Ping Identity compliance
★★★★★ 4.5 CE

Ping Identity Compliance & Certifications 2026

Ping holds SOC 2 Type 2, ISO 27001 and 22301, plus FedRAMP High and DoD IL5 through a partner boundary. Reports are NDA-gated; map scope to your products.

Ping Identity Compliance verdict

Verified today·4 sources checked

Ping Identity supports a serious enterprise-and-government compliance posture.

It holds SOC 2 Type 2 with controls validated externally each year, and an ISMS certified to ISO 27001:2022 with 27017 and 27018, verifiable in the Schellman directory. Alongside those sit ISO 22301 for business continuity, CSA STAR Level 2, plus HIPAA, HITECH and TISAX.

What it means for your security review

Ping brings independently validated certifications and a genuine federal pedigree, but read the scope carefully. The SOC 2 Type 2, ISO 27001 with 27017 and 27018, ISO 22301 and CSA STAR Level 2 cover the commercial platform and are verifiable in the Schellman and CSA registries. Pull the SOC 2 report and ISO 22301 certificate under NDA through the Support Portal. For federal work, the FedRAMP High and DoD IL5 authorization is real but reached through the partner-operated IAM Advantage boundary that includes Ping Government Identity Cloud. Confirm the contracting boundary and which Ping products are in scope. Map the ForgeRock-renamed products, such as PingAM and PingDS, to your licenses. Verify trust-zone isolation meets your residency needs, and treat registry entries as the index, not the proof.

Honest limits
  • FedRAMP High and DoD IL5 are delivered via the partner-operated IAM Advantage boundary that lists Ping Government Identity Cloud, not a standalone Ping FedRAMP authorization.
  • Certificates are independently verifiable in the Schellman directory and the CSA STAR registry, but the SOC 2 report and ISO 22301 certificate require a signed NDA.
  • ForgeRock products were folded into Ping and renamed, such as PingAM, PingDS, PingGateway and Ping IDM, so confirm certificate scope against the products you license.
SOC 2
Type 2, annual 3rd-party
ISO
27001:2022/27017/27018 + 22301
Cloud
CSA STAR Level 2
Federal
FedRAMP High + DoD IL5 (boundary)
Isolation
Per-tenant trust zones
View sources

This page covers Ping's compliance posture and evidence. Its general capabilities and deployment mechanics live on their own pages.

Ping Identity certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 2 Type 2CertifiedExternally validated by an independent third party annually; report under NDA
ISO/IEC 27001:2022 / 27017 / 27018CertifiedISMS incl. cloud security and privacy; verifiable in the Schellman directory
ISO 22301:2019CertifiedBusiness-continuity management system certificate (under NDA)
CSA STAR (Level 2)AttestedCloud Controls Matrix v4 attestation, on the CSA STAR registry
HIPAA / HITECHCompliantAdvanced Identity Cloud meets HIPAA plus HITECH breach rules
TISAXAssessedGerman VDA automotive; ENX portal, scope ID SZZMC3
FedRAMP High / DoD IL5AuthorizedGov Identity Cloud in the IAM Advantage boundary, NIST 800-53 Rev5 (regulator-listed)

Compliance evidence to request from Ping Identity

EvidenceTypeHow to get it
SOC 2 reportReportSupport Portal, signed NDA
ISO 27001 certificateCertificateSchellman Certificate Directory, searchable
CSA STAR Level 2 attestation and CAIQAttestationCSA STAR registry, public
ISO 22301 certificateCertificateSupport Portal, signed NDA
FedRAMP authorization packagePackageFedRAMP Marketplace request form (boundary)

What to verify before you rely on Ping Identity

  • FedRAMP High and DoD IL5 are delivered through the partner-operated IAM Advantage boundary that lists Ping Government Identity Cloud among its services, not as a standalone Ping FedRAMP listing, so confirm the contracting boundary.
  • The most sensitive evidence is gated: the SOC 2 report and ISO 22301 certificate require a signed NDA via the Support Portal.
  • Product naming changed with the ForgeRock acquisition (PingAM, PingDS, PingGateway, Ping IDM were ForgeRock products), so map certificate scope to the product names you actually license.
  • Confirm which deployment you are buying: the ISMS spans on-prem products and three cloud services, and the federal boundary is a separate Government Community Cloud.

Ping Identity Compliance FAQ

Is Ping Identity FedRAMP authorized?

Yes, for its government offering, through a partner boundary. Ping Government Identity Cloud is DoD IL5-certified and FedRAMP High authorized. The US FedRAMP Marketplace independently lists it among the authorized services of the IAM Advantage boundary. It sits at Class D, or High, on NIST 800-53 Rev5 in a Government Community Cloud, alongside PingFederate, PingDirectory and PingAccess. This is reached through the partner-operated boundary rather than a standalone Ping FedRAMP listing, so confirm the contracting boundary.

Which compliance certifications does Ping Identity hold?

SOC 2 Type 2, validated externally each year. ISO/IEC 27001:2022 with 27017 and 27018 in the certified ISMS. ISO 22301:2019 for business continuity. CSA STAR Level 2 against the Cloud Controls Matrix v4. HIPAA and HITECH for health data, plus TISAX for automotive information security. Federal use adds FedRAMP High and DoD IL5 through the IAM Advantage boundary.

How do I verify and obtain Ping's compliance evidence?

Independently, and under NDA. The ISO 27001 and ISO 22301 certificates are verifiable in the Schellman Certificate Directory, and the CSA STAR Level 2 attestation and CAIQ sit on the CSA STAR registry. The SOC 2 report and ISO 22301 certificate are downloadable to customers with a signed NDA on the Ping Identity Support Portal. TISAX results are available to active ENX participants under scope ID SZZMC3.

How does Ping isolate and protect customer data?

Through hard tenant isolation and encryption. PingOne Advanced Identity Cloud gives each customer a dedicated trust zone that shares no code, data or identities with other customers, which prevents commingling. All data is encrypted at rest and in transit. The certified ISMS spans every development office, every product across on-prem and the three cloud services, and the supporting infrastructure. Advanced Identity Cloud also complies with HIPAA and HITECH.

What should I verify before relying on Ping for compliance?

Confirm the federal authorization boundary, since FedRAMP High and DoD IL5 come through the partner-operated IAM Advantage boundary rather than a standalone Ping listing. Map the ForgeRock-renamed products, such as PingAM, PingDS, PingGateway and Ping IDM, to the certificate scope and your licenses. Pull the SOC 2 report and ISO 22301 certificate under NDA and check scope and validity dates. Then decide between the on-prem products, the commercial cloud and the Government Community Cloud.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Pingidentity OfficialOfficial product pageJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026
Pingidentity Developer docsProduct Information Security ComplianceJuly 10, 2026
Pingidentity Ping Government Identity CloudPlatform Ping Government Identity CloudJuly 10, 2026

Every fact on this Ping Identity page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.