Capabilities

We conduct and coordinate audits, certifications, and risk assessments to establish suitable policies, standards, processes, and procedures. This ensures the protection of personal, confidential, and technical data for colleagues, clients, and others, driven by legislation, contracts, and competitive advantage.

Certifications

International Standards Organization Standards and Certification

Many ISO standards are used and followed across Clarivate. Although our Information Security Management System (ISMS) design and practices are based on these standards, not every product or product team in our catalog has been independently audited and certified as fully aligned with all of them:

Clarivate PLC

Clarivate PLC has been independently certified with the following scope for ISO 27001; see also the Statement of Applicability.

The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting the systems, products and services provided by the Clarivate Intellectual Property Group (IPG), Life Sciences & Healthcare (LS&H) Group, and Academic and Government (A&G) Group, in accordance with the statement of applicability, version 1.60, dated November 27, 2023. The scope of the ISMS includes the Information Security (InfoSec), Technology (Corporate IT, Systems Engineering, Product Technology), and Product Management functions responsible for supporting the in-scope systems, products, and services and other functions necessary to support business unit operations including Human Resources, Facilities, Compliance, Privacy, and the TechOps Project Management Office. The services and products within scope of the ISMS are included on page 2 of the certificate.

Innovative Interfaces

Innovative Interfaces Inc. has been independently certified with the following scope for ISO 27001, ISO 27017 and ISO 27701; see also the Statement of Applicability.

The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting the corporate and customer infrastructure managed by Innovative Interfaces’ Information Technology Department, in accordance with the statement of applicability, version 1.4, dated October 4, 2022. The ISMS is aligned with the control set and implementation guidance of ISO/IEC 27017:2015 (ISO 27017) and includes the requirements of ISO/IEC 27701:2019 (ISO 27701) and Innovative Interfaces’ Privacy Information Management System (PIMS), in the role of a Processor.

Ex Libris Limited

Ex Libris Limited has been independently certified with the following scope for ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27032 and ISO 27701; see also the Statement of Applicability.

The Information Security Management System applies to the IT Operations Department in relation to development processes, cloud services, global support services, operation services, professional services, library management services, learning and research solutions, and all cloud-based services, according to the Statement of Applicability dated 1 May 2015.

AICPA SOC 2

AICPA Service Organization Control (SOC) reports are independent reports produced by certified organizations against the Trust Services Criteria, which are used to evaluate “the suitability of the design and operating effectiveness of controls relevant to the security, availability, processing integrity, confidentiality or privacy of information systems used to provide product or services”. These reports are intended for a limited audience with an adequate understanding of the system in question, not for public consumption. For that reason, we can only provide them to clients on request and under NDA.

SOC 2 Type I reports

These describe a service organization’s systems and whether the design of the specified controls meets the relevant trust principles. The latest independent audit reports have been attested for the following products:

  • Vega SaaS (Innovative Interfaces)
  • Integration Hub

SOC 2 Type II reports

These cover everything in a Type I report and additionally assess the operating effectiveness of the specified controls over a specified time period. The latest independent audit reports have been attested for the following products:

  • Cortellis
  • Derwent Innovation
  • Foundation IP
  • Memotech (AWS)
  • Memotech (Azure)

Future Additions

  • First To File
  • Integration Hub
  • Vega SaaS

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for handling credit cards from the major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended for small- to medium-sized merchants and service providers to assess their own PCI DSS compliance status. There are multiple types of SAQ, each of a different length depending on the entity type and the payment model used. Each SAQ question has a yes-or-no answer, and any “no” response requires the entity to indicate its plan for future implementation. An Attestation of Compliance (AOC) based on the SAQ is also completed.

SAQ Types

Type C-VT

  • Cortellis (Integrity)
  • Web of Science
  • DRG
  • Compumark (Serion)
  • CPA Global Renewals UK Limited
  • CPA Global Limited – Jersey
  • EndNote Corporate Finance

Type A

  • Alexander Street
  • Exlibris Leganto
  • Exlibris Alma
  • ProQuest ETD
  • ProQuest Oracle EBS

What is FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the US federal government. Service providers must show that their software and services meet the program’s requirements. FedRAMP certification is a mandatory requirement for doing business with US federal agencies. NIST 800-53 is the security standard that all US federal agencies must implement for IT software and services. FedRAMP allows agencies to leverage the same approved set of documentation and validation (the FedRAMP package) instead of each agency going through the process individually.

The Process Includes:

  • A rigorous and comprehensive security standard.
  • Ongoing process throughout the year (continuous monitoring).
  • Annual external verification (audit).
  • Monthly internal infrastructure vulnerability testing.
  • Monthly updates to the FedRAMP sponsor, regarding mitigation of vulnerabilities identified from ongoing testing.

Products Currently In Scope

  • Ex Libris Higher-Education Platform
  • Clarivate Design Vision/Trademark Vision

What is TX-RAMP

The Texas Risk and Authorization Management Program (TX-RAMP) is a Texas Department of Information Resources (DIR) program that reviews the security measures taken by cloud products and services that transmit data to Texas state agencies, institutions of higher education, and public community colleges. To be accepted, cloud providers must comply with an established DIR framework and maintain continuous compliance.

The certification applies only to service providers whose cloud solutions process customer data. Cloud computing services (IaaS, PaaS, SaaS), as defined at https://statutes.capitol.texas.gov/Docs/GV/htm/GV.2054.htm, are within scope for TX-RAMP certification.

Products Currently in Scope

  • Higher Education Platform (HEP) including Alma, Primo, Esploro, Leganto, Rialto and Rapido
  • campusM
  • EndNote
  • Pivot-RP
  • RefWorks
  • Web of Science

For more information, please see the TX-RAMP website (Texas Risk and Authorization Management Program (TX-RAMP) | Texas Department of Information Resources) and the list of certified cloud products (TX-RAMP Certified Cloud Products | Texas Department of Information Resources).