About IBM Cloud regional compliance programs

Leaders of international organizations are faced with a growing landscape of region-specific compliance standards as they move their IT infrastructures to the cloud. IBM Cloud® platform services can help you meet these regional compliance standards.

Asia Pacific

FISC (Japan)

The Center for Financial Industry Information Systems (FISC) was created by the Japanese Ministry of Finance with the purpose of conducting research on topics related to financial information systems in Japan. FISC created guidelines to promote the security of information systems within the banking and financial industries. These FISC guidelines, though not mandated by law, are recognized and used by most Japanese financial institutions in the design and maintenance of their information systems.

IRAP (Australia)

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative providing high-quality information and communications technology (ICT) services to government. Administered by the Australian Cyber Security Centre (ACSC), IRAP assessments help Australian Government clients verify that appropriate controls are in place for addressing the ICT requirements detailed in the Australian Government Information Security Manual produced by the ASD.

IBM Cloud infrastructure services successfully completed an IRAP PROTECTED level assessment, enabling Australian Government clients to establish a highly secure and compliant PROTECTED level environment within IBM Cloud. The IBM Cloud infrastructure PROTECTED assessment included Security Construction and Equipment Committee (SCEC) Zone 3 level data centers with video surveillance.

The Australian Taxation Office certified IBM Cloud infrastructure services for the processing, storing, and transmitting of Australian Government information classified up to, and including, PROTECTED for the IaaS services detailed within the IRAP assessment scope.

Australian Government clients may request the IBM Cloud Infrastructure IRAP PROTECTED Assessment and Certification Package:

Log in to IBM Cloud or contact an IBM representative.


K-ISMS (South Korea)

The Korea Information Security Management System (K-ISMS) is a Korean government-backed certification sponsored by the Korea Internet and Security Agency (KISA). K-ISMS is a certification system designed to assess if an organization's information security management system is properly established, managed and operated. Achieving this certification means IBM Cloud infrastructure clients in South Korea can more easily demonstrate adherence to local legal requirements for protection of key digital information assets and meet KISA compliance standards.

View the IBM Cloud infrastructure services K-ISMS certificate in English (PDF, 317 KB)

View the IBM Cloud infrastructure services K-ISMS certificate in Korean (PDF, 280 KB)


MTCS (Singapore)

Multi-Tier Cloud Security (MTCS), also known as Singapore Standard SS 584, is a multi-tiered security standard for cloud service providers operating in Singapore.

To request the IBM Cloud infrastructure certificate: Visit the client portal (link resides outside IBM)

My Number Act (Japan)

The Social Security and Tax Number System (My Number Act) went into effect in Japan starting in January 2016. Under this act, a unique number is assigned to every resident in Japan, whether Japanese or foreign, to be used mainly for taxation and social security purposes. The Personal Information Protection Commission (PPC) created guidelines to help companies properly handle and protect their My Number information.


SCEC

The Security Construction and Equipment Committee (SCEC) is an interdepartmental committee that evaluates security equipment and tools used by Australian Government departments and agencies. SCEC guidelines are managed through the Australian Security Intelligence Organisation (ASIO) T4 Protective Security directorate, which evaluates protective security products to determine their suitability for use in Australian Government facilities.

IBM public cloud data centers in Sydney, Australia were evaluated and certified by an accredited SCEC security zone consultant as having the appropriate protective security controls in compliance with the principles of the Australian Government Protective Security Policy Framework, and as providing the operational environment necessary for the confident and secure conduct of Australian Government business.

View the SCEC Certificates (PDF, 770 KB)

Europe and United Kingdom

BaFin (Germany)

BaFin, formally known as the German Federal Financial Supervisory Authority, oversees all financial services firms in Germany. BaFin has published a specification for the regulatory framework for cloud computing services provided to financial services firms.

C5 (Germany)

The Cloud Computing Compliance Controls Catalog (C5), introduced by the German Federal Office for Information Security (BSI), is a cloud-specific attestation scheme. This scheme outlines the requirements cloud service providers must meet in order to ensure a minimum-security level for their cloud services. C5 elevates the demands on cloud providers by combining existing security standards such as ISO 27001, with additional requirements for increased transparency in data processing.

