The Changing State of Data Center Auditing Requirements

Data center auditing requirements are changing as new rules appear and old ones evolve.

Christopher Tozzi, Technology Analyst

March 10, 2023

3 Min Read
Server room with purple and green lights.
devilmaya / Alamy Stock Photo

Few people get excited about auditing or regulatory requirements. However, given the rapid pace of change within the regulatory and compliance landscape in recent years, there is reason to get excited about data center auditing. The auditing rules that data centers need to meet are changing in some ways, and stakeholders must track and respond to the changes if they want to remain in compliance with the various regulatory and industry auditing standards they need to meet.

Data center auditing overview

Data center auditing procedures fall into two main categories:

  • Audits that data center operators voluntarily perform to help optimize cost, performance, security, and other priorities.

  • Audits that are required by regulations or industry standards.

The first category consists of audits that are subjective and vary widely from one data center to another. Given this, it's hard to identify any central trends involving voluntary audits.

The second type of data center audit – audits that are formally required by regulations – has seen a lot of change in recent years.

Perhaps the most notable shift was the replacement of SAS 70 and SSAE 16, which are auditing standards that play a key role in SOC 2 compliance, with SSAE 18, which is an updated version of the standard. This change doesn't fundamentally alter the reporting requirements for data centers that need to achieve SOC compliance, but it does update some of the reporting details.

Related:Audit Finds Department of Defense Cloud Use Poorly Defined and Tracked

Another major compliance change currently in the works is the introduction of PCI DSS 4.0, which took effect in March 2022. PCI DSS is a set of compliance standards maintained by the payment processing industry. The rules aren't designed for data centers in particular – indeed, data centers are not an explicit focus of PCI DSS – but are a consideration for data centers that want to host workloads that process payments in some way.

For that reason, data center operators may need to update their auditing strategies to reflect the new rules introduced by PCI DSS 4 – which, among other enhancements, imposes much stricter requirements related to security and authentication. Those requirements could impact the physical and virtual security protections that data centers need to implement if they want to achieve PCI DSS compliance.

Beyond auditing: Other data center compliance changes

Beyond PCI DSS, there are a host of other compliance regulations and standards that some data centers may need to meet, especially if they cater to certain industries or operate in certain regions.

Related:Hackers That Took Down Saudi Oil Site Probing US Power Grid

For example, data centers that host healthcare-related workloads may need to comply with HIPAA, the major healthcare data privacy protection regulation in the United States. The GDPR, CPRA, and CCPA data privacy regulations also impact data centers that are based in – or, in some cases, merely serve users based in – particular jurisdictions.

These compliance frameworks haven't seen major updates in recent years, so auditing strategies that data centers already have in place to help comply with HIPAA, GDPR, CCPA and similar regulations should continue to work for the foreseeable future.

However, some changes may be in the works over the course of 2023 at least for HIPAA, so data center operators should monitor the compliance landscape closely to make sure they remain compliant with whichever auditing or other mandates the regulations impose.


The auditing requirements that data centers must heed haven't been totally upended, but they are changing in notable ways. If you're not paying attention – and if your data center auditing strategy is stuck in the 2010s – now's the time to figure out how to meet new and emerging auditing mandates.

About the Author(s)

Christopher Tozzi

Technology Analyst, Fixate.IO

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like