Data Center Certification Standards

In today’s world of business, computers are all the rage. Without them, after all, nobody could buy things online and there wouldn’t be free email accounts.

The management, dissemination, and storage of digital information is known as information technology, or IT for short. Since taking care of IT needs in-house is so expensive, businesses often outsource their IT needs to data centers.

Data centers are facilities dedicated to hosting, managing, and maintaining any and all equipment that businesses use to handle their information technology needs.

What do data centers consist of?

There are four main components of data centers: the facilities themselves, support infrastructure, equipment, and operations staff. Let’s go into greater detail about what each of these four components entails.


Data centers need facilities to store and operate the equipment they need to meet their clients’ IT needs. These facilities include the buildings that actually house such equipment and staff, HVAC systems used to heat and cool data centers, and the infrastructure used to supply utilities like electricity and Internet bandwidth to these facilities.

IT equipment

All the hardware that is directly responsible for hosting websites and otherwise performing IT support functions falls under this category. This includes the racks, cabinets, and cables to store such hardware and keep it operating.

Operations staff

People working for data centers who aren’t directly responsible for implementing and maintaining data center equipment fall under operations staff. Members of data centers’ operations staff include managers and executives.

Support infrastructure

The hardware, software, and people used to keep IT infrastructure up and running fall under the category of support infrastructure. Businesses and organizations need to have around-the-clock access to support functions from their data centers. Otherwise, they might as well take care of their IT needs in-house.

How can businesses and organizations know that data centers are doing their jobs?

Just how organizations like SACS, the Southern Association of Colleges and Schools, oversee American colleges and universities in the Southeastern United States, there are several governing bodies that oversee data centers and make sure they provide the services they claim to provide and keep clients’ information safe.

The rest of this article consists of a discussion about the current top data center certification standards and the governing bodies that maintain such standards in the United States and some other countries.

SAS 70 Type II data center certification

SAS 70 stands for Statement on Auditing Standards Number 70: Service Organizations, an auditing standard that was put into place by the AICPA, or the American Institute of Certified Public Accountants.

SAS 70, in short, is a standard that provides oversight and guidance for independent, third-party auditors to assess data centers’ service controls and provide them with a professional, unbiased opinion on them.

Internal controls, at least as far as auditing, oversight, and regulation are concerned, are policies and procedures that – put simply – make sure things are running like they’re supposed to. Internal controls are usually referred to simply as controls.

Although SAS 70 has been phased out of being legally required since 2011, many data centers still pay auditors to provide them with SAS 70 Type II reports and opinions. SAS 70 reports include three things:

  • An in-depth, thorough description of the tests that auditors use to affirm the effectiveness of their operations.
  • An in-depth, thorough description of any and all internal controls that are currently being used to keep things running as they’re supposed to.
  • Most importantly, the professional, unbiased, independent opinion of the auditor regarding whether their internal controls are doing what they’re supposed to or not.

SAS 70 Type II reports are used by data centers to find out if their internal controls could be improved or if they’re doing a good enough job already. Further, these reports are often passed on to current and potential clients of data centers. Most data centers make SAS 70 Type II reports widely available to the world by posting them online or otherwise making them readily available to people – not just clients – who are interested in reviewing them.

One thing that’s important to keep in mind regarding SAS 70 audits is that there are no standards that must be met. Rather, auditors determine whether data centers are running as well as they should be on a case-by-case basis.

SSAE 16 data center certification

The AICPA is also responsible for overseeing SSAE 16 data center certifications. SSAE 16 stands for the Statement on Standards for Attestation Engagements Number 16, which was first published in early 2010.

SSAE 16 has largely replaced Statement on Auditing Standards Number 70: Service Organizations as the go-to standard for certifying the effectiveness of data centers’ operations here in the United States. However, as mentioned above, keep in mind that SAS 70 is still regarded highly by the likes of data centers, auditors, and the potential clients and existing stakeholders of data centers.

SSAE 16 is the United States’ equivalent of the international standard ISAE 3402, or the Assurance Reports on Controls at a Service Organization, which was implemented by the International Auditing and Assurance Standards Board, or the IAASB.

In order to gain SSAE 16 data center certification, data centers must subject themselves to three main things. The first of these is that they must provide auditors with a list of any and all systems they use as internal controls. Further, data centers must also thoroughly describe these internal controls.

The second thing data centers must object themselves to is providing auditors with a full description of their overall systems. SAS 70 guidelines only call for descriptions of facility internal controls. The difference between these two things – overall systems and facility internal controls – is that the latter contains a broader variety of internal controls.

Lastly, auditors have to sign off on a statement of assertion, which has to be composed by the managers of data centers themselves. These statements of assertion, more or less, consist of various pledges that data center managers agree to hold themselves to.

If it’s not already clear, the SSAE 16 data center certification supersedes its SAS 70 Type II counterpart, though many data centers hire auditors to hold them to both of these standards.

SOC Types 1, 2, and 3 data center certifications

The AICPA also provides regulatory guidelines called Service Organization Controls for data centers. Also known as SOCs, Service Organization Control reports fall under the categories of Types 1, 2, and 3.

Service Organization Control reports cover five distinct, well-defined areas of internal controls: privacy, availability, processing integrity, security, and confidentiality. Without getting into the definition of each of these fingers of coverage, just know that they collectively make up the focus of the AICPA’s Trust Services Principles and Criteria.

We won’t be going over the differences between the types of Service Organization Controls. Rather, we’ll discuss the basics of SOC Type 2 data center certifications, which are the most comprehensive and stringent of the three, some of which has already been discussed above.

Service Organization Control Type 2 compliance addresses organizations that provide information technology and cloud computing services. The AICPA’s Attestation Standard 101 is used extensively in auditing data centers to determine whether they are certified under Service Organization Control standards.

Auditors must sign off on written statements of assertion, which are written directly by the managers of data centers. These statements must contain descriptions of the data center systems that data centers use to operate.

LEED data center certification

The United States Green Building Council developed and oversees LEED data center certification, which standards for Leadership in Energy and Environmental Design.

In the United States, data centers aren’t required to uphold themselves to LEED standards, though many clients of data centers prefer them to be held to LEED standards.


The Uptime Institute defines four tiers for data centers to be classified under. Tier 1 data centers usually provide services to small businesses. They also have to be available for support at least 99.671 percent of the time, which equates to an annual downtime of just 29 hours.

Tier 2 data centers must be available 99.749 percent of the time, equating to an annual downtime of precisely 22 hours. They often provide services to mid-sized and small businesses.

Tier 3 data centers can only be out of service for 1.6 hours each year, must be fault-tolerant, and able to sustain operation throughout a three-day power outage.

The largest businesses and organizations outsource their data center needs to Tier 4 data centers, which are only down a maximum of two-and-a-half minutes each year. This means they’re available at least 99.995 percent of the time. They also have to sustain at least two independent utility paths, be able to stay open throughout a 96-hour power outage, and be fully redundant.