About IBM Cloud global compliance programs

As cloud computing markets continue to expand, so does the challenge of compliance and data protection across international boundaries. To help you meet global guidelines, IBM Cloud® provides programs and certifications that help you establish and strengthen compliance for a wide range of internationally recognized standards.

CIS

Center for Internet Security® (CIS) Benchmarks are a collection of industry best practices for securely configuring IT systems, software, and networks. Benchmark guidance is informed by CIS controls that map to other security frameworks, including HIPAA, the ISO 27000 family, NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF), NIST SP 800-53, PCI DSS, and others. IBM Cloud supports the development of the CIS Benchmarks™.

The CIS® IBM Cloud Foundations Benchmark is available to help clients securely adopt IBM Cloud services for executing digital transformation strategies with compliance management consistency. The benchmark controls can be configured to monitor resources through the IBM Cloud Security and Compliance Center, which has also been awarded CIS security software certification.

View the CIS IBM Cloud Foundations Benchmark (link resides outside IBM)

View the CIS security software certification for the CIS Benchmark for IBM Cloud Foundations v1.0.0, Level 1 and Level 2 (link resides outside IBM).

Services in the CIS IBM Cloud Foundations Benchmark include:
IBM Cloud Activity Tracker with LogDNA
IBM Cloud Block Storage for Virtual Private Cloud
IBM Cloud Container Registry
IBM Cloud Databases for DataStax 
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for MongoDB Enterprise 
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Internet Services
IBM Cloud Object Storage
IBM Cloud Platform - Public - Identity and Access Management (IAM)
IBM Cloud Platform - Public - Security and Compliance Center
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Server for VPC
IBM Cloudant® for IBM Cloud
IBM Key Protect for IBM Cloud

CSA STAR

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote security assurance best practices within cloud computing. CSA provides the Security, Trust and Assurance Registry (STAR) — a free, publicly accessible registry that documents the security controls provided by cloud computing offerings.

IBM publishes several CSA STAR Level 1 Self-Assessment Consensus Assessments Initiative Questionnaires, including IBM Cloud Infrastructure, IBM Cloud Platform, IBM Cloud Services, and IBM Watson® on IBM Cloud.

ISO

The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal: to ensure that products and services are safe, reliable and of good quality.

ISO 9001 - IBM Cloud infrastructure certificate (PDF, 1.1 MB)

ISO 20243 – IBM self-assessment certifications - Open Trusted Technology Provider™ Standard (O-TTPS)

ISO 22301 - IBM Cloud infrastructure certificate (PDF, 619 KB)

ISO 27001 - IBM Cloud infrastructure certificate (PDF, 618 KB)

ISO 27001 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 558 KB)

ISO 27001 / 27017 / 27018 / 27701 - IBM Enterprise & Technology Security (PaaS and SaaS) certified product listing (PDF, 168 KB)

ISO 27001 - IBM Cloud platform certificate - China (PDF, 408 KB)

ISO 27001 - IBM Watson Cloud technology and support certificate

ISO 27017 - IBM Cloud infrastructure certificate (PDF, 567 KB)

ISO 27017 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 475 KB)

ISO 27018 - IBM Cloud infrastructure certificate (PDF, 482 KB)

ISO 27018 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 475 KB)

ISO 27701 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 557 KB)

ISO 31000 - IBM Cloud infrastructure certificate (PDF, 566 KB)

Contact an IBM representative to request the ISO 27001 Statement of Applicability (SOA) for an offering with ISO 27001 certification.

IBM Cloud services: ISO

IBM Cloud platform services certified with ISO 9001, ISO 22301 and ISO 31000 include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

IBM Cloud ISO-certified services

See a list of IBM Cloud services certified with ISO 27001, ISO 27017 and ISO 27018.

View listing (PDF, 168 KB)

IBM corporate certifications

IBM has obtained corporate certifications for ISO 9001, ISO 14001, ISO 20243, ISO 50001 and OHSAS 1800.

View more information

SOC

The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.

See the IBM Cloud infrastructure system description (PDF, 788 KB)

SOC 1 is an audit of the internal controls at a service organization implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge service organization internal controls implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.

Contact an IBM representative to request the IBM® public cloud (infrastructure, VPC, and PaaS) SOC 1 and  and SOC 2 reports.

A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users that don't need the full details of an SOC 2 report.

See the IBM Cloud Virtual Private Cloud SOC 3 report (PDF, 381 KB)

See the IBM Cloud infrastructure SOC 3 report (PDF, 605 KB)

See the IBM Cloud platform as a service (PaaS) SOC 3 report (PDF, 443 KB)

See the IBM Cloud Foundry Public SOC 3 report (PDF, 356 KB)

Learn more about the IBM Cloud platform services listed below.

SOC logo

IBM Cloud platform services with SOC 1 Type 2 reports include:

IBM Cloud App ID
IBM Cloud App Service
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for
Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Continuous Delivery
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Flow Logs for VPC
IBM Cloud Functions
IBM Cloud for VMware Solutions
IBM Cloud Foundry Public
IBM Cloud Hardware Security Module
IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
IBM Cloud Load Balancer
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform – Public
IBM Cloud Schematics
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Servers
IBM Cloudant Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud
IBM Push Notifications for IBM Cloud

IBM Cloud platform services with SOC 2 Type 1 reports include:

IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS for MongoDB
IBM Cloud Hyper Protect DBaaS for PostgreSQL
IBM Cloud Hyper Protect Virtual Servers

IBM Cloud platform services with SOC 2 Type 2 reports include:

IBM Cloud Activity Tracker with LogDNA (via LogDNA)
IBM Cloud App ID
IBM Cloud App Service
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for
Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Continuous Delivery
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Dedicated
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Flow Logs for VPC
IBM Cloud Functions
IBM Cloud for VMware Solutions
IBM Cloud Foundry Public
IBM Cloud Hardware Security Module
IBM Cloud Internet Services (via Cloudflare)
IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
IBM Cloud Load Balancer
IBM Cloud Messages for RabbitMQ
IBM Cloud Monitoring with Sysdig
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform – Public
IBM Cloud Schematics
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Servers
IBM Cloudant Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud
IBM Log Analysis with LogDNA (via LogDNA)
IBM Push Notifications for IBM Cloud

Offerings in the IBM Cloud Virtual Private Cloud SOC 3 report include:

IBM Cloud Block Storage for
Virtual Private Cloud
IBM Cloud Flow Logs for VPC
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Server for VPC

Offerings in the IBM Cloud PaaS SOC 3 report include:

IBM Cloud App ID
IBM Cloud Container Registry
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Dedicated
IBM Cloud for VMware Solutions
IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Platform - Public
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud
IBM Push Notifications for IBM Cloud

Offerings in the IBM Cloud PaaS Additional Offerings SOC 3 report include:

IBM Cloud App Service
IBM Cloud Certificate Manager
IBM Cloud Continuous Delivery
IBM Cloud Functions
IBM Cloud Schematics

Offerings in the IBM Cloud infrastructure services SOC 3 report include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

Offerings in the IBM Cloud Foundry Public SOC 3 report include:

IBM Cloud Foundry Public