IBM public cloud continues to expand our compliance posture for Infrastructure- and Platform-as-a-Service (IaaS and PaaS) offerings with the System and Organization Controls (SOC) framework.
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified Public Accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.
SOC audits and reports
SOC 1 is an audit of the internal controls at a service organization that were implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge the internal controls at a service organization that were implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.
A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users who don’t need the full details of a SOC 2 report.
Clients with an IBM Cloud account seeking SOC 1 and SOC 2 reports for IBM Cloud Infrastructure offerings may use this page. Upon form completion, clients will receive an email with the requested artifacts attached.
Clients who don’t have an IBM Cloud account seeking IBM Cloud Infrastructure and IBM Cloud PaaS SOC 1 and SOC 2 reports may use this form. Upon form completion, clients will be contacted by an IBM representative.