About IBM Cloud global compliance programs

As cloud computing markets continue to expand, so does the challenge of compliance and data protection across international boundaries. To help you meet global guidelines, IBM Cloud® provides programs and certifications that help you establish and strengthen compliance for a wide range of internationally recognized standards.

CIS

Center for Internet Security® (CIS) Benchmarks are a collection of industry best practices for securely configuring IT systems, software, and networks. Benchmark guidance is informed by CIS controls that map to other security frameworks, including HIPAA, the ISO 27000 family, NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF), NIST SP 800-53, PCI DSS, and others. IBM Cloud supports the development of the CIS Benchmarks™.

The CIS® IBM Cloud Foundations Benchmark is available to help clients securely adopt IBM Cloud services for executing digital transformation strategies with compliance management consistency. The benchmark controls can be configured to monitor resources through the IBM Cloud Security and Compliance Center, which has also been awarded CIS security software certification.

View the CIS IBM Cloud Foundations Benchmark (link resides outside of ibm.com)

View the CIS security software certification for the CIS Benchmark for IBM Cloud Foundations v1.0.0, Level 1 and Level 2 (link resides outside of ibm.com).

Services in the CIS IBM Cloud Foundations Benchmark include:
IBM Cloud Activity Tracker (via Mezmo)
IBM Cloud Block Storage for Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Container Registry
IBM Cloud Databases for DataStax 
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Internet Services
IBM Cloud Kubernetes Service
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Platform - Public - Identity and Access Management (IAM)
IBM Cloud Security and Compliance Center
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud - VPN for VPC – Site-to-site gateway
IBM Cloud Virtual Server for VPC
IBM Cloudant® for IBM Cloud
IBM Key Protect for IBM Cloud

CSA STAR

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote security assurance best practices within cloud computing. CSA provides the Security, Trust and Assurance Registry (STAR) — a free, publicly accessible registry that documents the security controls provided by cloud computing offerings.

IBM publishes several CSA STAR Level 1 Self-Assessment Consensus Assessments Initiative Questionnaires, including IBM Cloud Infrastructure, IBM Cloud Platform, IBM Cloud Services, and IBM Watson® on IBM Cloud.

ISO

The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal: to ensure that products and services are safe, reliable and of good quality.

ISO 9001 - IBM Cloud infrastructure certificate (PDF, 1.1 MB)

ISO 20243 – IBM self-assessment certifications - Open Trusted Technology Provider™ Standard (O-TTPS)

ISO 22301 - IBM Cloud infrastructure certificate (PDF, 619 KB)

ISO 27001 - IBM Cloud infrastructure certificate (PDF, 618 KB)

ISO 27001 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 613 KB)

ISO 27001 / 27017 / 27018 / 27701 - IBM Enterprise & Technology Security (PaaS and SaaS) certified product listing (PDF, 133 KB)

ISO 27001 - IBM Cloud platform certificate - China (PDF, 408 KB)

ISO 27001 - IBM Watson Cloud technology and support certificate

ISO 27017 - IBM Cloud infrastructure certificate (PDF, 567 KB)

ISO 27017 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 475 KB)

ISO 27018 - IBM Cloud infrastructure certificate (PDF, 482 KB)

ISO 27018 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 475 KB)

ISO 27701 - IBM Enterprise & Technology Security (PaaS and SaaS) certificate (PDF, 557 KB)

ISO 31000 - IBM Cloud infrastructure certificate (PDF, 566 KB)

Contact an IBM representative to request the ISO 27001 Statement of Applicability (SOA) for an offering with ISO 27001 certification.

IBM Cloud services: ISO

IBM Cloud platform services certified with ISO 9001, ISO 22301 and ISO 31000 include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

IBM Cloud ISO-certified services

See a list of IBM Cloud services certified with ISO 27001, ISO 27017 and ISO 27018.

View listing (PDF, 133 KB)

IBM corporate certifications

IBM has obtained corporate certifications for ISO 9001, ISO 14001, ISO 20243, ISO 50001 and OHSAS 1800.

View more information

SOC

The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protect information stored in the cloud. Certified public accountants (CPAs) audit cloud service providers (CSPs), resulting in internal control reports on the services provided by a service organization. SOC reports can help users assess and address the risks associated with an outsourced service.

See the IBM Cloud infrastructure system description (PDF, 695 KB)

SOC 1 is an audit of the internal controls at a service organization implemented to protect client-owned data involved in client financial reporting. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

SOC 2 audits, based on the AICPA Trust Service Principles and Criteria, gauge service organization internal controls implemented to protect customer-owned data. SOC 2 reports provide details about the nature of those internal controls.

Contact an IBM representative to request the IBM® public cloud (infrastructure, VPC, and PaaS) SOC 1 and SOC 2 reports.

A SOC 3 report is a condensed, publicly available version of the SOC 2 Type 2 audit report of controls put in place by service organizations. SOC 3 reports are intended for users that don't need the full details of a SOC 2 report.

See the IBM Cloud infrastructure SOC 3 report (PDF, 406 KB)

See the IBM Cloud platform as a service (PaaS) SOC 3 report (PDF, 722 KB)

See the IBM Cloud platform as a service (PaaS) Additional Offerings SOC 3 report (PDF, 593 KB)

See the IBM Cloud Foundry Public SOC 3 report (PDF, 269 KB)

Learn more about the IBM Cloud platform services listed below.


