IBM Cloud® compliance: SOC 1
What is SOC 1?

Service Organization Control (SOC) reports are independent, third-party reports, issued by assessors certified by the American Institute of Certified Public Accountants (AICPA), that address the risks associated with an outsourced service.

An SOC 1 report details the organization’s internal controls over client-owned data involved in client financial reporting. Report usage is restricted and intended for organizations and the auditors who audit financial statements. SOC 1 reports are not intended for the general public.

SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

Reports and other documentation

Contact an IBM representative to request SOC 1 reports.

IBM position

An SOC 1 report may be provided for IBM services that have implemented controls in accordance with selected Trust Service Principles. The SOC report demonstrates that IBM has appropriately designed its controls for the selected Trust Service Principles and that the controls operated effectively for the report period.

The services listed below have an SOC 1 Type 2 report available, representing a period of time during which controls were assessed. As such reports represent an assessment period in the past, a bridge letter may accompany an SOC 1 Type 2 report, in which IBM attests to service control and continued performance since the last reporting period ended.

IBM Service Descriptions (SD) indicate if a given offering maintains SOC 1 Type 2 compliance status. Services below issue SOC 1 Type 2 reports at least once each year.

See the IBM Cloud infrastructure system description 

