The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified Public Accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.
See the IBM Cloud infrastructure system description (PDF, 511 KB)
SOC 1 is an audit of the internal controls at a service organization implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge service organization internal controls implemented to protect customer-owned data relevant to security, availability and processing integrity. SOC 2 reports provide details about the nature of those internal controls.
Register or log in to request the IBM public cloud (infrastructure and PaaS) SOC 1 and SOC 2 reports.
Contact an IBM representative to request the SOC 1 and SOC 2 reports for all other IBM Cloud services.
A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users that don't need the full details of an SOC 2 report.
See the IBM Cloud infrastructure SOC 3 report (PDF, 417 KB)
See the IBM Cloud platform as a service (PaaS) SOC 3 report (PDF, 242 KB)
Learn more about the IBM Cloud platform services listed below.