We comply with a wide range of international recognized security standards.
Proactive, risk-based controls protect the confidentiality, integrity, and availability of our customer and user data. We adhere to current and new industry standards by maintaining current certifications with key regulatory agencies.
Certifications and attestations
FedRAMP
US federal government-approved cloud provider marketplace
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP mandates a core set of processes to ensure effective, repeatable cloud security for cloud service offerings that hold federal government data. OCLC maintains a FedRAMP Li-SAAS authority to operate (ATO).
StateRAMP
US state and local government-approved cloud provider marketplace
The State Risk and Authorization Management Program (StateRAMP) is a United States state and local government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. StateRAMP mandates a core set of security standards based upon the National Institute of Standards and Technology (NIST) Special Publication 800-53 security and privacy controls for information systems and organizations. OCLC maintains an ‘Authorized’ security status and is a member of the StateRAMP Authorized Vendor List.
ISO/IEC 27001
Information security management standard ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. It mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. This certification helps OCLC comply with numerous regulatory and legal requirements that relate to the security of information.
ISO/IEC 27018
Personally Identifiable Information (PII) data protection standard ISO/IEC 27018 is an international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.
ISO/IEC 27701
Privacy Information Management System (PIMS) standard ISO/IEC 27701 is an international privacy framework for the protection of personally identifiable information (PII). The standard covers data protection requirements from data protection regulations such as the General Data Protection Regulation (GDPR).
SOC 2
Security, availability, processing integrity, and confidentiality standard
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). The purpose of this audit is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality.
Certification on file
Cloud Security Alliance
Cloud security and privacy standard
The CSA Security Trust Assurance and Risk program promotes the use of best practices for providing security assurance within cloud computing. OCLC participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) to document compliance with CSA-published security and privacy controls.
EU Cybersecurity Act
European cybersecurity standard
The EU Cybersecurity Act establishes a cybersecurity framework for digital products and services. The cybersecurity framework defines required security controls companies must follow when doing business in the EU. OCLC undergoes an annual ISO 27001 audit to demonstrate compliance with this regulation.
Certification on file
Italy AGID
Italian approved cloud provider marketplace
The Agenzia per l’Italia Digitale (AgID) coordinates the policies in the field of innovation and actively supports the spread of information and communication technologies in favor of Public Administration digitization and modernization. All of its guidelines and its actions are developed at national and European levels in a unitary and consistent perspective to federate the technological infrastructure, to ensure safety and reliability to the preservation and management of public data, and to provide integrated and shared high-quality services.
Certification on file
Spain Esquema Nacional de Seguridad (ENS)
Spain cybersecurity standard
The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre). This scheme is comprised of basic principles and minimum requirements necessary for the adequate protection of information.
Certification on file
United Kingdom Cyber Essentials
UK cybersecurity standard
Cyber Essentials is a UK government-backed scheme designed to help organizations assess and mitigate risks from common cyber security threats to their IT systems. The Cyber Essentials scheme is a cybersecurity standard that identifies security controls for an organization to have in place within its IT systems. The Cyber Essentials scheme is a requirement for all UK government suppliers handling any personal data.
All of these certifications are regularly assessed by third parties and/or independent auditors, and result in a certification, audit report, or confirmation of compliance. Compliance alignments and frameworks include published requirements for specific purposes.
Contact our security team
The confidentiality, integrity, and availability of information is of paramount importance as we protect the security and privacy of libraries and their users. We have dedicated security and privacy staff with backgrounds in libraries and higher education, as well as highly security-conscious industries such as financial services, government, and defense who would love to connect.