
Ping Identity Compliance & Certifications 2026
Ping holds SOC 2 Type 2, ISO 27001 and 22301, plus FedRAMP High and DoD IL5 through a partner boundary. Reports are NDA-gated; map scope to your products.
Ping Identity Compliance verdict
Ping Identity supports a serious enterprise-and-government compliance posture.
It holds SOC 2 Type 2 with controls validated externally each year, and an ISMS certified to ISO 27001:2022 with 27017 and 27018, verifiable in the Schellman directory. Alongside those sit ISO 22301 for business continuity, CSA STAR Level 2, plus HIPAA, HITECH and TISAX.
Ping brings independently validated certifications and a genuine federal pedigree, but read the scope carefully. The SOC 2 Type 2, ISO 27001 with 27017 and 27018, ISO 22301 and CSA STAR Level 2 cover the commercial platform and are verifiable in the Schellman and CSA registries. Pull the SOC 2 report and ISO 22301 certificate under NDA through the Support Portal. For federal work, the FedRAMP High and DoD IL5 authorization is real but reached through the partner-operated IAM Advantage boundary that includes Ping Government Identity Cloud. Confirm the contracting boundary and which Ping products are in scope. Map the ForgeRock-renamed products, such as PingAM and PingDS, to your licenses. Verify trust-zone isolation meets your residency needs, and treat registry entries as the index, not the proof.
- FedRAMP High and DoD IL5 are delivered via the partner-operated IAM Advantage boundary that lists Ping Government Identity Cloud, not a standalone Ping FedRAMP authorization.
- Certificates are independently verifiable in the Schellman directory and the CSA STAR registry, but the SOC 2 report and ISO 22301 certificate require a signed NDA.
- ForgeRock products were folded into Ping and renamed, such as PingAM, PingDS, PingGateway and Ping IDM, so confirm certificate scope against the products you license.
- SOC 2
- Type 2, annual 3rd-party
- ISO
- 27001:2022/27017/27018 + 22301
- Cloud
- CSA STAR Level 2
- Federal
- FedRAMP High + DoD IL5 (boundary)
- Isolation
- Per-tenant trust zones
This page covers Ping's compliance posture and evidence. Its general capabilities and deployment mechanics live on their own pages.
Ping Identity certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 2 Type 2 | Certified | Externally validated by an independent third party annually; report under NDA |
| ISO/IEC 27001:2022 / 27017 / 27018 | Certified | ISMS incl. cloud security and privacy; verifiable in the Schellman directory |
| ISO 22301:2019 | Certified | Business-continuity management system certificate (under NDA) |
| CSA STAR (Level 2) | Attested | Cloud Controls Matrix v4 attestation, on the CSA STAR registry |
| HIPAA / HITECH | Compliant | Advanced Identity Cloud meets HIPAA plus HITECH breach rules |
| TISAX | Assessed | German VDA automotive; ENX portal, scope ID SZZMC3 |
| FedRAMP High / DoD IL5 | Authorized | Gov Identity Cloud in the IAM Advantage boundary, NIST 800-53 Rev5 (regulator-listed) |
Compliance evidence to request from Ping Identity
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 report | Report | Support Portal, signed NDA |
| ISO 27001 certificate | Certificate | Schellman Certificate Directory, searchable |
| CSA STAR Level 2 attestation and CAIQ | Attestation | CSA STAR registry, public |
| ISO 22301 certificate | Certificate | Support Portal, signed NDA |
| FedRAMP authorization package | Package | FedRAMP Marketplace request form (boundary) |
What to verify before you rely on Ping Identity
- FedRAMP High and DoD IL5 are delivered through the partner-operated IAM Advantage boundary that lists Ping Government Identity Cloud among its services, not as a standalone Ping FedRAMP listing, so confirm the contracting boundary.
- The most sensitive evidence is gated: the SOC 2 report and ISO 22301 certificate require a signed NDA via the Support Portal.
- Product naming changed with the ForgeRock acquisition (PingAM, PingDS, PingGateway, Ping IDM were ForgeRock products), so map certificate scope to the product names you actually license.
- Confirm which deployment you are buying: the ISMS spans on-prem products and three cloud services, and the federal boundary is a separate Government Community Cloud.
Ping Identity Compliance FAQ
Is Ping Identity FedRAMP authorized?
Yes, for its government offering, through a partner boundary. Ping Government Identity Cloud is DoD IL5-certified and FedRAMP High authorized. The US FedRAMP Marketplace independently lists it among the authorized services of the IAM Advantage boundary. It sits at Class D, or High, on NIST 800-53 Rev5 in a Government Community Cloud, alongside PingFederate, PingDirectory and PingAccess. This is reached through the partner-operated boundary rather than a standalone Ping FedRAMP listing, so confirm the contracting boundary.
Which compliance certifications does Ping Identity hold?
SOC 2 Type 2, validated externally each year. ISO/IEC 27001:2022 with 27017 and 27018 in the certified ISMS. ISO 22301:2019 for business continuity. CSA STAR Level 2 against the Cloud Controls Matrix v4. HIPAA and HITECH for health data, plus TISAX for automotive information security. Federal use adds FedRAMP High and DoD IL5 through the IAM Advantage boundary.
How do I verify and obtain Ping's compliance evidence?
Independently, and under NDA. The ISO 27001 and ISO 22301 certificates are verifiable in the Schellman Certificate Directory, and the CSA STAR Level 2 attestation and CAIQ sit on the CSA STAR registry. The SOC 2 report and ISO 22301 certificate are downloadable to customers with a signed NDA on the Ping Identity Support Portal. TISAX results are available to active ENX participants under scope ID SZZMC3.
How does Ping isolate and protect customer data?
Through hard tenant isolation and encryption. PingOne Advanced Identity Cloud gives each customer a dedicated trust zone that shares no code, data or identities with other customers, which prevents commingling. All data is encrypted at rest and in transit. The certified ISMS spans every development office, every product across on-prem and the three cloud services, and the supporting infrastructure. Advanced Identity Cloud also complies with HIPAA and HITECH.
What should I verify before relying on Ping for compliance?
Confirm the federal authorization boundary, since FedRAMP High and DoD IL5 come through the partner-operated IAM Advantage boundary rather than a standalone Ping listing. Map the ForgeRock-renamed products, such as PingAM, PingDS, PingGateway and Ping IDM, to the certificate scope and your licenses. Pull the SOC 2 report and ISO 22301 certificate under NDA and check scope and validity dates. Then decide between the on-prem products, the commercial cloud and the Government Community Cloud.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Pingidentity Official | Official product page | July 10, 2026 |
| FedRAMP Marketplace | FedRAMP authorization status | July 10, 2026 |
| Pingidentity Developer docs | Product Information Security Compliance | July 10, 2026 |
| Pingidentity Ping Government Identity Cloud | Platform Ping Government Identity Cloud | July 10, 2026 |
Every fact on this Ping Identity page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore Ping Identity
Every page on Ping Identity in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