IBM Cloud platform services with SOC 1 Type 2 reports include:

IBM Cloud App ID
IBM Cloud App Service
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Code Engine
IBM Cloud Container Registry
IBM Cloud Continuous Delivery
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
IBM Cloud Direct Link Connect (2.0)
IBM Cloud Direct Link Dedicated (2.0)
IBM Cloud DNS Services
IBM Cloud File Storage
IBM Cloud Flow Logs for VPC
IBM Cloud Functions
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud for VMware Solutions Shared
IBM Cloud Foundry Public
IBM Cloud Hardware Security Module
IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
IBM Cloud Load Balancer
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform – Public: BSS, IBM Cloud Catalog, IBM Cloud Global Search & Tagging, IBM Cloud Console, IBM Cloud Identity and Access Management and IBM Cloud Shell
IBM Cloud Satellite
IBM Cloud Schematics
IBM Cloud Security and Compliance Center
IBM Cloud Secrets Manager
IBM Cloud Transit Gateway
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud (VPC) - Load Balancer for VPC: Application Load Balancer
IBM Cloud Virtual Private Cloud (VPC) - VPN for VPC Site-to-site gateway
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Server for VPC - Auto Scale for VPC
IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
IBM Cloud Virtual Servers
IBM Cloudant Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud

IBM Cloud platform services with SOC 2 Type 1 reports include:

IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect DBaaS for MongoDB
IBM Cloud Hyper Protect DBaaS for PostgreSQL
IBM Cloud Hyper Protect Virtual Servers

IBM Cloud platform services with SOC 2 Type 2 reports include:

IBM Cloud Activity Tracker (via Mezmo)
IBM Cloud App ID
IBM Cloud App Service
IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Block Storage for Virtual Private Cloud
IBM Cloud Certificate Manager
IBM Cloud Code Engine
IBM Cloud Container Registry
IBM Cloud Continuous Delivery
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
IBM Cloud Direct Link Connect (2.0)
IBM Cloud Direct Link Dedicated (2.0)
IBM Cloud DNS Services
IBM Cloud File Storage
IBM Cloud Flow Logs for VPC
IBM Cloud Functions
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud for VMware Solutions Shared
IBM Cloud Foundry Public
IBM Cloud Hardware Security Module
IBM Cloud Internet Services Enterprise Package (via Cloudflare)
IBM Cloud Internet Services Enterprise Usage Package (via Cloudflare)
IBM Cloud Internet Services Standard (via Cloudflare)
IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
IBM Cloud Load Balancer
IBM Cloud Messages for RabbitMQ
IBM Cloud Monitoring (via Sysdig)
IBM Cloud Object Storage
IBM Cloud Object Storage (IaaS)
IBM Cloud Platform – Public: BSS, IBM Cloud Catalog, IBM Cloud Global Search & Tagging, IBM Cloud Console, IBM Cloud Identity and Access Management and IBM Cloud Shell
IBM Cloud Satellite
IBM Cloud Schematics
IBM Cloud Secrets Manager
IBM Cloud Security and Compliance Center
IBM Cloud Transit Gateway
IBM Cloud Virtual Private Cloud
IBM Cloud Virtual Private Cloud (VPC) - Load Balancer for VPC: Application Load Balancer
IBM Cloud Virtual Private Cloud (VPC) - VPN for VPC Site-to-site gateway
IBM Cloud Virtual Private Endpoint for VPC
IBM Cloud Virtual Server for VPC
IBM Cloud Virtual Server for VPC - Auto Scale for VPC
IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
IBM Cloud Virtual Servers
IBM Cloudant Dedicated Cluster
IBM Cloudant for IBM Cloud
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud
IBM Log Analysis (via Mezmo)

Offerings in the IBM Cloud PaaS SOC 3 report include:

IBM Cloud App ID
IBM Cloud App Service
IBM Cloud Certificate Manager
IBM Cloud Code Engine
IBM Cloud Continuous Delivery
IBM Cloud Container Registry
IBM Cloud Databases for DataStax
IBM Cloud Databases for Elasticsearch
IBM Cloud Databases for EnterpriseDB
IBM Cloud Databases for etcd
IBM Cloud Databases for MongoDB Enterprise
IBM Cloud Databases for MongoDB Standard
IBM Cloud Databases for PostgreSQL
IBM Cloud Databases for Redis
IBM Cloud for VMware Solutions (Dedicated)
IBM Cloud Functions
IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
IBM Cloud Messages for RabbitMQ
IBM Cloud Object Storage
IBM Cloud Platform – Public, IBM Cloud Console, IBM Cloud Identity and Access Management, and IBM Cloud Shell
IBM Cloud Schematics
IBM Cloud Security and Compliance Center
IBM Event Streams for IBM Cloud Enterprise
IBM Event Streams for IBM Cloud Standard
IBM Key Protect for IBM Cloud

Offerings in the IBM Cloud PaaS Additional Offerings SOC 3 report include:

IBM Cloud for VMware Solutions Shared
IBM Cloud Platform Public: BSS, IBM Cloud Catalog, IBM Cloud Global Search and Tagging
IBM Cloud Satellite
IBM Cloud Secrets Manager

Offerings in the IBM Cloud infrastructure services SOC 3 report include:

IBM Cloud Backup
IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Load Balancer
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers

Offerings in the IBM Cloud Foundry Public SOC 3 report include:

IBM Cloud Foundry Public