for Standardization (ISO) is a global, non-governmental body of experts who provide guidelines for consistently achieving universally recognized standards for approaching process management. Esri maintains compliance with two ISO certifications addressing security and privacy assurance:
- ISO/IEC 27001:2022 — Promotes a holistic approach to information security in regard to vetting people, policies, and technology.
- ISO/IEC 20243:2018 — Addresses threats related to maliciously tainted and counterfeit products and services.
Esri in-scope Services
ArcGIS ISO Cloud
Esri's Information Security Management System (ISMS) was found to be in accordance with ISO 27001:2022 security controls. This includes both ArcGIS Online and ArcGIS Location Platform in the European Union (EU) regional hosting location. The ArcGIS ISO Cloud is the subset of the Esri Certified Services which are explicitly within the scope of Esri's certification. Additional services and regions will be covered by future ISO 27001 certification efforts.
- ArcGIS ISO Cloud Certificate (Public)
- ISO 27001 to FedRAMP Control Mapping (Public)
Esri completed a self-assessment for conformance with ISO/IEC 20243-1:2018 (O-TTPS) in April 2023. The standard is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and Commercial Off-The-Shelf Software (COTS) products throughout the product life cycle. The ISO 20243 standard was subsequently updated in 2023. Instead of recertifying against the new version, in 2024 Esri incorporated the new NIST 800-53 Rev 5 Supply Chain requirements that address cyber supply chain concerns more holistically. Esri's ISO 27001 certification attests that Esri operates an Information Security Management System (ISMS) conforming to ISO 27001:2022 controls for preserving the confidentiality, integrity, and availability of in-scope platforms/services/apps used to process, transmit, and store customer assets and/or PII for the EU-based offerings.
- ArcGIS Online ISO 20243:2018 (Self-Attestation)
Note:
While regional hosting includes APAC, Esri's ISO 27001 certification for ArcGIS ISO Cloud currently applies to in-scope services in the European regional hosting location and does not extend to APAC. Esri is actively working to expand ISO 27001 certification coverage to include APAC. AWS and Microsoft Azure maintain ISO 27001 certifications for in-scope cloud services, which support underlying infrastructure assurance but do not extend Esri's ISO scope.
NIS2 Directive Support
NIS2 (Directive (EU) 2022/2555) requires cybersecurity risk-management measures and governance and encourages use of recognized standards. Esri's ISO 27001 certification for ArcGIS ISO Cloud can support customer NIS2 due diligence by providing independent evidence of a certified ISMS, documented controls with ongoing oversight, and alignment to many Article 21 measure areas.
Customers remain responsible for confirming scope fit and meeting any sector-specific and national requirements.
Cloud Service Providers
The ArcGIS ISO Cloud uses two ISO-certified cloud service providers, Amazon Web Services and Microsoft Azure.
- Microsoft Azure ISO Certificates (Free/Protected)
- Amazon Web Services ISO 27001 Certificate (Public)