The International Organization for Standardization (ISO) is a global, non-governmental body of experts who provide guidelines for consistently achieving universally recognized standards for approaching process management. Esri maintains compliance with two ISO certifications addressing security and privacy assurance:
- ISO/IEC 27001:2022 — Promotes a holistic approach to information security in regard to vetting people, policies, and technology.
- ISO/IEC 20243:2018 — Addresses threats related to maliciously tainted and counterfeit products and services.
Esri in-scope Services
ArcGIS ISO Cloud
Esri's Information Security Management System (ISMS) was found to be in accordance with ISO 27001:2022 security controls. This includes both ArcGIS Online and ArcGIS Location Platform in the European Union (EU) regional hosting location. The ArcGIS ISO Cloud is the subset of the Esri Certified Services which are explicitly within the scope of Esri's certification. Additional services and regions will be covered by future ISO 27001 certification efforts.
- ArcGIS ISO Cloud Certificate (Public)
- ISO 27001 to FedRAMP Control Mapping (Public)
Esri completed a self-assessment for conformance with ISO/IEC 20243-1:2018 (O-TTPS) in April 2023. The standard is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and Commercial Off-The-Shelf (COTS) software products throughout the product life cycle. The ISO 20243 standard was subsequently updated in 2023. Instead of recertifying against the new version, Esri in 2024 incorporated the new NIST 800-53 Rev 5 Supply Chain requirements, which address cyber supply chain concerns more holistically.
- ArcGIS Online ISO 20243:2018 (Self-Attestation)
Cloud Service Providers
The ArcGIS ISO Cloud uses two cloud service providers, Amazon Web Services and Microsoft Azure, both of which are ISO certified.
- Microsoft Azure ISO Certificates (Free/Protected)
- Amazon Web Services ISO 27001 Certificate (Public)