VMware is committed to delivering a cloud service that meets a comprehensive set of international and industry-specific security and compliance standards. VMware adheres to very rigorous security development and operational standards and is actively conducting third-party audits in order to expand the list of certifications, attestations and adoptions of frameworks.
We’re excited to share our progress in this area for VMware Cloud on AWS. In addition to the certifications below, we’re also pleased to announce that the service is GDPR ready. You can read more about VMware Cloud on AWS GDPR readiness here. And for a full recap of the latest update to VMware Cloud on AWS, read the blog post VMware Cloud on AWS Delivers More…of Everything!
ISO/IEC 27001 (Global)
ISO/IEC 27001:2013 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). Achieving certification means that VMware has implemented a holistic security program that conforms with the ISO 27001 standard requirements.
ISO/IEC 27017:2015 Code of Practice for Information Security Controls
VMware Cloud on AWS is ISO 27017 compliant. The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.
This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks. ISO/IEC 27017 is unique in providing guidance for both cloud service providers and cloud service customers. It also provides cloud service customers with practical information on what they should expect from cloud service providers. Customers benefit directly from ISO/IEC 27017 by ensuring they understand shared responsibilities in the cloud.
ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
ISO/IEC 27018:2014 is the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.
The audit of the ISMS and ISO standards was completed by Schellman & Company, LLC. View the certificate.
HIPAA Business Associate Agreement
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which incorporated requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, established national standards for the security and privacy of Protected Health Information (PHI) in the United States. To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers and other organizations. VMware has completed an independent third-party examination of VMware Cloud on AWS against applicable controls of HIPAA. Current or potential customers interested in the VMware Cloud on AWS HIPAA BAA may contact their VMware representative.
SOC 1 (SSAE16/ISAE 3402)
Service Organization Control (SOC) 1 reports are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The SOC 1 framework reports on internal controls over financial reporting for any service organization such as VMware Cloud on AWS. SOC 1 aligns to the International Standard on Assurance Engagements (ISAE) 3402 international reporting standards. SOC 1 examinations are specifically intended to meet the needs of VMware Cloud on AWS customers and VMware Cloud on AWS customers’ auditors, as they evaluate the effect of the controls at VMware Cloud on AWS on the clients’ financial statement assertions.
SOC 2
The SOC 2 report is composed of a comprehensive set of criteria on security, availability, processing integrity, confidentiality, and privacy and is similarly set forth by the AICPA. The SOC 2 reports are intended for use by stakeholders (e.g. customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls.
SOC 3
Service Organization Control 3 (SOC 3) reports, also known as Trust Services Reports for Service Organizations, are designed to meet the needs of customers who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy. SOC 3 is composed of a comprehensive set of trust principles covering security, availability, processing integrity, confidentiality and privacy. VMware has completed an independent third-party SOC 3 examination of VMware Cloud on AWS.
To review a copy of the SOC Independent Service Auditor’s report, customers may contact their VMware representative.