The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.
See the IBM Cloud infrastructure system description (PDF, 788 KB)
SOC 1 is an audit of the internal controls at a service organization implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge service organization internal controls implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.
Contact an IBM representative to request the IBM® public cloud (infrastructure, VPC, and PaaS) SOC 1 and and SOC 2 reports.
A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users that don't need the full details of an SOC 2 report.
See the IBM Cloud Virtual Private Cloud SOC 3 report (PDF, 381 KB)
See the IBM Cloud infrastructure SOC 3 report (PDF, 605 KB)
See the IBM Cloud platform as a service (PaaS) SOC 3 report (PDF, 443 KB)
See the IBM Cloud Foundry Public SOC 3 report (PDF, 356 KB)
Learn more about the IBM Cloud platform services listed below.