Compliance certifications

ISO 27001

ISO 27001 is a widely adopted international standard that specifies the requirements for an information security management system (ISMS). It provides a systematic approach to managing company and customer information, driven by periodic risk assessments.

View our certificates


IBM Cloud™ IaaS certificate – ISO 27001 (PDF, 368 KB)

IBM Cloud Services (PaaS and SaaS) certificate – ISO 27001 (PDF, 576 KB)

IBM Cloud Services (PaaS and SaaS) certified cloud product listing (PDF, 23.2 KB)

IBM Cloud PaaS certificate – China – ISO 27001 (PDF, 186 KB)

IBM Watson Cloud Technology & Support certificate – ISO 27001 (PDF, 135 KB)


ISO 27017

ISO 27017 provides guidelines for information security controls that apply to the provisioning and use of cloud services, together with implementation guidance for both cloud service providers and cloud service customers.

View our certificates

IBM Cloud IaaS certificate – ISO 27017 (PDF, 357 KB)

IBM Cloud Services (PaaS and SaaS) certificate – ISO 27017 (PDF, 358 KB)


ISO 27018
ISO 27018 establishes commonly accepted control objectives, controls and guidelines for protecting Personally Identifiable Information (PII) in public cloud environments, in accordance with the privacy principles of ISO/IEC 29100.

View our certificates

IBM Cloud IaaS certificate – ISO 27018 (PDF, 357 KB)

IBM Cloud Services (PaaS and SaaS) certificate – ISO 27018 (PDF, 358 KB)


ISO 9001

ISO 9001 specifies the requirements for a quality management system. Certification helps ensure that customers receive products and services of consistent quality.


IBM Cloud IaaS certificate – ISO 9001 (PDF, 412 KB)


ISO 22301
ISO 22301 specifies the requirements for planning, establishing, implementing, operating, monitoring, reviewing and maintaining a business continuity management system (BCMS) within an organization. A BCMS helps an organization prepare for, protect against and recover from disruptive incidents when they arise.


IBM Cloud IaaS certificate – ISO 22301 (PDF, 375 KB)


ISO 31000
ISO 31000 provides principles, a framework and a process for managing risk. Its purpose is to let an organization's subject matter experts compare their risk management practices against an internationally recognized benchmark and align those practices with the standard.


IBM Cloud IaaS certificate – ISO 31000 (PDF, 377 KB)


SOC 1, SOC 2 and SOC 3

A SOC 1 report focuses on controls at the service organization that are relevant to user entities and their auditors when planning a financial statement audit of the user entity and evaluating its internal control over financial reporting. SOC 2 and SOC 3 reports let service organizations communicate information about their system description, assessed against the AICPA Trust Services Criteria for security, availability and confidentiality. A SOC 2 report is restricted to customers and prospects under NDA; a SOC 3 report is a general-use summary that can be published.

Request the IBM Cloud IaaS SOC 1 bridge letter through the client portal (link resides outside IBM).

To request the IBM Cloud SOC 1 bridge letter for all other cloud services, contact an IBM Sales representative (link resides outside IBM).

Request the IBM Cloud IaaS SOC 1 or SOC 2 report (or both) through the client portal (link resides outside IBM).

To request the IBM Cloud SOC 1 or SOC 2 report (or both) for all other cloud services, contact an IBM Sales representative (link resides outside IBM).

View our IBM Cloud IaaS SOC 3 report (PDF, 495 KB)

SOC 1, SOC 2 and SOC 3 (PDF, 162 KB)

PCI DSS

To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council (link resides outside IBM) established the Payment Card Industry Data Security Standard (PCI DSS). The standard incorporates best practices for protecting cardholder data, and validation of compliance typically requires an assessment by a third-party Qualified Security Assessor (QSA).

Request the IBM Cloud IaaS certificate through IBM's client portal (link resides outside IBM).

To request the IBM PCI certificate for all other cloud services, contact an IBM Sales representative.



HITRUST CSF

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF) (link resides outside IBM), a certifiable framework that helps healthcare organizations and their service providers demonstrate their security and compliance in a consistent, streamlined manner.


View the IBM Cloud IaaS certificate (PDF, 66 KB)



FedRAMP (US)

FedRAMP (the Federal Risk and Authorization Management Program) (link resides outside IBM) is a US government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by federal agencies.


View the IBM Cloud IaaS FedRAMP authorization (link resides outside IBM)

IRAP (Australia)
The Information Security Registered Assessors Program (IRAP) (link resides outside IBM) is an initiative of the Australian Signals Directorate (ASD) that supports the security of Australian government information and communications technology (ICT) services. IRAP provides the framework under which ASD endorses suitably qualified individuals from the private and public sectors to provide cyber security assessment services to Australian governments.


View the ASD certificate (link resides outside IBM)

IBM ISO Management System Certification
IBM has obtained corporate-wide certifications for ISO 9001, ISO 14001, ISO 50001 and OHSAS 18001. Read the IBM Management System certifications.

Global regulations

EU Model Clauses
EU Model Clauses (also known as Standard Contractual Clauses) are available to controllers and processors of the Personally Identifiable Information (PII) of EU data subjects. The clauses oblige companies outside the EU to apply EU data-protection standards wherever in the world the data is processed. They give companies that hold EU PII enforceable rights and assurance that providers located outside the EU will process the data only in accordance with their instructions and in conformance with EU law.


