Explore our comprehensive documentation outlining Palo Alto Networks' adherence to global security standards


ISO 27000 series

The ISO 27000 series, consisting of ISO 27001, ISO 27017, ISO 27018, and ISO 27701, provides a robust framework for implementing and managing information security systems, cloud security, data privacy in the cloud, and privacy information management systems. Developed by the International Organization for Standardization (ISO), these standards are universally accepted and applicable across all geographies and types of organizations.

SOC 2+

Service Organization Control 2 is an industry-leading reporting standard, defined by the American Institute of Certified Public Accountants (AICPA), that is both easily understood and trusted by customers and their third-party auditors. A SOC 2 report reflects the controls of a services organization’s cloud offering relevant to its main pillars: security, availability, processing integrity, confidentiality, and/or privacy. This globally applicable compliance framework is applicable to all organizations that store customer data in the cloud.


The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized set of policies and procedures intended to optimize the security of credit card transactions. PCI applies to all organizations, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. The framework aims to protect sensitive cardholder information during transactions and prevent credit card fraud. Depending on the number of transactions per year a vendor handles, a formal third party audit may be necessary. If a formal audit is unnecessary, the other way a vendor may prove compliance is through a Self Assessment Questionnaire (SAQ). There are varying SAQs depending on the business environment of the vendor.

Germany C5

C5, also known as Cloud Computing Compliance Controls Catalog (C5), is a German Government-backed cybersecurity compliance framework issued by Germany's Federal Office for Information Security (BSI). It specifically targets providers of cloud services, whether located in Germany or elsewhere, who intend to work with German public sector clients. C5 is also applicable to German organizations that do business in the German public sector as well. C5 establishes a baseline of security controls which cloud service providers must comply with to ensure a high level of data security and resilience for German cloud organizations.


The Trusted Information Security Assessment Exchange (TISAX) is a European automotive industry-standard information security assessment (ISA) catalog based on key aspects of information security such as data protection and connection to third parties.Though TISAX is based on ISO 27001, it has been specifically designed for the automotive industry and covers both on prem and cloud services. TISAX is a standard for information security defined by the German Association of the Automotive Industry (VDA). The VDA created the set of security requirements in the Information Security Assessment (ISA) catalog which serves as the basis for the TISAX certification.


The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal Government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. This framework is applicable to cloud service providers intending to sell their solutions to U.S. Federal agencies. The goal of FedRAMP is to ensure effective, repeatable cloud security for the Federal Government. It has a rigorous application process and criteria for cloud service providers to meet, ranging from the development of thorough security documentation to implementing robust security controls, testing their effectiveness, and conducting ongoing monitoring to ensure continuous security.


StateRAMP brings SLED customers together to develop standards for cloud security, educate on best practices, and recognize a common method for verifying the cloud security of service providers.


The Information Security Registered Assessors Program ( IRAP) is an Australian Signals Directorate (ASD) initiative to provide high quality information and communications technology (ICT) security assessment services to government and industry. ASD, through IRAP, endorses suitably qualified and experienced cybersecurity professionals to provide in-depth audits - which aim to improve the security of broader Industry and Government information and associated systems. The IRAP provides a comprehensive process for the independent assessment of a system's security against Australian Government policies and guidelines including, but not limited to, the Information Security Manual (ISM). The IRAP aims to improve the security of Australian Government systems by focusing on the ICT infrastructure that stores, processes, and communicates Federal, State, and local Government data.


The Information System Security Management and Assessment Program (ISMAP) is a Japanese public sector evaluation scheme which provides CSPs a common set of security measures to comply with in order to be able to participate in the Japanese government’s cloud service procurement program. ISMAP requires CSPs to undergo a stringent third party audit with an ISMAP-approved assessor.

Common Criteria

Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO-IEC 15408) for evaluating IT products and systems. This certification framework provides assurance that the process of specification, implementation, and evaluation of security measures has been conducted in a rigorous, standardized, and repeatable manner. The National Information Assurance Partnership (NIAP) serves as the U.S. representative to the Common Criteria Recognition Arrangement (CCRA), which is composed of over 30 member nations.

