Security Snapshot
SOC 2 Type II, annually audited. MFA required on new-device sign-ins with TOTP, SMS and FIDO2 factors. CPNI aligned with the FTC framework and Communications Act requirements. TLS 1.2/1.3 on the management plane, SRTP on managed voice, 3GPP-standard radio encryption on wireless. ISO 27001 alignment across the operations organisation. Audit letters available on request to Platinum and Diamond tier accounts.
Audit Coverage & Independent Assessment
Independent assessment across the Verizon estate follows the SOC 2 Type II framework. An independent accountant runs the Verizon audit annually against the trust-service criteria for security, availability and confidentiality. The Verizon scope covers the master-admin console, billing surfaces, provisioning systems and the supporting operational workflows. A Type II report covers the operating effectiveness of Verizon controls over an observation window, which is why Verizon customers reference it rather than a Type I point-in-time attestation. Verizon does not self-publish the underlying workpapers; the independent auditor's report is the evidence artifact. Verizon audit letters are renewed annually.
The Verizon audit letter documents scope, period, exceptions and the independent auditor's opinion. Verizon Platinum and Diamond tier accounts can request the letter under a short NDA during procurement due-diligence, which is the typical workflow for a Fortune 500 information-security office reviewing a new Verizon engagement. Mid-market Verizon customers receive a summary attestation on request. Verizon ISO 27001 alignment adds a second framework lens on the same Verizon control set, with annual internal-audit cycles feeding into the Verizon certification. Verizon does not claim FedRAMP authorisation on the commercial console.
Authentication & Admin Identity
Multi-factor authentication is enforced on new-device sign-ins to the My Verizon admin console. Verizon primary admins can set policy across every secondary admin in the scope so that Verizon MFA is mandatory rather than opt-in. Supported Verizon factors span TOTP authenticator apps (Google Authenticator, Microsoft Authenticator, 1Password), SMS one-time codes on trusted phone numbers and hardware FIDO2 keys (YubiKey, Titan). Verizon device-trust cookies issued after a successful MFA challenge last seven days by default and can be shortened to per-session in high-sensitivity Verizon tenants. Verizon does not issue soft-MFA bypass tokens. Verizon also forbids password-only sign-in on any admin account.
Federation against the corporate identity provider is supported through SAML 2.0 assertions for Mid-Market and higher tiers. Customers who run their own Okta, Entra ID or Ping Identity tenants can offload identity entirely to the IdP and land admins on the console already authenticated. SCIM 2.0 provisioning adds and removes admin accounts in step with the IdP's HR-driven joiner-mover-leaver flow, which is the cleanest way to keep admin scope aligned with the current employee roster.
Session-level controls include configurable inactivity timeout (15 minutes default, down to 5 minutes in high-sensitivity tenants), IP allowlisting against the admin console for regulated customers and admin-action audit logging consumable by the customer's SIEM. Failed-authentication lockout triggers after five consecutive failed attempts within ten minutes, with an admin reset workflow available through the business-care queue.
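The lockout and allowlist rules described above can be checked mechanically. The following is an added example, not Verizon code: it applies the stated policy (five consecutive failed attempts within ten minutes, a successful sign-in clearing the run) to a constructed admin-auth log, and checks a source address against a CIDR allowlist. The log lines, account names and CIDR ranges are constructed for illustration.

```python
"""Added example (not Verizon's code): evaluate the admin-console lockout
policy and an IP allowlist over constructed sign-in events."""
import ipaddress
from collections import deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # five consecutive failures ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... within ten minutes, per the policy above

# Constructed sample events: "<ISO timestamp> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 admin.alice FAIL
2024-05-01T09:01:10 admin.alice FAIL
2024-05-01T09:02:30 admin.alice FAIL
2024-05-01T09:03:45 admin.alice FAIL
2024-05-01T09:04:50 admin.alice FAIL
2024-05-01T09:05:00 admin.bob FAIL
2024-05-01T09:06:00 admin.bob SUCCESS
2024-05-01T09:07:00 admin.bob FAIL
2024-05-01T09:20:00 admin.carol FAIL
2024-05-01T09:31:00 admin.carol FAIL
2024-05-01T09:32:00 admin.carol FAIL
2024-05-01T09:33:00 admin.carol FAIL
2024-05-01T09:34:00 admin.carol FAIL
"""


def parse_events(text):
    """Turn the constructed log into (timestamp, account, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, outcome))
    return events


def lockouts(events):
    """Return {account: time_of_lockout} for accounts that hit the threshold.

    Failures are tracked per account in a deque; a SUCCESS clears the run
    (the policy counts *consecutive* failures), and failures older than the
    ten-minute window are dropped before the threshold is compared.
    """
    failures = {}
    locked = {}
    for ts, account, outcome in sorted(events):
        if account in locked:
            continue  # already locked; further attempts go to the admin reset workflow
        run = failures.setdefault(account, deque())
        if outcome == "SUCCESS":
            run.clear()
            continue
        run.append(ts)
        while run and ts - run[0] > LOCKOUT_WINDOW:
            run.popleft()
        if len(run) >= LOCKOUT_THRESHOLD:
            locked[account] = ts
    return locked


def ip_allowed(source_ip, allowlist):
    """True if source_ip falls inside any CIDR range on the tenant allowlist."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


if __name__ == "__main__":
    for account, when in lockouts(parse_events(SAMPLE_LOG)).items():
        print(f"{account} locked at {when.isoformat()}")
    print(ip_allowed("203.0.113.7", ["203.0.113.0/24"]))
```

In the sample, admin.alice is locked at the fifth failure, admin.bob is not (the success resets the run), and admin.carol is not either: the first failure falls outside the ten-minute window by the time the fifth arrives, leaving only four in the window.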
CPNI, Data Handling & Regulatory Alignment
Customer proprietary network information covers call-detail records, usage metadata, service-feature data and account-lineup data. Handling aligns with the FCC Title II Common Carrier rules and the FTC privacy framework. CPNI is accessed only through role-scoped queries inside the admin console, with every read event written to the audit trail. Marketing use of CPNI is governed by the standard opt-in language and is documented in the privacy notice.
Data-processing agreements are available for customers who require GDPR-style contractual commitments under a U.S. processing footprint. HIPAA-eligible service profiles apply to wireless, voice and unified-communications products with a signed business-associate agreement. The business portfolio does not process cardholder data on the customer's behalf, so PCI DSS scope does not apply to Verizon Business as a service provider; the customer's own cardholder environment remains the PCI DSS boundary.
Encryption, Network Controls & Fraud Protection
Management-plane traffic to the Verizon Business portal runs over TLS 1.2 and 1.3 with modern cipher suites, HSTS preload and certificate pinning on the native apps. Managed-voice SIP seats and direct-routed Microsoft Teams run over SRTP. Wireless traffic is encrypted at the radio layer under the 3GPP-standard 5G and 4G LTE security profiles. Fios and DIA customer LAN segments are isolated from other tenants through VRF separation on the edge plant.
Fraud protection at the Verizon wireless layer includes SIM-swap protection, number-lock against unauthorised port-out, device-change verification against a registered admin contact and anomalous-usage alerts surfaced in the admin dashboard. Verizon account-level fraud monitoring flags logins from geographies inconsistent with the admin's recent pattern, unusual provisioning activity and large bulk-SIM activations outside the business day. Verizon alerts post to the resource-center ticket queue and to the primary admin's email in parallel. Verizon also publishes a quarterly fraud-posture brief for Platinum and Diamond customers that references aggregate signals observed across the Verizon estate.
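Two of the account-level signals above, a login from a geography outside the admin's recent pattern and a bulk-SIM activation outside the business day, are simple enough to express as rules over an event stream. The following is an added example, not Verizon code, run over constructed events; the bulk threshold, the business-hours window and the size of the "recent logins" baseline are assumptions chosen for illustration, not Verizon figures.

```python
"""Added example (not Verizon's code): two fraud-monitoring rules evaluated
over constructed admin events. Thresholds are assumed, not Verizon's."""
from collections import defaultdict
from datetime import datetime, time

BULK_SIM_THRESHOLD = 50              # assumed: activations at or above this count are "bulk"
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local business day, Monday to Friday
RECENT_LOGINS = 10                   # assumed size of the per-admin geography baseline

# Constructed sample events: (ISO timestamp, account, event type, detail).
# detail is an ISO country code for logins and an activation count for SIMs.
SAMPLE_EVENTS = [
    ("2024-05-06T09:12:00", "admin.alice", "login", "US"),
    ("2024-05-07T08:55:00", "admin.alice", "login", "US"),
    ("2024-05-08T09:03:00", "admin.alice", "login", "US"),
    ("2024-05-09T02:41:00", "admin.alice", "login", "RU"),          # outside recent pattern
    ("2024-05-09T02:45:00", "admin.alice", "sim_activate", "120"),  # bulk, 02:45 on a weekday
    ("2024-05-09T10:00:00", "admin.bob", "sim_activate", "30"),     # small, in hours
    ("2024-05-11T11:00:00", "admin.bob", "sim_activate", "80"),     # bulk, Saturday
]


def outside_business_day(ts):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def flag_events(events):
    """Return a list of (timestamp, account, rule, reason) alerts.

    geo_anomaly: the login country is absent from the admin's last
    RECENT_LOGINS login countries (the first login seeds the baseline).
    bulk_sim_off_hours: a SIM activation at or above the bulk threshold
    that lands outside the business day.
    """
    alerts = []
    login_history = defaultdict(list)  # account -> countries of recent logins
    for ts_s, account, kind, detail in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        if kind == "login":
            recent = login_history[account][-RECENT_LOGINS:]
            if recent and detail not in recent:
                alerts.append((ts_s, account, "geo_anomaly",
                               f"login from {detail}; recent: {sorted(set(recent))}"))
            login_history[account].append(detail)
        elif kind == "sim_activate":
            count = int(detail)
            if count >= BULK_SIM_THRESHOLD and outside_business_day(ts):
                alerts.append((ts_s, account, "bulk_sim_off_hours",
                               f"{count} SIM activations at {ts.strftime('%a %H:%M')}"))
    return alerts


if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately stateful per admin: the geography baseline is built from that admin's own history rather than a global country list, so a tenant whose staff legitimately sign in from several countries is not flooded with alerts, and the bulk rule only fires when volume and timing are both unusual.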
Incident Response & Breach Notification
Suspected incidents are reported via the 24/7 business line at 1-866-477-3929 or through the resource-center escalation path. The response team triages within one hour of first report, contains the event according to the incident-response playbook and coordinates customer notification under the applicable state breach-notification laws. Sector regulators including the FCC and FTC are notified where the applicable thresholds are crossed, and the customer is kept in the loop throughout.
Control Mapping
The headline controls and the standards they map to. Scope names the surface each control covers.
| Control | Standard | Scope |
|---|---|---|
| SOC 2 Type II audit | AICPA TSC 2017 | Portal, billing, provisioning |
| ISO 27001 alignment | ISO/IEC 27001:2022 | Operations estate |
| MFA enforcement | NIST SP 800-63B AAL2 | My Verizon admin console |
| CPNI handling | 47 CFR 64.2001 / FTC framework | Customer account data |
| TLS management plane | TLS 1.2 / 1.3 with HSTS | Portal, APIs |
| SRTP voice encryption | RFC 3711 | Managed SIP, direct-routed Teams |