
Page 1: Zscaler, Inc. ... This certificate is subject to the satisfactory completion of annual surveillance audits by Schellman & Company, LLC 3. ISO/IEC 27001:2013 compliance audits are not

ZSCALER, INC.

SUMMARY REPORT ON ZSCALER CLOUD ISO 27001:2013 RE-CERTIFICATION ALONG

WITH THE ISO 27701:2019 SCOPE MODIFICATION

OCTOBER 27, 2020

Attestation and Compliance Services

Proprietary & Confidential. Reproduction or distribution in whole or in part without prior written consent is strictly prohibited.


STATEMENT OF CONFIDENTIALITY

The sole purpose of this document is to provide Zscaler, Inc. (Zscaler) a summary document (Report) detailing the supporting controls related to its ISO 27001:2013 recertification and ISO 27701:2019 scope expansion. At Zscaler’s discretion, it may distribute this Report to its customers. Each recipient of this report agrees that it shall not distribute or use the information contained herein and any other information regarding Zscaler for any purpose other than those stated. This document, and any other Zscaler related information provided, shall remain the sole property of Zscaler and may not be copied, reproduced, or distributed without the prior written consent of Zscaler.

APPLICABILITY

This document is supplemental to the ISO/IEC 27001:2013 recertification review and ISO 27701:2019 scope modification review performed by Schellman & Company, LLC (Schellman), the primary deliverables of which are the certificates. The information found in this report and the conclusions reached were dependent upon the complete and accurate disclosure of information by Zscaler. The information provided in this report is “AS IS” without warranties of any kind. Schellman expressly disclaims any warranties or representations, including implied warranties and fitness for a particular purpose.

INDEPENDENCE DISCLOSURE

Schellman assessed the Information Security Management System (ISMS) for Zscaler against the ISO/IEC 27001:2013 and ISO/IEC 27701:2019 requirements. Schellman does not hold any investment or control over Zscaler. During the course of the assessment, Schellman did not willfully and unnecessarily market services to achieve conformance to ISO/IEC 27001:2013. No Schellman service was recommended during the course of the engagement. Although Schellman is a licensed CPA firm, this Report does not require an examination in accordance with attestation standards established by the American Institute of Certified Public Accountants, and as such we did not perform the review in accordance with AICPA review or attestation standards. Schellman also performed the Type 2 System and Organization Controls (SOC) 2 examination for the Zscaler cloud platform concurrently with the re-certification assessment.

TABLE OF CONTENTS

SECTION 1 SUMMARY ............................................ 1

SECTION 2 OVERVIEW OF OPERATIONS ............. 3

SECTION 3 DESCRIPTION OF THE ISMS, PIMS, AND SUPPORTING CONTROLS ............. 10

SECTION 4 ISO 27001, 27018, AND 27701 CONTROLS IMPLEMENTED BY ZSCALER SUPPORTING THE ISMS ......................... 22

SECTION 1 SUMMARY

Schellman & Company, LLC
4010 W Boy Scout Blvd, Suite 600
Tampa, Florida 33607

Tel: 1.866.254.0000 Fax: 1.866.971.7070

Mr. Jay Chaudhry
CEO, Chairman and Founder
Zscaler, Inc.
120 Holger Way
San Jose, California 95134

October 27, 2020

Dear Mr. Chaudhry,

As you know, Zscaler was recently the subject of an ISO/IEC 27001:2013 recertification review and scope expansion to include the new ISO/IEC 27701:2019 framework. The recertification review was performed from March through April of 2020 and the scope expansion review in July through August of 2020. The purpose of the reviews was to assess the information security management system (ISMS) of Zscaler’s cloud services in accordance with the ISO/IEC 27001:2013 (ISO 27001) standard and aligned with the control set within ISO/IEC 27018:2019 Code of Practice for Protection of Personally Identifiable Information (PII) in public clouds acting as PII processors (ISO 27018). This year the scope of the certification was expanded to include the new ISO/IEC 27701:2019 (ISO 27701) Security techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management standard. Schellman performed the ISO 27001 recertification review and ISO 27701 scope modification to summarily review the documentation and maintenance, monitoring, and operating effectiveness of the ISMS in order to achieve multiple objectives. The recertification review included the following:

The ISMS maintenance elements which include the internal audit, measurement and monitoring, management review, and corrective action;

Communications from external parties as required by the ISMS standard ISO 27001 and other documents required for certification;

Changes to the documented system and areas subject to change;

Selected elements of ISO 27001, ISO 27018, and ISO 27701; and

Other selected areas as appropriate.

Upon completing our work, we concluded that the design of the ISMS and Privacy Information Management System (PIMS) for Zscaler cloud services maintained is conforming to the requirements of ISO 27001 and ISO 27701 when in the role of a processor. As such, Schellman has reissued Zscaler’s ISO 27001 certificate reflecting our findings and conclusions. Congratulations on this continued achievement. In particular, Zscaler is one of the first security-as-a-service providers to include ISO 27701 in the scope of their ISO 27001 certificate. As always, it is a pleasure working with your team and we look forward to continuing to work with you.

Sincerely,

Douglas W. Barbin
Principal and Cybersecurity Services Leader

SECTION 2 OVERVIEW OF OPERATIONS


OVERVIEW OF OPERATIONS

Company Background

Zscaler, Inc. (“Zscaler” or “the Company”) was incorporated in 2007, during the early stages of cloud adoption and mobility, based on a vision that the internet would become the new corporate network as the cloud becomes the new data center. Enterprise applications are rapidly moving to the cloud to achieve greater information technology (IT) agility, a faster pace of innovation, and lower costs. Organizations are increasingly relying on internet destinations for a range of business activities, adopting new external Software as a Service (SaaS) applications for critical business functions and moving their internally managed applications to the public cloud, or Infrastructure as a Service (IaaS). Enterprise users now expect to be able to seamlessly access applications and data, wherever they are hosted, from any device, anywhere in the world. Zscaler believes these trends are indicative of the broader digital transformation agenda, as businesses increasingly succeed or fail based on their IT outcomes. Zscaler believes that securing the on-premises corporate network to protect users and data is becoming increasingly irrelevant in a cloud and mobile-first world where organizations depend on the Internet, a network they do not control and cannot secure, to access critical applications that power their businesses. Zscaler pioneered a new approach to security that connects the right user to the right application, regardless of network. Zscaler’s Cloud Platform, which delivers security as a service, eliminates the need for traditional on-premises security appliances that are difficult to maintain and require compromises between security, cost, and user experience. Zscaler’s cloud platform incorporates the security functionality needed to enable users to safely utilize authorized applications and services based on an organization’s policies. Zscaler’s solution is a purpose-built, multi-tenant, distributed cloud security platform that secures access for users and devices to applications and services, regardless of location.

Description of Services Provided

The Zscaler Cloud Platform consists of Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), Zscaler Business to Business (ZB2B), Zscaler Digital Experience (ZDX), and Zscaler Shift (collectively referred to as the Zscaler Cloud Platform). Zscaler is a cloud-based information security platform, which is distributed across more than 100 data centers around the world, that helps organizations accelerate their IT transformation to the cloud. This enables the secure migration of applications from the corporate data center to the cloud and from a legacy “hub-and-spoke” network to a modern direct-to-cloud architecture. Zscaler’s approach applies policies set by an organization to securely connect the right user to the right application, regardless of the network. Unlike traditional “hub-and-spoke” architectures, where traffic is backhauled over dedicated wide area networks (WANs) to centralized gateways, Zscaler’s solution allows traffic to be routed locally and securely to the Internet over broadband and cellular connections.


Zscaler Cloud Platform

Zscaler’s purpose-built cloud security platform offers four principal services built natively in the cloud.

Secure Access to the Internet and Applications

Zscaler Internet Access

Zscaler’s ZIA solution securely connects users to externally managed applications, including SaaS applications and internet destinations, regardless of device, location, or network. Zscaler’s ZIA solution sits between users and the Internet and is designed to ensure malware does not reach the user and valuable corporate data does not leak out. Zscaler’s ZIA solution enforces access based on granular access control policies, inspects unencrypted and encrypted internet traffic inline for malware and advanced threats, and prevents data leakage.

Policies follow the user to provide identical protection on any device, regardless of location; any policy changes are enforced for users worldwide. Zscaler’s cloud security platform provides full inline content inspection of webpages to assess and correlate the risk of webpage objects, continuously discovering and blocking sophisticated threats.

Zscaler’s ZIA solution includes broad functionality, which Zscaler categorizes into three areas:

Access Control

The access control functionality of Zscaler’s ZIA solution enforces access and usage policies to externally managed applications, including SaaS application and internet destinations. This provides functionality that has traditionally been provided by stand-alone point products, such as:

Cloud Firewall: Zscaler’s cloud firewall was designed to protect users by inspecting internet traffic on ports and protocols, and it offers user level policies, application identification with deep packet inspection and intrusion prevention.

Uniform Resource Locator (URL) Filtering: Zscaler’s URL filtering capabilities enable customers to enforce acceptable usage policies and protect organizations from users visiting unauthorized websites or illegally downloading content that can increase liability and impact their brand.

Bandwidth Control: Zscaler’s bandwidth control and traffic shaping capabilities ensure that business critical applications are prioritized over non-business critical applications, improving productivity and user experience. By enforcing quality of service in the cloud, Zscaler’s platform can optimize “last-mile” utilization of a customer’s network, providing significant value.

Domain Name System (DNS) Filtering: Zscaler’s DNS filtering solution provides a local DNS resolver and enforces acceptable use policies.


Threat Prevention

Zscaler’s second area of functionality, threat prevention, protects users from threats using a range of approaches and techniques. Zscaler’s threat prevention capabilities provide multiple layers of protection to prevent cyberattacks. Zscaler provides functionality that has traditionally been offered by disparate, stand-alone products, which are summarily described below:

Advanced Threat Protection: Zscaler’s advanced protection solution delivers real-time protection from malicious internet content like browser exploits, scripts, zero-pixel iFrames, malware and botnet callbacks. Over 120,000 unique security updates are performed each day to the Zscaler cloud to keep users protected. Once Zscaler detects a new threat to a user, Zscaler blocks it for every user. Zscaler calls this the “cloud security effect.” Advanced threat protection features include:

Botnet Protection: protection against botnets that could be secretly installed on user devices to perform malicious tasks at the instruction of command and control servers.

Malicious Active Content Protection: protection against websites that attempt to download dangerous content to a user’s web browser.

Fraud Protection: protection against phishing sites that mimic legitimate sites, such as banking and e-commerce sites, in order to steal confidential information.

Cross-Site Scripting (XSS) Protection: protection against XSS, in which malicious code injected into websites is downloaded to a user’s web browser from compromised web servers.

Suspicious Destinations Protection: blocks requests to any country based on the ISO 3166 mapping of countries to their IP address space. Websites are blocked based on the location of the web server.

Unauthorized Communication Protection: protection against communications like internet relay chat (IRC) tunneling applications and “anonymizer” sites that are used to bypass firewall access and proxy security controls.

Peer-to-peer (P2P) Anonymizer Protection: blocks anonymizing applications such as Tor, an application that enables users to bypass policies controlling what websites they may visit or internet resources they may access.

Cloud Sandbox: Zscaler’s cloud sandbox enables enterprises to block zero-day exploits and advanced persistent threats (APTs), by analyzing unknown files for malicious behavior, and can scale to every user regardless of location. Zscaler’s sandbox was designed and built to be multi-tenant and allows customers to determine which traffic should be sent to the cloud sandbox. As an integrated cloud security platform, customers can set policies by users and destinations to prevent patient-zero scenarios by holding, detonating, and analyzing suspicious files in the sandbox before being sent to the user.

Anti-Virus: Zscaler’s anti-virus technology uses a signature database of files and objects on the Internet known to be unsafe and runs traffic through multiple anti-virus engines in a single pass.

DNS Security: Zscaler’s DNS security blocks access to known malicious sites, including command and control sites, and routes suspicious traffic to Zscaler’s threat detection engines for content inspection.

Data Protection

Zscaler’s third area of functionality, data protection, prevents unauthorized sharing or exfiltration of confidential information, reducing Zscaler’s customers’ business and compliance risk.

Data Loss Protection: Zscaler’s data loss protection enables enterprises to use standard or custom dictionaries using efficient pattern-matching algorithms to easily scale to users and traffic, including compressed or encrypted traffic, to prevent, monitor or block unauthorized or sensitive data exfiltration.

Cloud Application Control: Zscaler’s cloud application control allows enterprises to discover and granularly control user access to known and unknown cloud applications. By doing SSL interception at scale, Zscaler provides malware protection, data loss prevention and similar cloud access security broker (CASB) functions that can be performed inline for specific applications. In addition, customers can leverage API-based CASB for out-of-band controls for sanctioned applications. Business policies can be defined with granular access control for specified cloud applications, such as the ability to upload or download files or post comments or videos based on different user or group identity. Zscaler partners with specific CASB vendors to extend their policy controls and visibility of out-of-band cloud applications.

File Type Controls: Zscaler’s file type control allows policies to be defined that control which file types are allowed to be downloaded and uploaded based on application, user, location, and destination.

Zscaler Private Access

Zscaler’s ZPA solution offers authorized users secure and fast access to internally managed applications hosted in enterprise data centers or the public cloud. Zscaler’s ZPA solution’s architecture does not expose the identity or location of these applications and provides only the necessary levels of access. While traditional remote access solutions, such as Virtual Private Networks (VPNs), connect a user to the corporate network, Zscaler’s ZPA solution connects a specific user to a specific application, without bringing the user on the network, resulting in better security. Zscaler’s ZPA solution was designed around Zscaler’s key tenets that fundamentally change the way users access internal applications:

Connect users to applications without bringing users on the network;

Never expose applications to the Internet;

Segment access to applications without relying on traditional approach of network segmentation; and

Provide remote access over the Internet without VPNs.

Zscaler’s ZPA solution enforces a global policy engine that manages access to internally managed applications regardless of location. If access is granted to a user, Zscaler’s ZPA solution connects the user’s device only to the authorized application without exposing the identity or location of the application. Hence applications are not exposed to the Internet, further limiting threat exposure. This results in reduced cost and complexity, while offering better security and an improved user experience. ZPA functionality falls in three major areas:

Secure Application Access: Zscaler’s ZPA Solution delivers seamless connectivity to internally managed applications and assets whether they are in the cloud, enterprise data center, or both. Administrators can set global policies from a single console, enabling policy-driven access that is agnostic to the network the users are on. By creating seamless access to applications regardless of a user’s network, Zscaler’s ZPA solution subsumes the need for traditional remote access VPNs, SSL VPNs, reverse proxies, and other similar products.

Application Segmentation: This architecture provides capabilities that enable user and application level segmentation. As each user-to-application connection is segmented with micro-tunnels, each of which is a temporary session between a specific user and a specific application, lateral movement across the network is prevented, which significantly reduces security risk. Similar to CASB application discovery reports for internet applications, Zscaler’s ZPA solution provides granular discovery of internally managed applications to aid the creation of segmentation policies. Because Zscaler’s ZPA solution sits on the application layer and is name or domain-based, organizations can quickly and easily identify the internally-managed applications that are running and then easily provision policies. Micro-tunnels subsume the need for internal firewalls, which are required for protecting against lateral malware propagation from machine to machine, and traditional network access control functionality, since users are granted access only to applications for which they have permission and are not granted full access to the network.

Application Protection: Zscaler’s ZPA solution initiates and connects together outbound-only links between authenticated users and internally managed applications using micro-tunnels. Access is provided to users without bringing them onto the corporate network and without exposing applications to the Internet. Internally managed applications are not discoverable or identifiable. With no inbound connections and no public IP addresses, there is no inbound attack surface and therefore no threat of distributed denial of service (DDoS) attacks. With Zscaler’s approach, Zscaler subsumes the need for a next-generation firewall. Similarly, by completely removing the need for an exposed IP address or DNS to the Internet, Zscaler subsumes the functionality of DDoS mitigation systems.

Zscaler business-to-business (B2B) (ZB2B) is a cloud-delivered service that provides business customers with seamless, secure access to B2B applications. The service takes a zero-trust network access (ZTNA) approach that uses business policy to reduce the attack surface of applications, preventing them from being exposed to the internet. Only authenticated (supporting modern security assertion markup language (SAML)-based identity provider (IDP)) and authorized users can see or access the B2B applications. The service is hosted by Zscaler, which removes the need to spend time managing network appliances. This reduction in operating expense (OpEx) helps to accelerate cloud initiatives. The cloud service automatically connects business customers to apps via the fastest route by leveraging the Zscaler platform’s global cloud presence for higher availability, reliability, and scale.

Zscaler Digital Experience (ZDX)

The ZDX solution enables organizations to monitor their users’ digital experience. ZDX restores visibility across the complete user-to-cloud app experience and assists with issue isolation. By combining Zscaler’s endpoint agent with its global cloud footprint, users receive end-to-end visibility, regardless of network or connection. From device level performance problems to network, Internet, and cloud app issues, ZDX provides relevant information to monitor and streamline troubleshooting, increase productivity, and gain back control of users’ digital experience. Key features of the ZDX solution include:

Full-path visualization

Zscaler digital experience score

Efficient issue resolution

SaaS management model


Zscaler Shift

Zscaler’s Zscaler Shift solution provides carrier-grade security and compliance for guest networks and open public wi-fi access. Zscaler’s Shift solution offers multiple security features including content filtering, threat security, safe search, and SSL inspection. Additionally, Zscaler’s Shift solution intelligently routes suspicious traffic to the Zscaler Cloud Platform for full in-line content inspection. Zscaler's Advanced Threat Protection blocks malicious active content, such as browser exploits, vulnerable ActiveX controls, malicious JavaScript, and cross-site scripting. Security Features provided by Shift to implement an enterprise’s policies include the following:

Content Filtering

Threat Security

Safe Search

SSL Inspection

Whitelisting and Blacklisting URLs

Shift Administration

SECTION 3 DESCRIPTION OF THE ISMS, PIMS, AND SUPPORTING CONTROLS


INFORMATION SECURITY MANAGEMENT SYSTEM

Zscaler has developed and implemented a management system in conformance with the requirements of ISO 27001. The scope of the management system covers the ISMS supporting the Zscaler global cloud in the EMEA (Europe, Middle East and Africa), NA (North America), LATAM (Latin America) and APAC (Asia-Pacific) regions for its Security as a Service platform, including operations employees, and in accordance with the statement of applicability, version 5.0, dated March 2, 2020, and aligned with ISO 27018. The scope includes the corporate headquarters office facility located at 120 Holger Way, San Jose, California, 95134, United States. The ISMS was independently reviewed and certified by Schellman; the certificate was originally issued on June 26, 2014. The description below is a summary of the ISMS supporting the Zscaler global cloud platform.

Context of the Organization (Clause 4)

Understanding the Organization and its Context (Clause 4.1)

Zscaler has defined the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its ISMS within the context of the organization document. During the implementation of the ISMS program, the ISMS sponsors have identified and established objectives for achieving the intended outcomes of the ISMS by evaluating the overall business risks and the ways to mitigate those risks. The ISMS program implementation involved communicating the importance of information security management throughout the organization and clearly outlining and assigning roles and responsibilities to all employees who have an effect on the ISMS. Zscaler management has determined its interested parties to be the following:

Customers

Zscaler Global Cloud Operations team

Regulatory authorities

Stakeholders (executive management and ISMS team)

The ability for Zscaler to achieve successful outcomes depends on external and internal factors such as regulatory and contractual requirements and internal resources. In line with the requirements of interested parties, the key requirement is to protect the security, confidentiality, and availability of the Zscaler global cloud.

Understanding the Needs and Expectations of Interested Parties (Clause 4.2)

Zscaler has defined the interested parties relevant to the ISMS within the context of the organization document. The interested parties have been defined as Zscaler’s customers and the Zscaler operations team. The requirements of these interested parties are to protect the security and availability of the solution.

Determining the Scope of the ISMS (Clause 4.3)

The scope of the review was limited to the ISMS supporting the Zscaler global cloud in the EMEA, NA, LATAM, and APAC regions for its Security as a Service platform, including operations employees, and in accordance with the statement of applicability, version 5.0, dated March 2, 2020, and aligned with ISO 27018. The scope includes operations at the corporate headquarters office facility, located at 120 Holger Way, San Jose, California, 95134, United States.

In determining the scope of the ISMS, Zscaler has considered the internal and external issues relevant to its purpose, the interested parties and their requirements, and interfaces and dependencies between activities performed by Zscaler and other organizations. Zscaler has determined the focus of the ISMS is the protection and availability of customer data which is regulated through the Zscaler cloud operations team. The ISMS owner, the ISMS management committee, and the IT personnel supporting the ISMS are located in San Jose, California.


Information Security Management System (Clause 4.4)

Zscaler has established, implemented, maintained, and is in the process of continually improving the ISMS through the use of ISMS management reviews, internal audits, third-party audits, and awareness and effectiveness reviews.

Leadership, Organizational Structure, and Support (Clauses 5 and 7)

Leadership and Commitment (Clause 5.1), Policy (Clause 5.2), and Organizational Roles (Clause 5.3)

Zscaler management has assigned the responsibility of the ISMS to the executive vice president (EVP) of engineering and cloud operations. The EVP of engineering and cloud operations ensures that management has implemented procedures to meet the ISMS requirements and support the information security policy. The EVP of engineering and cloud operations is responsible for the successful implementation of the ISMS, and has delegated roles and responsibilities within the information security policy and is responsible for ensuring the ISMS as well as the information security policy continue to support the business strategies as they change over time.

Zscaler has put into place an information security policy to support the ISMS and to state the requirements for protecting customer and organization data. Zscaler’s objective of managing information security is to ensure that its core and supporting business operations continue to operate with minimal disruptions. The basic premise of the ISMS policy is to protect the confidentiality, integrity, and availability (CIA) of Zscaler’s information assets. The EVP of engineering and cloud operations is assigned the responsibility of reviewing and/or obtaining appropriate reviews of the information security policy on at least an annual basis. The information security policies and the ISMS are intended to be the vehicle for reducing information-related risks associated with the organization. The information security policy is provided to relevant interested parties (contractors, subcontractors, consultants, etc.) on an as needed basis.

Information Security Objectives and Planning to Achieve Them (Clause 6.2)

Zscaler’s information security objective is to protect the organization’s information assets from threats, whether internal or external, deliberate or accidental. It is the policy of Zscaler to ensure that:

Information should be made available with minimal disruption to staff and the public as required by the business process.

    - To ensure that information and vital services are available to users when and where they need them.

The integrity of this information will be maintained.

    - To safeguard the accuracy and completeness of information by protecting against unauthorized modification.

Confidentiality of information, including but not limited to research, third-party, personal, and electronic communications data, will be assured.

    - To protect valuable or sensitive information from unauthorized disclosure or unavoidable interruptions.

Information security objectives are communicated via ISMS documentation and awareness training. To aid in Zscaler’s achievement of information security objectives, internal audits and management reviews are to be performed on an annual basis. Management has identified the resources required to meet information security objectives.

Zscaler will continue to maintain its compliance posture related to its ISMS and other applicable standards to address current threats and information security risks.

Resources (Clause 7.1)

The EVP of engineering and cloud operations is responsible for the establishment, implementation, maintenance, and continual improvement of the ISMS. The EVP of engineering and cloud operations will work with asset owners and the management team to establish, implement, maintain, and continually improve the ISMS. This information, including improvement activities, is captured in management review meetings. Effectiveness measurements and internal and external audits are used to ensure security procedures are supporting the business requirements effectively.

Competence (Clause 7.2)

Zscaler has established human resources (HR) policies and practices related to hiring to determine the necessary competence of employees. Documented job descriptions are in place to communicate the required competence levels of ISMS employees. HR requires employment candidates to undergo background verification screening that includes, but is not limited to, employment history, educational credentials, and criminal background checks.

Awareness (Clause 7.3)

Zscaler continually monitors the competence levels of employees and provides employees with the ability to participate in a variety of training courses relevant to information security. In addition, a formal training program is in place for security and privacy training. The training program communicates employees’ contribution to the effectiveness of the ISMS, as well as the implications of not conforming to ISMS requirements. Zscaler personnel are required to complete security awareness training upon hire and annually thereafter. Roles with access to sensitive information and systems may be required to take additional training applicable to their responsibilities. Training records are maintained on the corporate intranet. Employees are made aware of disciplinary measures upon receipt and acknowledgement of the employee handbook at hire.

Communication (Clause 7.4)

Zscaler management has determined that internal communications in the form of policies and related ISMS documentation are required to ensure adequate understanding of and conformity with ISMS procedures. In addition, Zscaler communicates to personnel the importance of their individual activities and how they contribute to the achievement of the ISMS. Policies and procedures are maintained within Zscaler’s document control system. Security committee meetings, which span functional areas beyond the ISMS committee members, are held internally on a monthly basis. The management review, which primarily discusses the performance of the ISMS, is held on a quarterly basis throughout the year. Management review minutes are maintained and discussed with external interested parties on an as-needed basis.

Documented Information (Clause 7.5)

Documentation and supporting information related to the Zscaler ISMS are stored on the corporate intranet, for Zscaler personnel to review and understand their responsibility for adhering to the associated organizational standards and security requirements. Read and write access to ISMS documentation is restricted and controlled. A documentation information document has been established to help ensure proper control of documented information. ISMS documents are required to include, at a minimum, a title, date, author, and version number. In addition, the documentation information document includes guidance regarding creating, updating, storing, disposing of, and controlling changes to any ISMS documents and records. The vice president (VP) of cloud operations, or their designee, reviews and approves ISMS documentation to ensure quality, applicability, and management support.

Risk Identification, Risk Assessment, and Risk Treatment (Clauses 6 and 8)

Risk Assessment Methodology Overview

A formally documented risk assessment process is in place to help guide the risk assessment and treatment processes. Assets are identified by researching the environment within the scope of the ISMS, and the owner of each asset is determined. Threats and vulnerabilities are identified throughout the organization by researching current information security trends and discussing the findings with asset owners. The assets are associated with corresponding threats and vulnerabilities to generate a risk score. The risk assessment methodology is based on the NIST 800-30 standard and was selected because it provides a mechanism to assess information assurance against threats, vulnerabilities, and cost. By choosing this method, the process for reducing risk by selecting and applying controls, transferring risk, or accepting risk becomes straightforward and repeatable. Zscaler establishes and maintains an information security risk assessment process that evaluates the organization’s risks at least once a year or when there are major changes to the system.


Risk Assessment Framework

Zscaler’s risk assessment process comprises risk identification, analysis, and evaluation. Risk identification is the product of the communication process, information collected from manager queries, incidents, internal and external audits, code scanning, penetration tests, contractual obligations, and changes in regulatory requirements. Zscaler’s risk assessment approach for identifying risks and assets is as follows:

Identify the information security risks:

o Assets are identified by researching the environment within the scope of the ISMS and the owner of each asset is determined.

o Threats and vulnerabilities are identified by researching current information security trends and discussions with support staff and asset owners.

o Impact and losses are evaluated based on confidentiality, integrity, and availability of the asset.

Analyze the information security risks:

o Business impact, threats, and vulnerabilities, as well as the likelihood of the exploit against the asset are determined following the risk evaluation criteria.

o The risk level is determined following the risk assessment methodology.

Evaluate the information security risks:

o Risks are evaluated and prioritized in accordance with the defined risk assessment process.

Risk Evaluation Criteria

Likelihood and impact are calculated based upon the likelihood of a vulnerability being exploited by one or more threat sources and the impact on the business as it relates to confidentiality, integrity, and availability of the asset. The likelihood is scored based on the following criteria:

Likelihood

Value   Definition          Label
1%      < 1 in 100 years    Unlikely
10%     1 in 5 years        Rare
30%     1 in 1-2 years      Likely
80%     3x per year         Very Likely
99%     >10x per year       Extremely Likely

The impact is scored based on the following criteria:

Impact

Value   Definition                           Label
10      Minimal cost to resume operations    Low
50      $100,000 - $1,000,000                Medium
100     $1,000,000 - $5,000,000              High
1000    Likely not to recover                Catastrophic


The risk score is calculated as the product of likelihood and impact (risk = likelihood * impact). This model is combined into a second calculation using the product of threats and vulnerabilities to obtain an impact value.

Risk Level Determination

Risk score (likelihood x impact); rows are impact values, columns are likelihood values:

Impact \ Likelihood    1%      10%     30%     80%     99%
1000                   10      100     300     800     990
100                    1       10      30      80      99
50                     0.5     5       15      40      49.5
10                     0.1     1       3       8       9.9

Risk Level legend (shown as cell shading in the original table): Low Risk, Medium Risk, High Risk
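The likelihood x impact scoring described above, worked through in code. This is an added illustration, not Zscaler’s or Schellman’s tooling: the likelihood and impact scales are the values printed in the report, the risk register entries (assets, threats, owners) are constructed sample data, and because the report does not state which score bands map to Low, Medium and High risk, the example computes and ranks scores without assigning a band.

```python
"""Likelihood x impact risk scoring, as described in the report above.

Added example (not Zscaler's or Schellman's tooling). The two scales are the
values printed in the report; the register entries are constructed sample data.
"""
from dataclasses import dataclass

# Likelihood scale from the report: label -> probability value
LIKELIHOOD = {
    "Unlikely": 0.01,          # < 1 in 100 years
    "Rare": 0.10,              # 1 in 5 years
    "Likely": 0.30,            # 1 in 1-2 years
    "Very Likely": 0.80,       # 3x per year
    "Extremely Likely": 0.99,  # > 10x per year
}

# Impact scale from the report: label -> impact value
IMPACT = {
    "Low": 10,             # minimal cost to resume operations
    "Medium": 50,          # $100,000 - $1,000,000
    "High": 100,           # $1,000,000 - $5,000,000
    "Catastrophic": 1000,  # likely not to recover
}


def risk_score(likelihood: str, impact: str) -> float:
    """risk = likelihood * impact, rounded to the one decimal the report's table uses."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 1)


def risk_matrix() -> dict:
    """Full score matrix keyed by impact value, then likelihood value.

    Reproduces the report's 'Risk Level Determination' table,
    e.g. risk_matrix()[1000][0.30] == 300.0.
    """
    return {
        iv: {lv: round(lv * iv, 1) for lv in LIKELIHOOD.values()}
        for iv in IMPACT.values()
    }


@dataclass(frozen=True)
class RiskEntry:
    """One risk register row: an asset paired with a threat/vulnerability, as the
    methodology describes, plus the owner who manages remediation (hypothetical fields)."""
    asset: str
    threat: str
    likelihood: str
    impact: str
    owner: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)


def prioritize(register: list) -> list:
    """Rank register entries by score, highest first; ties keep input order."""
    return sorted(register, key=lambda e: e.score, reverse=True)


# Constructed sample register: hypothetical assets and threats, not from the report.
SAMPLE_REGISTER = [
    RiskEntry("log archive", "unauthorised disclosure of user logs", "Rare", "High", "ops-lead"),
    RiskEntry("admin portal", "credential phishing of an administrator", "Likely", "Medium", "sec-lead"),
    RiskEntry("DC power feed", "regional outage", "Unlikely", "Catastrophic", "facilities"),
    RiskEntry("build server", "dependency with a known vulnerability", "Very Likely", "Low", "eng-lead"),
]

if __name__ == "__main__":
    # Print the ranked register so a reviewer can see where treatment effort goes first.
    for entry in prioritize(SAMPLE_REGISTER):
        print(f"{entry.score:>6}  {entry.asset:<14} {entry.threat} (owner: {entry.owner})")
```

Note that two very different entries (a rare high-impact event and an unlikely catastrophic one) can land on the same score; the matrix makes those ties visible, which is why the report treats the score as an input to evaluation by the risk owner rather than the whole decision.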

Risk Treatment

Risk treatment is accomplished by reviewing possible options including:

Achieving an acceptable residual level of risk by applying additional controls;

Reducing risk while transferring residual risk;

Transferring risk; or

Accepting risk based on further analysis and review.

The VP of cloud operations is responsible for approving high risks and may delegate the approval of medium or low risks to other individuals. Identified risks are assigned a proper risk owner that manages the risk remediation. Risks are tracked within the risk register.

A statement of applicability has been documented and lists the applicable controls from Annex A of ISO 27001, as well as any applicable ISO 27018 controls that have been selected to mitigate risks as outlined in the risk assessment and risk treatment plan. It also details the controls that have been explicitly excluded with a justification for such exclusion. Risk treatment plans are implemented by considering ISMS reviews and feedback from asset owners or subject matter experts. Required resources such as roles, responsibilities, and funding are determined by the VP of cloud operations. The most recent risk assessment and risk treatment occurred in January 2020 and was noted to be effective and in conformance with the requirements of the standard.

ISMS Effectiveness Measurements (Clause 9.1)

An ISMS effectiveness monitoring and measurement process is defined within the performance evaluation process document. Security processes and controls, security of the system, performance of the system, and capacity of the system and related metrics have been identified as the required key performance indicators (KPIs) to be monitored and measured continuously by the security committee. The results of continuous monitoring and measurement of the effectiveness of the ISMS are presented at least annually during management review. The EVP of engineering and cloud operations is responsible for analyzing and evaluating the results.


The ISMS effectiveness measurement takes place on a continuous basis; however, the most recent ISMS effectiveness measurement at the time of the 2020 recertification review took place in February 2020 and was noted to be effective and in conformance with the requirements of the standard.

Internal ISMS Audits (Clause 9.2)

An ISMS audit procedure has been documented to define the framework for ensuring that Zscaler continually operates in accordance with specified policies, procedures, and external requirements in meeting Zscaler’s goals and objectives in relation to information security. The ISMS audit procedure outlines the internal audit process and procedures. These procedures include the assignment of auditors, the audit plan and scope requirements, the audit execution, as well as the reporting of any audit findings to the information security management representative (ISMR). The ISMR is responsible for appointing the lead internal auditor. The lead internal auditor can be someone from the organization or an outside party that has sufficient knowledge of the ISO 27001 standard and familiarity with management system auditing techniques. Internal auditors are required to be selected in such a way as to ensure objectivity and impartiality. The ISMR, along with the internal auditor, determines the scope of the internal audit and defines an audit plan based on the risk assessment and results of previous audits. The ISMR is responsible for ensuring that the internal ISMS audits are conducted on an annual basis to determine whether the ISMS conforms to organizational and ISO 27001 / ISO 27018 requirements, and whether the ISMS has been effectively implemented and maintained. An internal audit checklist is utilized to guide the internal auditor in auditing specific items particular to the organizational unit being audited and to document audit conclusions that are collected through interviews, examination of documents, and observation of activities.

At the conclusion of the internal audit, the internal audit checklist and audit findings report are issued to the ISMR, and ultimately communicated to management during ISMS management reviews. The most recent ISMS internal audit occurred in January 2020 and was noted to be effective and in conformance with the requirements of the standard. The audit was performed by an outside party to help ensure the objectivity and independence of the audit process.

Management Reviews (Clause 9.3)

Management reviews are performed at least annually to ensure the continuing suitability, adequacy, and effectiveness of the ISMS. The results of the management review process, including the consideration of the required inputs and outputs, are documented within a separate management review document. During management review meetings, the following criteria are discussed and reviewed to ensure the objectives of the ISMS are being met:

Status of actions from previous management reviews

Changes to external / internal issues relevant to the ISMS (including new products, changes in scope, personnel, etc.)

General feedback on information security performance

Feedback on nonconformities and corrective actions

Feedback on monitoring and measurement results

Feedback on audit results (internal / external)

Feedback from interested parties (including customers, employees, or other parties)

Results of risk assessment and status of risk treatment plan(s)

Opportunities for continual improvement

Feedback on Annex A control physical security review for data center providers

Page 20: Zscaler, Inc....This certificate is subect to the satisfactory completion of annual surveillance audits by Schellman & Company, LLC 3. ISO/IEC 27001:2013 compliance audits are not

17

Firewall configurations and logs audited

Access control / account logging for accounts in ZAdmin

Disaster recovery / business continuity plan process review

ISMS effectiveness measurement assessment

Monitoring and review of supplier services and any changes to supplier services

The most recent ISMS management review took place in February 2020 and was noted to be effective and in conformance with the requirements of the standard.

Corrective Action and Continual Improvement (Clause 10)

Nonconformity and Corrective Action (Clause 10.1)

An improvement document has been implemented to describe Zscaler’s process for continually improving the suitability, adequacy, and effectiveness of the ISMS, including the corrective action process. The corrective action process defines the elements of corrective action and the required reporting process as well as process flows for corrective action handling. Zscaler’s reaction to nonconformities is dependent on the risk level and impact of the nonconformity. Where the risk level warrants, the management review team takes necessary action in reviewing the nonconformity, determining the cause of the nonconformity, determining if similar nonconformities exist, implementing any corrective action needed, reviewing the effectiveness of corrective action taken, and making changes to the ISMS if necessary. Results of corrective action are recorded on the secure online document storage system.

Continual Improvement (Clause 10.2)

Zscaler continually improves the effectiveness of the ISMS through the use of ISMS management reviews, internal audits, third-party audits, and awareness and effectiveness reviews.

Statement of Applicability

Zscaler has maintained a statement of applicability based on the results of the risk assessment process. All controls from Annex A of ISO 27001 as well as the additional control guidance and supplemental controls from ISO 27018 are included in the statement of applicability except for the following:

A.14.2.7 – Outsourced Development: As noted within the Statement of Applicability, Zscaler does not outsource development.


PRIVACY INFORMATION SECURITY MANAGEMENT SYSTEM

As noted previously, the PIMS is integrated within the ISMS, requiring that the general design and operating effectiveness of the ISMS and PIMS conform to the requirements of the ISO 27701 standard in addition to the control requirements included in the ISMS (including Annex A and ISO 27018) and based on the control set within ISO 27701. The following details the additional considerations Zscaler has taken and implemented for the processing of personal information when in the role of a processor.

Context of the Organization

Understanding the Organization and its Context (ISO 27701 Clause 5.2.1)

Zscaler has determined that it acts in the role of a processor. It has identified regulatory and contractual requirements as external factors, and internal resources as an internal factor, that affect Zscaler’s ability to achieve the intended outcome of the PIMS.

Understanding the Needs and Expectations of Interested Parties (ISO 27701 Clause 5.2.2)

Zscaler has identified the following interested parties:

Customers

Zscaler’s Global Cloud Operations team

Regulatory authorities

Determining the Scope of the Information Security Management System (ISO 27701 Clause 5.2.3)

Zscaler has determined that the scope of its Privacy Information Management System is as follows: The scope of the ISO/IEC 27001:2013 certificate is limited to the information security management system / privacy information management system (ISMS/PIMS) supporting the Zscaler global cloud in the EMEA (Europe, Middle East and Africa), NA (North America), LATAM (Latin America) and APAC (Asia-Pacific) regions for its Security as a Service platform, including operations employees, and in accordance with the statement of applicability and aligned with ISO/IEC 27018:2019. In its products, Zscaler acts as a data processor contracted by a data controller (Zscaler’s corporate customer), who is requesting processing of the data of that corporate customer’s PII principals.

Information Security Management System (ISO 27701 Clause 5.2.4)

Zscaler tracks Corrective/Preventive Actions and Risk in relation to the ISMS and PIMS. The Due Diligence worksheet within that tool functions as a dashboard that helps the ISMS/PIMS manager identify areas of the ISMS/PIMS that require attention. The process identifies required corrective actions and includes a color-coded status for each action indicating when the action must be completed or whether it is past due. The Corrective/Preventive Action worksheet tracks in greater detail corrective and preventive actions identified during an audit or reported by someone. The ISMS Standard Operating Procedure sets forth a step-by-step procedure for documenting corrective and preventive actions.

Planning

Information Security Risk Assessment (ISO 27701 Clause 5.4.1.2)

Zscaler requires a Product Requirements Document (PRD) to be filled out in OneTrust for each product/offering. The PRD covers several key areas, including the privacy impact of the product in question. Depending upon answers given related to privacy questions, a full privacy impact assessment is triggered. This occurs within the PRD and does not require a separate assessment. The PIA considers the processing activities required by the product, including:

Whether new types of personal data will be processed


Purpose of such processing

Source of the personal data

Any third parties that may be involved in the processing activities

Geolocation of the processing

Information Security Risk Treatment (ISO 27701 Clause 5.4.1.3)

Zscaler has produced a statement of applicability (SOA) that includes relevant Annex B (i.e. ISO 27701, Clause 8) controls, the justification for inclusion of such controls, and indicates that the controls have been implemented. The SOA also includes relevant ISO 27001 Annex A Controls, including those with additional implementation guidance relevant to ISO 27701.

Internal Audit

Zscaler performed an independent internal assessment of the ISMS against the PIMS Processor Clause Requirements from ISO 27701. The internal audit was performed by an independent internal stakeholder from Zscaler and was performed from January through April 2020. The internal audit included an assessment of whether Zscaler’s processes met the requirements. Additionally, the audit results were reviewed by members of the security committee to review the management system’s performance.

Management Review

Zscaler maintained its quarterly security committee meeting cadence to ensure that applicable requirements from ISO 27701 were incorporated into the ISMS and reviewed. It was noted that the quarterly security committee meetings were most recently held as of August 2020 and included consideration of ISO 27701’s incorporation into the ISMS, as well as a review of the internal audit results.

Additional Guidance for PII Processors (ISO 27701 Clause 8)

Conditions for Collection and Processing

Customer Agreement / Contracts (8.2.1 Customer Agreement)

Zscaler’s Data Processing Agreement (DPA) with customers provides that the organization will assist customers by appropriate technical and organizational measures for the fulfillment of any obligations regarding the exercise of data subject rights. Further, Zscaler’s DPA provides that it will assist the customer in complying with technical and organizational security measures and breach response.

Organization’s Purpose (8.2.2) and Marketing and Advertising Use (8.2.3)

Zscaler’s contract with customers provides that it only processes personal data in accordance with instructions from the customer. The only direct access to customer data the organization has is via support functions (i.e. to view customer log information). For support personnel to have access to customer log information, the customer administrator must affirmatively grant support access to Zscaler by using a toggle function in the customer user interface. If the customer support/remote access toggle is off, the organization is unable to access customer data. Zscaler’s Master Information Security Policy notes that Zscaler is a custodian of the data provided by and processed for its customers, and it is responsible for treating such data confidentially. In addition, Zscaler provides personnel with privacy training, which covers the concepts of PII in different jurisdictions (i.e. the United States and European Union) and how to safeguard PII.

Infringing Instruction (8.2.4)

Zscaler’s contract with customers requires that it promptly inform the customer if, in Zscaler’s opinion, compliance with a customer instruction would infringe on data protection legislation.


Customer Obligation (8.2.5)

Zscaler provides customers with third party assessment reports upon request. In addition, Zscaler maintains a list of white papers and other information about data protection functionality in Zscaler products. Zscaler’s Data Protection at a Glance white paper sets out the list of data protection components by Zscaler’s product offerings. Key data protection capabilities include:

Unified protections (Cloud Data Protection policy follows users to provide the same level of protection for data in motion across locations and unified data-at-rest protections across SaaS and public cloud applications)

Full SSL inspection of all traffic (inspects all SSL traffic)

Compliance reporting and remediation (enables unified visibility and control across SaaS and public cloud application deployments)

Elastic scale with inline enforcement (Zscaler sits inline so it can block sensitive information before the information leaves the customer’s network)

Records Related to Processing PII (8.2.6) and Obligations to PII Principals (8.3.1)

Zscaler provides customers with “Nanologs,” which log information concerning activity by the customer’s users. Zscaler does not have access to these logs; however, through the customer portal, customers may view and export this log information. Customers have the option to generate standardized reports concerning manifold metrics, including browsing history, top URL categories of a given user, and department-level browsing activity. The customer portal allows customer administrators to view individual user activity or aggregate (i.e. department) level activity. Log information can be exported to CSV format. Additionally, Zscaler provides guidance for deployments in certain European Union countries. Specifically, there is a need to anonymize logs for Germany and Northern European countries so that personal information cannot be viewed or obtained by unauthorized personnel when information is stored in the cloud. To achieve this, Zscaler uses the “Four Eye Principle,” where all user-centric logs have obfuscated usernames for a particular administrator based on the administrator’s role, with only an allowed auditor (in an administration role) able to view actual usernames. This can be configured via the administrative interface, where the auditor has the key to allow translation of actual usernames.

Privacy by Design and Privacy by Default

Processes for Handling, Retaining, and Destroying Temporary Files Containing PII (8.4.1 Temporary Files)

The only customer information with PII that Zscaler retains is logs of customer activity (including username, IP address, geolocation of the IP address). Those logs are purged every six months.

Return, Transfer, or Disposal of PII (8.4.2)

Zscaler customers have the ability to export log information in CSV format within the customer portal. Additionally, customers may request disposal of all data associated with that customer upon termination of the contract. Customers make such requests via a support ticket, and Zscaler utilizes JIRA to track fulfillment of such requests.

PII Transmission Controls (8.4.3)

Zscaler uses TLS encryption configurations for web communications. Zscaler allows customers to set policies blocking traffic that uses cipher suites unsupported by the service.

PII Sharing, Transfer and Disclosure

Basis for PII Transfer Between Jurisdictions (8.5.1)

Zscaler notifies customers of the basis for transferring PII between jurisdictions primarily via the data processing agreements (DPAs) with customers. Zscaler’s DPA provides that standard contractual clauses apply to all processing where personal data is transferred from the EEA or United Kingdom where a) the recipient country is not deemed to provide an adequate level of protection for personal data, and b) no suitable framework recognized by relevant authorities provides an adequate level of protection for personal data.


Countries and International Organizations to Which PII can be Transferred (8.5.2) and Records of PII Disclosure to Third Parties (8.5.3)

Zscaler maintains a list of subprocessors, including their locations and service provided, on its public-facing website. With respect to subprocessors providing support services, Zscaler notes on its website that customers must do the following for Zscaler or a subprocessor to respond to a customer support ticket:

Submit a support ticket

Authorize Zscaler and/or its subprocessor(s) to access the customer’s personal data in order to respond to the support ticket.

On its public website, Zscaler lists four subprocessors that provide support-related services and notes their location, as follows:

Subprocessor                    Location
CSS Corp. dba SlashSupport      Poland and India (Support Services); Costa Rica (TAM Support Services)
Salesforce.com, Inc.            Hosted in the United States
Zendesk, Inc.                   Hosted in the United States
Zscaler Affiliates              Worldwide

Notification of PII Disclosure Requests (8.5.4) and Legally Binding PII Disclosures (8.5.5)

Per Zscaler’s Guidelines for Responding to Judicial and Law Enforcement Requests, Zscaler discloses information pursuant to a legally binding request only after notice to the customer, unless prohibited from doing so. Per the Guidelines, Zscaler will not disclose customer information upon request unless and until a court or law enforcement agency issues a legal subpoena or equivalent form of process directed at Zscaler.

Disclosure of Subcontracts used to Process PII (8.5.6), Engagement of a Subcontractor to Process PII (8.5.7), and Change of Subcontractor to Process PII (8.5.8)

Zscaler maintains a list of its subprocessors on its public website. Zscaler’s DPA with customers provides that it will provide reasonable advance notice to customers before a new subprocessor processes any personal data, and customers may object to the new subprocessor within 15 days of such notice. Zscaler provided notice to customers of a proposed new subprocessor on December 5, 2019, for a subprocessor to begin providing services on January 14, 2020. Zscaler provided such notice via its trust portal and via e-mail to customers.


SECTION 4

ISO 27001, 27018, AND 27701 CONTROLS IMPLEMENTED BY ZSCALER SUPPORTING THE ISMS


APPLICABLE ISO 27001 CONTROL ACTIVITIES INCLUDING ISO 27018

Note that controls in the matrices below denoted with an asterisk (*) are those controls that included additional guidance, and subsequent testing, applicable to the supplemental control guidance from ISO 27018.

Control ID    Control Activity

5 Information Security Policy

5.1 Management Direction for Information Security

5.1.1* A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

5.1.2 The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

6 Organization of Information Security

6.1 Internal Organization

6.1.1* All information security responsibilities shall be defined and allocated.

6.1.2 Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuses of the organization’s assets.

6.1.3 Appropriate contacts with relevant authorities shall be maintained.

6.1.4 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

6.1.5 Information security shall be addressed in project management, regardless of the type of the project.

6.2 Mobile Devices and Teleworking

6.2.1 A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

6.2.2 A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

7 Human Resources Security

7.1 Prior to Employment

7.1.1 Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

7.1.2 The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

7.2 During Employment

7.2.1 Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

7.2.2* All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

7.2.3 There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.


7.3 Termination or Change of Employment

7.3.1 Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

8 Asset Management

8.1 Responsibility for Assets

8.1.1 Information, other assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

8.1.2 Assets maintained in the inventory shall be owned.

8.1.3 Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

8.1.4 All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

8.2 Information Classification

8.2.1 Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.

8.2.2 An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.2.3 Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

8.3 Media Handling

8.3.1 Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

8.3.2 Media shall be disposed of securely when no longer required, using formal procedures.

8.3.3 Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.

9 Access Control

9.1 Business Requirements of Access Control

9.1.1 An access control policy shall be established, documented and reviewed based on business and information security requirements.

9.1.2 Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

9.2 User Access Management

9.2.1* A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

9.2.2 A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.

9.2.3 The allocation and use of privileged access rights shall be restricted and controlled.

9.2.4 The allocation of secret authentication information shall be controlled through a formal management process.

9.2.5 Asset owners shall review users’ access rights at regular intervals.


9.2.6 The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

9.3 User Responsibilities

9.3.1 Users shall be required to follow the organization’s practices in the use of secret authentication information.

9.4 System and Application Access Control

9.4.1 Access to information and application system functions shall be restricted in accordance with the access control policy.

9.4.2* Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

9.4.3 Password management systems shall be interactive and shall ensure quality passwords.

9.4.4 The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

9.4.5 Access to program source code shall be restricted.

10 Cryptography

10.1 Cryptographic Controls

10.1.1* A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

10.1.2 A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

11 Physical and Environmental Security

11.1 Secure Areas

11.1.1 Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

11.1.2 Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

11.1.3 Physical security for offices, rooms and facilities shall be designed and applied.

11.1.4 Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.

11.1.5 Procedures for working in secure areas shall be designed and applied.

11.1.6 Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

11.2 Equipment

11.2.1 Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

11.2.2 Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

11.2.3 Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.


11.2.4 Equipment shall be correctly maintained to ensure its continued availability and integrity.

11.2.5 Equipment, information or software shall not be taken off-site without prior authorization.

11.2.6 Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

11.2.7* All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

11.2.8 Users shall ensure that unattended equipment has appropriate protection.

11.2.9 A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

12 Operations Security

12.1 Operational Procedures and Responsibilities

12.1.1 Operating procedures shall be documented and made available to all users who need them.

12.1.2 Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

12.1.3 The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

12.1.4* Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

12.2 Protection from Malware

12.2.1 Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

12.3 Backup

12.3.1* Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

12.4 Logging and Monitoring

12.4.1* Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

12.4.2* Logging facilities and log information shall be protected against tampering and unauthorized access.

12.4.3 System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

12.4.4 The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.

12.5 Control of Operational Software

12.5.1 Procedures shall be implemented to control the installation of software on operational systems.

12.6 Technical Vulnerability Management

12.6.1 Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

12.6.2 Rules governing the installation of software by users shall be established and implemented.

12.7 Information Systems Audit Considerations


12.7.1 Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

13 Communications Security

13.1 Network Security Management

13.1.1 Networks shall be managed and controlled to protect information in systems and applications.

13.1.2 Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

13.1.3 Groups of information services, users and information systems shall be segregated on networks.

13.2 Information Transfer

13.2.1* Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

13.2.2 Agreements shall address the secure transfer of business information between the organization and external parties.

13.2.3 Information involved in electronic messaging shall be appropriately protected.

13.2.4 Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

14 System Acquisition, Development, and Maintenance

14.1 Security Requirements of Information Systems

14.2 Security in Development and Support Processes

14.2.1 Rules for the development of software and systems shall be established and applied to developments within the organization.

14.2.2 Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

14.2.3 When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

14.2.4 Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

14.2.5 Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

14.2.6 Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

14.2.7 The organization shall supervise and monitor the activity of outsourced system development.

Not Applicable per Zscaler’s SOA

14.2.8 Testing of security functionality shall be carried out during development.

14.2.9 Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

14.3 Test Data

15 Supplier Relationships

15.1 Information Security in Supplier Relationships


15.1.2 All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

15.1.3 Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

15.2 Supplier Service Delivery Management

15.2.1 Organizations shall regularly monitor, review and audit supplier service delivery.

15.2.2 Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

16 Information Security Incident Management

16.1 Management of Information Security Incidents and Improvements

16.1.1* Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

16.1.2 Information security events shall be reported through appropriate management channels as quickly as possible.

16.1.3 Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

16.1.4 Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.

16.1.5 Information security incidents shall be responded to in accordance with the documented procedures.

16.1.6 Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

16.1.7 The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

17 Information Security Aspects of Business Continuity Management

17.1 Information Security Continuity

17.1.1 The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

17.1.2 The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

17.1.3 The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

17.2 Redundancies

17.2.1 Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

18 Compliance

18.1 Compliance with Legal and Contractual Requirements


18.1.1 All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.

18.1.2 Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

18.1.3 Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.

18.1.4 Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.

18.1.5 Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

18.2 Information Security Reviews

18.2.1* The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.

18.2.2 Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

18.2.3 Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.

A.2 Consent and Choice

A.2.1 The public cloud PII processor should provide the cloud service customer with the means to enable them to fulfil their obligation to facilitate the exercise of PII principals’ rights to access, correct and/or erase PII pertaining to them.

A.3 Purpose Legitimacy and Specification

A.3.1 PII to be processed under a contract should not be processed for any purpose independent of the instructions of the cloud service customer.

A.3.2 PII processed under a contract should not be used by the public cloud PII processor for the purposes of marketing and advertising without express consent. Such consent should not be a condition of receiving the service.

A.4 Collection Limitation

No additional controls are relevant to this privacy principle.

A.5 Data Minimization

A.5.1 Temporary files and documents should be erased or destroyed within a specified, documented period.

A.6 Use, Retention and Disclosure Limitation

A.6.1 The contract between the public cloud PII processor and the cloud service customer should require the public cloud PII processor to notify the cloud service customer, in accordance with any procedure and time periods agreed in the contract, of any legally binding request for disclosure of PII by a law enforcement authority, unless such a disclosure is otherwise prohibited.

A.6.2 Disclosures of PII to third parties should be recorded, including what PII has been disclosed, to whom and at what time.


A.7 Accuracy and Quality

No additional controls are relevant to this privacy principle.

A.8 Openness, Transparency, and Notice

A.8.1 The use of sub-contractors by the public cloud PII processor to process PII should be disclosed to the relevant cloud service customers before their use.

A.9 Individual Participation and Access

No additional controls are relevant to this privacy principle.

A.10 Accountability

A.10.1 The public cloud PII processor should promptly notify the relevant cloud service customer in the event of any unauthorized access to PII or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of PII.

A.10.2 Copies of security policies and operating procedures should be retained for a specified, documented period upon replacement (including updating).

A.10.3 The public cloud PII processor should have a policy in respect of the return, transfer and/or disposal of PII and should make this policy available to the cloud service customer.

A.11 Information Security

A.11.1 Individuals under the public cloud PII processor’s control with access to PII should be subject to a confidentiality obligation.

A.11.2 The creation of hardcopy material displaying PII should be restricted.

A.11.3 There should be a procedure for, and a log of, data restoration efforts.

A.11.4 PII on media leaving the organization’s premises should be subject to an authorization procedure and should not be accessible to anyone other than authorized personnel (e.g. by encrypting the data concerned).

A.11.5 Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented.

A.11.6 PII that is transmitted over public data-transmission networks should be encrypted prior to transmission.

A.11.7 Where hardcopy materials are destroyed, they should be destroyed securely using mechanisms such as cross-cutting, shredding, incinerating, pulping, etc.

A.11.8 If more than one individual has access to stored PII, then they should each have a distinct user ID for identification, authentication and authorization purposes.

A.11.9 An up-to-date record of the users or profiles of users who have authorized access to the information system should be maintained.

A.11.10 De-activated or expired user IDs should not be granted to other individuals.

A.11.11 Contracts between the cloud service customer and the public cloud PII processor should specify minimum technical and organizational measures to ensure that the contracted security arrangements are in place and that data are not processed for any purpose independent of the instructions of the controller. Such measures should not be subject to unilateral reduction by the public cloud PII processor.


A.11.12 Contracts between the public cloud PII processor and any sub-contractors that process PII should specify minimum technical and organizational measures that meet the information security and PII protection obligations of the public cloud PII processor. Such measures should not be subject to unilateral reduction by the sub-contractor.

A.11.13 The public cloud PII processor should ensure that whenever data storage space is assigned to a cloud service customer, any data previously residing on that storage space is not visible to that cloud service customer.

A.12 Privacy Compliance

A.12.1 The public cloud PII processor should specify and document the countries in which PII might possibly be stored.

A.12.2 PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination.

INCREMENTAL ISO 27701 CONTROLS RELEVANT TO PROCESSORS

B.8.2 Conditions for Collection and Processing

B.8.2.1 The organization shall ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations, (taking into account the nature of processing and the information available to the organization).

B.8.2.2 The organization shall ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.

B.8.2.3 The organization shall not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal. The organization shall not make providing such consent a condition for receiving the service.

B.8.2.4 The organization shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation and/or regulation.

B.8.2.5 The organization shall provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations.

B.8.2.6 The organization shall determine and maintain the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer.

B.8.3 Obligations to PII Principals

B.8.3.1 The organization shall provide the customer with the means to comply with its obligations related to PII principals.

B.8.4 Privacy by Design and Privacy by Default

B.8.4.1 The organization shall ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period.

B.8.4.2 The organization shall provide the ability to return, transfer and/or disposal of PII in a secure manner. It shall also make its policy available to the customer.

B.8.4.3 The organization shall subject PII transmitted over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination.


B.8.5 PII Sharing, Transfer, and Disclosure

B.8.5.1 The organization shall inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer has the ability to object to such changes or to terminate the contract.

B.8.5.2 The organization shall specify and document the countries and international organizations to which PII can possibly be transferred.

B.8.5.3 The organization shall record disclosures of PII to third parties, including what PII has been disclosed, to whom and when.

B.8.5.4 The organization shall notify the customer of any legally binding requests for disclosure of PII.

B.8.5.5 The organization shall reject any requests for PII disclosures that are not legally binding, consult the corresponding customer before making any PII disclosures and accepting any contractually agreed requests for PII disclosures that are authorized by the corresponding customer.

B.8.5.6 The organization shall disclose any use of subcontractors to process PII to the customer before use.

B.8.5.7 The organization shall only engage a subcontractor to process PII according to the customer contract.

B.8.5.8 The organization shall, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PII, thereby giving the customer the opportunity to object to such changes.