FIPS 140-2

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. Government standard that defines the security requirements for cryptographic modules protecting sensitive information. This cryptographic module standard applies to systems sold to the U.S. Federal Government and certain regulated industries (such as healthcare and finance) that handle sensitive information. FIPS 140-2 has four levels of security, with level 1 containing the lowest level of security assurance and level 4 being the highest. FIPS 140-2 compliance is recognized around the world as the benchmark for cryptographic module security in both public sector and industries outside of the public sector.

Telecom Security Act Code of Practice

The Telecom Security Act Code of Practice is a compliance framework developed by the UK government to strengthen the security of the UK's telecoms networks and services. This legislation applies to all public electronic communications networks and services in the UK. The code of practice sets out security requirements that telecom operators and their service providers must meet.

NCSC Cloud Security Principles

The National Cyber Security Centre (NCSC) Cloud Security Principles are a set of 14 principles designed to aid in the secure use of cloud services. They are applicable to all organizations within the UK looking to adopt cloud services. The principles cover a broad range of cloud security aspects including data protection, identity and access control, secure usage, and operational security.

Cyber Essentials Plus

Cyber Essentials Plus is a UK government-backed, industry-supported scheme to help organizations protect themselves against common online threats. This framework is applicable to all organizations, of any size, in any sector, operating in the UK. It tests five key controls: secure configuration, boundary firewalls and internet gateways, access control and administrative privilege management, patch management, and malware protection. If a vendor wants to sell into the UK public sector and bid for central government contracts, a Cyber Essentials certification is required. This certification assures that essential precautions against cyber threats are in place, which include firewalls, secure configuration, user access control, malware protection, and patch management. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials Plus is more rigorous as it requires vulnerability tests to be performed as part of the certification.

ANSSI CSPN Top-Level Certification

The Top Level Certification from ANSSI (National Agency for Information Systems Security) is a French Government certification for information security products. The certification is recognized by the French administration and operators of vital importance. It is applicable to products and systems that are being sold in France and is aimed at demonstrating a high degree of security assurance.


The Department of Defense Information Network Approved Products List (DODIN APL) is a U.S. military compliance framework. It includes a list of products that have completed cybersecurity and interoperability requirements. This framework applies to vendors intending to sell information technology products to the U.S. Department of Defense.


The Commercial Solutions for Classified (CSfC) Program has been established by the U.S. National Security Agency (NSA). It enables organizations to transmit classified information using commercially available technology, including mobile and cloud systems. The program is primarily for U.S. Government departments and contractors who handle classified information.


The U.S. Government IPv6 (USGv6) is a technical standards profile for IPv6 for the procurement and deployment of IPv6-capable products and services within the U.S. Federal Government. This profile includes technical standards, testing, and purchasing requirements to enable and expedite the deployment of IPv6 in the Federal Government's infrastructure and services.. This framework aims to advance the adoption of IPv6 in government systems and ensure its successful integration.


The Network Equipment Building System (NEBS) is a set of safety, spatial, and environmental design guidelines applied to telecommunications equipment to ensure reliability and compatibility within carrier networks. There are 3 levels of NEBS compliance, with level 1 being the lowest level of assurance and level 3 being the highest.

US Cloud Act

The US Cloud Act, or the Clarifying Lawful Overseas Use of Data Act, is a law enacted in the United States that grants the government the authority to access electronic data held by US-based technology companies, even if that data is stored on servers located outside of the United States. Essentially, it allows US law enforcement agencies to compel companies to provide data stored in their systems, regardless of where the data is physically located, which has implications for privacy and data protection on a global scale.

U.S Sec 508 VPAT

The US Section 508 Voluntary Product Accessibility Template (VPAT) is a document that outlines how the ICT products (software, hardware, electronic content) complies with the US Section 508 standards. Section 508 is a Federal law mandating compliance with accessibility requirements for people with disabilities