FERPA (US)

Security is central to compliance with the Family Educational Rights and Privacy Act (FERPA) (link resides outside IBM), which requires that student information be protected from unauthorized disclosure. Educational institutions that use cloud computing need contractual assurance that a technology vendor will manage sensitive student data appropriately.

HIPAA (US)

The US Health Insurance Portability and Accountability Act (HIPAA) covers the storage and processing of protected health information (PHI), including electronic PHI (ePHI). Companies and individuals subject to HIPAA must implement a set of technical, administrative and physical safeguards designed to secure this protected health information.

Request the list of IaaS HIPAA-ready services through IBM's client portal (link resides outside IBM).

To request the list of all other IBM Cloud HIPAA-ready services, contact an IBM Sales representative.


My Number Act (Japan)
The Social Security and Tax Number System ("My Number") (PDF, 770 KB; link resides outside IBM) went into effect in Japan in January 2016. Under this act, a unique number is assigned to every resident in Japan, whether Japanese or foreign, to be used mainly for taxation and social security purposes. The Personal Information Protection Commission (PPC) (link resides outside IBM) has created guidelines (link resides outside IBM) to make sure companies properly handle and protect My Number information.


ITAR (US)

IBM Cloud provides offerings in both the federal and commercial space that support compliance with the United States International Traffic in Arms Regulations (ITAR) (link resides outside IBM). ITAR is an export control regulation designed to protect US defense articles, defense services and related technical data handled by US manufacturers, exporters and brokers. Under ITAR, only a US person may have physical or logical access to the articles stored in the ITAR environment unless authorization from the Department of State or a specific exemption has been obtained.


Cloud Computing Compliance Controls Catalog (C5) (Germany)
The Cloud Computing Compliance Controls Catalog (C5) (link resides outside IBM), introduced by the German Federal Office for Information Security (BSI), is a cloud-specific attestation scheme that sets out the requirements cloud service providers must meet to ensure a minimum security level for their cloud services. C5 raises the bar for cloud providers by combining existing security standards (such as ISO 27001) with additional requirements for transparency in data processing.

Request the IBM Cloud IaaS C5 attestation through the IBM Cloud client portal (link resides outside IBM), or contact an IBM Sales representative.

Alignments and frameworks

CJIS (US)

The Criminal Justice Information Services (CJIS) Division is a division of the US Federal Bureau of Investigation within the Department of Justice. The CJIS Division created and publishes the CJIS Security Policy, which sets out the minimum information security requirements, guidelines and agreements that law enforcement and criminal justice agencies expect for protecting the sources, transmission, storage and generation of Criminal Justice Information (CJI).


View IBM's guide (2.9 MB)


CSA STAR

The Cloud Security Alliance (CSA) (link resides outside IBM) is a not-for-profit organization whose mission is to promote the use of best practices for providing security assurance in cloud computing. One of the mechanisms the CSA uses in pursuit of that mission is the Security, Trust and Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls of cloud computing offerings.


View IBM's CSA STAR questionnaire


EU-US Privacy Shield
The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce together with the European Commission and the Swiss Federal Administration to give companies on both sides of the Atlantic a mechanism for meeting data-protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Note that the Court of Justice of the European Union invalidated the EU-US Privacy Shield as a transfer mechanism in July 2020 (Case C-311/18, "Schrems II"); transfers from the EU now rely on other mechanisms such as the Standard Contractual Clauses described above.


View IBM's policy

FFIEC (US)

To address emerging threats, the Federal Financial Institutions Examination Council (FFIEC) requires financial organizations to perform risk assessments continuously, adjust their controls in response and implement a layered approach to security. In line with the FFIEC guidance, IBM Cloud IaaS identifies the key controls required to meet that guidance, identifies emerging threats, addresses their impact and applies layered security to help prevent client fraud.

FISC (Japan)

The Center for Financial Industry Information Systems (FISC) (link resides outside IBM) was created by the Japanese Ministry of Finance to conduct research on financial information systems in Japan. FISC publishes guidelines to promote the security of information systems in the banking and financial industry. Although not mandated by law, the FISC guidelines are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

FISMA (US)

The Federal Information Security Management Act of 2002 (FISMA) (link resides outside IBM), as updated by the Federal Information Security Modernization Act of 2014, establishes the framework for securing information and information systems across the US federal government. FISMA requires program officials and agency heads to conduct annual reviews of their information security programs so that risk is kept at or below defined acceptable levels in a cost-effective, timely and efficient manner.



When you partner with IBM, you gain access not only to a full stack of IBM Cloud security services, but also to a security team supporting more than 12,000 customers in 133 countries. As a proven leader in enterprise security, we hold more than 3,500 security patents. And by combining the security immune system with advanced cognitive computing, we let organizations like yours continue to innovate while reducing risk.


IBM is committed to protecting the privacy and confidentiality of personal information about its employees, clients, IBM Business Partners (including contacts within client and IBM Business Partner ecosystems) and other identifiable individuals. Uniform practices for collecting, using, disclosing, storing, accessing, transferring or otherwise processing such information help IBM process personal information fairly and appropriately, and disclose or transfer it only under appropriate circumstances.