Service Organization Control (SOC) reports are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA), address the risks associated with an outsourced service.
An SOC 1 report details the organization’s internal controls over client-owned data involved in client financial reporting. Report usage is restricted and intended for organizations and the auditors who audit financial statements. SOC 1 reports are not intended for the general public.
SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
Reports and other documentation
A SOC 1 report may be provided for IBM services that have implemented controls in accordance with selected Trust Service Principles. The SOC report demonstrates that IBM has appropriately designed its controls for the selected Trust Service Principles and that the controls operated effectively for the report period.
The services listed below have an SOC 1 Type 2 report available, representing a period of time during which controls were assessed. As such reports represent an assessment period in the past, a bridge letter may accompany an SOC 1 Type 2 report, in which IBM attests to service control and continued performance since the last reporting period ended.
IBM Service Descriptions (SD) indicate if a given offering maintains SOC 1 Type 2 compliance status. Services below issue SOC 1 Type 2 reports at least once each year.
Services
- IBM Cloud App ID
- IBM Cloud App Configuration
- IBM Cloud Backup
- IBM Cloud Backup for VPC
- IBM Cloud Bare Metal
- IBM Cloud Bare Metal Servers for VPC
- IBM Cloud Block Storage
- IBM Cloud Block Storage for Virtual Private Cloud
- IBM Cloud Block Storage Snapshots for VPC
- IBM Cloud Code Engine
- IBM Cloud Container Registry
- IBM Cloud Continuous Delivery
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for Elasticsearch
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for etcd
- IBM Cloud Databbases for MongoDB
- IBM Cloud Databases for MySQL
- IBM Cloud Databases for PostgreSQL
- IBM Cloud Databases for Redis
- IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
- IBM Cloud Direct Link Connect (2.0)
- IBM Cloud Direct Link Dedicated (2.0)
- IBM Cloud DNS Services
- IBM Cloud Event Notifications
- IBM Cloud File Storage
- IBM Cloud Flow Logs for VPC
- IBM Cloud Functions
- IBM Cloud for VMware Solutions (Dedicated)
- IBM Cloud for VMware Solutions Shared
- IBM Cloud Foundry Public
- IBM Cloud Hardware Security Module
- IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
- IBM Cloud Load Balancer
- IBM Cloud Messages for RabbitMQ
- IBM Cloud Object Storage
- IBM Cloud Object Storage (IaaS)
- IBM Cloud Platform – Core Services: Account Management and Billing, IBM Cloud Catalog, IBM Cloud Global Search & Tagging, IBM Cloud Console, IBM Cloud Identity and Access Management and IBM Cloud Shell
- IBM Cloud Satellite
- IBM Cloud Schematics
- IBM Cloud Security and Compliance Center
- IBM Cloud Secrets Manager
- IBM Cloud Transit Gateway
- IBM Cloud Virtual Private Cloud
- IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
- IBM Cloud Virtual Private Cloud - VPN for VPC Client-to-Site Server and Site-to-Site Gateway
- IBM Cloud Virtual Private Endpoint for VPC
- IBM Cloud Virtual Server for VPC
- IBM Cloud Virtual Server for VPC - Auto Scale for VPC
- IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
- IBM Cloud Virtual Servers
- IBM Cloudant Dedicated Cluster
- IBM Cloudant for IBM Cloud
- IBM Event Streams for IBM Cloud (Standard)
- IBM Event Streams for IBM Cloud (Enterprise)
- IBM Key Protect for IBM Cloud
- IBM Power Virtual Server on IBM Cloud
- IPSec VPN
- SAP-Certified Cloud Infrastructure