IBM Cloud® compliance: SOC 2
Illustration showing a person interacting with a computer interface, around which are a security shield and a globe on a pedestal
What is SOC 2?

Service Organization Control (SOC) reports are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA) addressing the risk associated with an outsourced service. The AICPA has established Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality and privacy, against which service organizations may be assessed.

A SOC 2 report evaluates the internal controls that an organization has put in place to protect customer-owned data and provides details about the nature of those internal controls.

Contact an IBM representative to request SOC 2 reports.


IBM position

A SOC 2 report may be provided for IBM services that have implemented controls in accordance with their selected Trust Service Principles. The SOC 2 report demonstrates that IBM designed controls for the selected Trust Service Principles appropriately and that the controls operated effectively for the report period.

The services listed below have a SOC 2 Type 2 report available, representing a period of time during which controls were assessed. As such reports represent an assessment period in the past, a bridge letter may accompany a SOC 2 Type 2 report, in which IBM attests to service control continued performance since the last reporting period ended. 

IBM Service Descriptions (SDs) indicate if a given offering maintains SOC 2 Type 2 compliance status. Services below issue SOC 2 Type 2 reports at least once each year.

See the IBM Cloud infrastructure system description 


Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

See more compliance programs