IBM Cloud continues to expand its compliance posture for Platform as a Service (PaaS) offerings with the System and Organization Controls (SOC) framework.
The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified Public Accountants (CPAs) audit cloud service providers (CSPs) and issue internal control reports on the services that the service organization provides. SOC reports can help users assess and address the risks associated with an outsourced service.
- SOC 1 is an audit of the internal controls at a service organization that were implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
- SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge the internal controls at a service organization that were implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.
- SOC 3 reports are condensed, publicly available versions of the SOC 2 Type 2 audit report on the controls that service organizations have put in place. SOC 3 reports are intended for users who don’t need the full details of a SOC 2 report.
A full list of IBM Cloud services with SOC reports available (published SOC 3 reports and options to request SOC 1 and SOC 2 reports) can be found here.
IBM Cloud Services newly audited for SOC
For SOC 1 Type 2:
- IBM Cloud App Service
- IBM Cloud Certificate Manager
- IBM Cloud Continuous Delivery
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for MongoDB EE
- IBM Cloud Functions
- IBM Cloud Schematics
- IBM Cloud Event Streams for IBM Cloud Standard
For SOC 2 Type 1:
- IBM Cloud Hyper Protect Crypto Services
- IBM Cloud Hyper Protect DBaaS for MongoDB
- IBM Cloud Hyper Protect DBaaS for PostgreSQL
- IBM Cloud Hyper Protect Virtual Servers
For SOC 2 Type 2:
- IBM Cloud App Service
- IBM Cloud Certificate Manager
- IBM Cloud Continuous Delivery
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for MongoDB EE
- IBM Cloud Functions
- IBM Cloud Monitoring with Sysdig
- IBM Cloud Schematics
- IBM Cloud Event Streams for IBM Cloud Standard
For SOC 3 (reports published here):
- IBM Cloud App Service
- IBM Cloud Certificate Manager
- IBM Cloud Continuous Delivery
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for MongoDB EE
- IBM Cloud Functions
- IBM Cloud Schematics
- IBM Cloud Event Streams for IBM Cloud Standard