GitHub continues to invest in security, privacy, and compliance as part of our ongoing effort to be the most trusted home for all developers. As a result of that investment, GitHub’s Information Security and Privacy Management System (ISPMS) was assessed against the ISO/IEC 27701:2019 (PII Processor) and ISO/IEC 27018:2019 standards. GitHub simultaneously completed the necessary third-party assessment to achieve the Level 2 STAR Certification in CSA’s STAR Registry. These accomplishments were built upon the foundation of GitHub’s ISO/IEC 27001:2013 compliance announced last year.
An ISPMS is a comprehensive framework designed to safeguard information’s confidentiality, integrity, availability, and privacy. The core emphasis here is on privacy. It demonstrates our commitment to preserving personal information and ensuring its appropriate use within our organization.
The ISPMS applies to several areas:
- GitHub.com: Fully-integrated platform for developers to write and collaborate on code.
- GitHub Enterprise Cloud (GHEC): Cloud-hosted solution that enables organizations and teams to safely store and manage their code.
- GitHub Advanced Security (GHAS): An application security testing solution that is natively embedded in the developer workflow. Automated security checks are run with every pull request, surfacing issues in the context of the development workflow so vulnerabilities are fixed in minutes, not months.
- GitHub Actions: Continuous integration and continuous delivery (CI/CD) platform that allows developers to automate their build, test, and deployment pipeline.
Within these areas, the ISPMS also covers various features, including:
- Pull Requests: A method for developers to notify team members of changes they’ve made to a project.
- Issues: A system for tracking bugs or tasks within a project.
- Wikis: A space for documenting information about your projects.
- Pages: A feature to host a website about your project directly from your repository.
- Packages: A way to distribute software within your team or to the public.
The ISO/IEC 27701:2019 (PII Processor) standard is an extension to the ISO 27001 and ISO 27002 standards and focuses explicitly on privacy information management. The certification means that we have implemented robust measures for the protection of personally identifiable information (PII) within our data processing systems.
ISO/IEC 27018:2019 is another privacy-specific standard, targeting the protection of personal information in the cloud. It is based on ISO/IEC 27002, the information security controls standard, and contains implementation guidance on the ISO/IEC 27002 controls applicable to PII in public cloud environments. This certification further emphasizes our dedication to maintaining strong privacy standards in the cloud computing environment.
The STAR certification leverages the ISO/IEC 27001 standard’s requirements as a baseline and builds upon it with additional requirements from the Cloud Controls Matrix (CCM). The certification requires a rigorous third-party assessment following normal ISO/IEC 27001 protocol and expires after three years.
GitHub’s certifications are now available for enterprise owners and organization owners to download. Instructions to download the certifications are documented here (enterprise) and here (organization). The certifications are generally available here under “ISO/IEC 27701:2019 (PII Processor), ISO/IEC 27018:2019, and CSA STAR Level 2.” Validation of GitHub’s CSA STAR certification is also reflected on GitHub’s CSA STAR Registry entry.
The ISO 27018, ISO 27701 (PII Processor), and CSA STAR Level 2 certifications are exciting milestones that demonstrate our continued investment in security processes, risk management, and operational maturity at GitHub. They are the latest additions to GitHub’s compliance portfolio, preceded by SOC and ISAE reports, the FedRAMP Tailored LiSaaS ATO, ISO 27001, and the Cloud Security Alliance CAIQ.
As we strive to remain the trusted platform for developers and your data, we understand the importance of evolving our privacy and security measures. These new ISO certifications are not just accreditations; they represent our unwavering commitment to privacy and security. They are proof that GitHub will continue to evolve to meet international standards for data protection and respect the deeply personal nature of privacy.
In addition to announcing these new certifications, we are happy to announce that GitHub is beginning the process to participate in the Trusted Information Security Assessment Exchange (TISAX), currently in the audit provider selection stage. TISAX is administered by the ENX Association on behalf of the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA). Participating in the TISAX program will be a deliberate step for GitHub to better serve more of our enterprise customers in the automotive industry. The TISAX entry on the GitHub public roadmap will be published soon!