FedRAMP (the Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Read more about the FedRAMP program

FedRAMP authorizes cloud systems with a three-step process that includes security assessment, leveraging and authorization, and ongoing assessment and authorization. All Bluemix data centers are built to FedRAMP standards. The SoftLayer Federal Cloud is authorized by the U.S. Government to provide services to U.S. Federal Agencies. The authorization can be viewed at FedRAMP (the Federal Risk and Authorization Management Program).



The Federal Information Security Management Act of 2002 (FISMA) ensures the security of data in the federal government.

Read more about the FISMA Reports

The act requires program officials and agency heads to conduct annual reviews of information security programs to keep risks at or below specified acceptable levels in a cost-effective, timely, and efficient manner. All Bluemix data centers are built to FISMA standards.



To address emerging threats, the FFIEC requires financial organizations to continuously perform risk assessments, adjust control mechanisms as appropriate in response, and implement a layered approach to security. In compliance with FFIEC, Bluemix identifies key controls required to meet the FFIEC guidance, identify emerging threats, address their impact, and apply layered security to prevent client fraud.


SOC Reports

You can download the Bluemix IaaS/SoftLayer SOC 1 and SOC 2 reports from the customer portal or contact our sales team. Our SOC 3 report is available for general use and can be accessed here: Bluemix IaaS/SoftLayer SOC 3 Report

Read more about the SOC Reports

Bluemix IaaS/SoftLayer provides SOC 1, SOC 2 and SOC 3 reports, evaluating Bluemix IaaS/SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for services providers such as Bluemix IaaS/SoftLayer to safeguard customer data and information.


ISO 27001

ISO 27001 is a widely-adopted global security standard outlining the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments. Download ISO 27001 certificates here:

IBM SoftLayer ISO 27001 certificate
IBM Bluemix ISO 27001 certificate
IBM SaaS ISO 27001 certificate

Read more about the ISO 27001

To achieve ISO 27001:2013 certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This standard emphasizes the measurement and evaluation of how well an organization’s Information Security Management System (ISMS) is performing and also includes information security related controls based system along with other requirements.

The Bluemix platform is audited by a third-party security firm and meets all requirements for ISO 27001 in every assessed data center:


ISO 27017

The Bluemix IaaS/SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27017 in every assessed data center: Bluemix IaaS/SoftLayer ISO 27017:2015 Certificate of Registration.

Read more about the ISO 27017

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud services as well as implementation guidance for both cloud service providers and cloud service customers. ISO 27017 provides implementation guidance for relevant controls specified in ISO/IEC 27002 as well as additional controls and guidance that specifically relate to cloud services.

Bluemix IaaS/SoftLayer’s alignment with ISO 27017:2015 demonstrates our highly sophisticated system of cloud-specific controls and our commitment to being the best in IaaS/


ISO 27018

The Bluemix IaaS/SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27018: Bluemix IaaS/SoftLayer ISO 27018:2014 Certificate of Registration.

Read more about the ISO 27018

ISO 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

In particular, ISO 27018:2014 specifies guidelines based on ISO 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.


Cloud Security Alliance — STAR Registrant

Read Bluemix IaaS/SoftLayer’sSTAR Consensus Assessment Initiative Questionnaire.

Read more about Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR)—a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.


PCI Compliance

For more information about and assistance to achieve, certify, and maintain PCI compliance for your SoftLayer environment, please contact our sales team.

Read more about the PCI Compliance

If you store or process credit card data then PCI Compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). We help our customers meet their PCI compliance needs by providing an Attestation on Compliance from an independent QSA. The Attestation on Compliance can be used in conjunction with our SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls. Customers and their auditors can use our reports to verify the PCI controls that are SoftLayer’s responsibility are met.


HIPAA Compliance

The Bluemix IaaS/SoftLayer cloud platform is designed to be HIPAA ready for these purposes, and to conform to the security settings the customer selects for their particular environment.

Read more about HIPAA Compliance

The U.S. Health Insurance Portability and Accountability Act covers the storing and processing of protected health information (PHI and e-PHI). Companies and individuals falling under HIPAA must implement a set of technical, administrative and physical controls which are designed to secure this protected health information.

Bluemix IaaS/SoftLayer’s HIPAA-ready cloud platform is available to covered entities and business associates to support their HIPAA workloads. Clients should also be aware that Bluemix IaaS/SoftLayer regularly performs assessments of the HIPAA ready controls which apply to Bluemix IaaS/SoftLayer, in order to test their effectiveness. In accordance with HIPAA, Bluemix IaaS/SoftLayer offers a standard Business Associate Agreement* to its clients who intend to place HIPAA workload in Bluemix IaaS/SoftLayer cloud.

* Please note that Bluemix IaaS/SoftLayer’s managed services or public (multi-tenant) virtual hosting services are not designed to be HIPAA ready and so not proper repositories of PHI.


HITRUST Assessment

IBM Bluemix IaaS has completed a corporate-wide HITRUST CSF Self-Assessment. The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.



The GSMA's Security Accreditation Scheme for Subscription Management (SAS-SM) ensures industry confidence in the security of remote provisioning for embedded SIMs.

The following sites have been awarded SAS-SM certification for data centre operations and management, enabling them to offer cloud hosting to subscription management service providers:

Dallas Data Center DAL09
Paris Data Center PAR01


CJIS Standards

For more information about how to leverage Bluemix IaaS/SoftLayer for Criminal Justice Information workloads, download our guide on Leveraging SoftLayer for CJIS workloads.

Read more about CJIS Standards

The Criminal Justice Information Systems (CJIS) Division is a division of the United States Department of Justice Federal Bureau of Investigation. CJIS Division created and published a Security Policy (CJISD-ITS-DOC-08140-5.4), which contains minimum information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).


EU Model Clauses

Bluemix IaaS/SoftLayer offers its customers the ability to choose precisely where to locate data, with data centers on five continents. For more information and delivery of the EU Model Clauses for your Bluemix IaaS/SoftLayer environment, please contact our sales team.

Read more about EU Model Clauses

For customers who wish to transfer data originating in the European Economic Area to a country outside the EEA, SoftLayer offers European Model Clauses in the form approved by the European Commission and European Union's data protection authorities. The European Model Clauses guarantee European customers that SoftLayer supports the necessary data privacy protections in every location on the globe.


Privacy Shield

IBM Bluemix is an approved member of the EU-US Privacy Shield Framework. Read the IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services for more information.


IBM ISO Management System Certifications

IBM has obtained corporate-wide certifications for ISO 9001, ISO 14001, ISO 50001 and OHSAS 1800. Read the IBM Management System certifications.