To request the IBM Cloud infrastructure C5 attestation, do one of the following:
Visit the client portal (link resides outside IBM)
Contact an IBM representative

European Banking Authority - EBA (EU)

As part of its mission to establish consistent, efficient and effective supervisory practices across the EU and ensure uniform application of Union law, the European Banking Authority (EBA) issues regulatory guidelines and recommendations in its fields of competence.

Learn how IBM Cloud platform supports EBA recommendations (PDF, 1.5 MB)

ENISA IAF (EU)

The European Union Agency for Network and Information Security (ENISA) issued the Information Assurance Framework (IAF), a set of assurance criteria designed to assess the risk of adopting cloud services, comparing different cloud provider offers, obtaining assurance from the selected cloud providers, and reducing their assurance burden.

ENS (Spain)

The National Security Framework of Spain (ENS) is a legal decree that develops provisions about security, and applies them to all public administrations in Spain. The ENS establishes the security policy for eGovernment services. It establishes the basic principles and minimum requirements to enable adequate protection of information to be followed by all public administrations.

View the IBM Cloud infrastructure ENS High certificate (PDF, 704 KB)

IBM Cloud platform services with an ENS High certificate include:

IBM Cloud Bare Metal
IBM Cloud Block Storage
IBM Cloud Direct Link
IBM Cloud File Storage
IBM Cloud Hardware Security Module
IBM Cloud Object Storage (IaaS)
IBM Cloud Virtual Servers


EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' Personally Identifiable Information (PII). These clauses obligate non-EU companies to follow the laws and practices mandated by the EU Data Protection Directive in all global locations. The clauses provide enforcement rights and assurance to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws. In May 2018, the EU Data Protection Directive was replaced by the General Data Protection Regulation (GDPR).

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration. These frameworks provide companies on both sides of the Atlantic with a mechanism that helps them comply with data-protection requirements when they transfer personal data from the European Union (EU) and Switzerland to the United States in support of transatlantic commerce.

View the IBM policy and list of privacy-shield certified IBM Cloud services

GDPR (EU)

As part of the European Union's General Data Protection Regulation (GDPR), IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes. This work also strengthens existing controls to limit access to personal data, including mobile applications that rely on default settings to prevent sharing of personal data.

Learn about the IBM GDPR Framework

G-Cloud (UK)

The government of the United Kingdom created the G-Cloud framework to enable a faster and less expensive process for UK government organizations to enter into procurement contracts with cloud providers. G-Cloud services are divided into three categories: cloud hosting, cloud software, and cloud support.

HDS - Hébergeurs de Données de Santé, Health Data Hosting (France)

Hébergeurs de Données de Santé (HDS) is designed to describe the conditions under which personal health data initially collected in France must be protected. Data hosting must include security controls commensurate with the critical nature of the data.

Any individual or legal person who hosts personal health data collected in France must be approved or certified for this purpose.

View the IBM Cloud infrastructure services HDS certificate (PDF, 448 KB)

IT-Grundschutz (Germany)

The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information in an organization. IT-Grundschutz uses a holistic approach to this process, and provides guidance for the application of technical, organizational, personnel and infrastructural safeguards.

NIS Directive (EU)

The Network and Information Systems (NIS) Directive (EU 2016/1148) is the first cybersecurity law to cover the entire European Union, and is intended to raise the overall cybersecurity level of critical infrastructure in the EU.

IBM maintains standard technical and organizational measures appropriate and proportionate to manage the risks posed to the security of network and information systems. This includes a security monitoring program and a global incident response process to respond to cybersecurity threats and attacks. In addition, IBM utilizes a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among its workforce. More information on these technical and organizational measures is available in IBM certifications and audit reports such as ISO 27001 and SOC 2.

United States

FERPA

Security is central to compliance with the Family Educational Rights and Privacy Act (FERPA), which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor will appropriately manage sensitive student data.