VMware is committed to delivering a cloud service that adopts industry best practices in order to meet a comprehensive set of international and industry-specific security and compliance standards. VMware adheres to rigorous security standards and is expanding coverage for various industry-specific security and compliance measures. VMware makes independent third-party examination and audit reports available to customers that will satisfy a wide range of customer-specific compliance requirements. For more details on any of the reports and certifications listed, please contact your VMware representative.
ISO/IEC 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). VMware continues to maintain a current ISO/IEC 27001 Certification for vCloud Air and has recently issued updated certification for ISO/IEC 27001:2013. Achieving certification means that VMware has implemented a holistic security program that conforms with the ISO 27001 standard requirements, both in the security management system and control activities. The audit of the ISMS was completed by Schellman, formerly Brightline, an ANSI-ASQ National Accreditation Board (ANAB). View the certificate verification and contact your VMware sales representative for a copy of the ISO 27001 Certificate, the AT101 Report, and Statement of Applicability.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which incorporated requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, established national standards for the security and privacy of Protected Health Information (PHI) in the United States. To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers and other organizations. VMware has completed an independent third-party examination of vCloud Air against applicable controls of HIPAA. Current or potential customers interested in the vCloud Air HIPAA examination or BAA may contact their VMware representative.
Service Organization Control (SOC) 1 reports are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The SOC 1 framework reports on internal controls over financial reporting for any service organization such as VMware vCloud Air. SOC 1 aligns to the International Standard on Assurance Engagements (ISAE) 3402 international reporting standards. SOC 1 examinations are specifically intended to meet the needs of vCloud Air customers and vCloud Air customers’ auditors, as they evaluate the effect of the controls at vCloud Air on the clients’ financial statement assertions. VMware has completed an independent third-party examination of vCloud Air which spans a twelve (12) month review period. To review our SOC 1 controls in more detail, please review the vCloud Air SOC1 Matrix. To review a copy of the SOC1 Type 2 Independent Service Auditor’s report, interested customers may contact their VMware representative.
The Service Organization Control 2 (SOC 2) report is composed of a comprehensive set of criteria on security, availability, processing integrity, confidentiality, and privacy and is similarly set forth by the American Institute of Certified Public Accountants (AICPA). The SOC 2 reports are intended for use by stakeholders (e.g. customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. VMware has completed an independent third-party examination of vCloud Air that also spans a twelve (12) month review period. To review a copy of the SOC 2 Type 2 Independent Service Auditor’s report, customers may contact their VMware representative.
Trust Services Report for Service Organizations Control 3 (SOC 3) reports are designed to meet the needs of customers who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy. VMware has completed an independent third-party SOC 3 examination of vCloud Air. SOC 3 is composed of a comprehensive set of trust principles including security, availability, processing integrity, confidentiality and privacy. The vCloud Air SOC 3 report is publicly available for customer review.
VMware vCloud Air has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. Visit the CSA STAR Registry to view VMware’s response to more than 250 questions related to cloud security, trust principles, and assurance controls. You can also download it here.
N3SP is leading the way on convergence, VOIP and customized service solutions, which enable the NHS to make the most of a single NHS network and maximize cost savings, reflecting a move away from tactical opportunities to strategic services. VMware is an approved and compliant Commercial Third Party (National Code: 8JF88). As part of the process to provide an N3-connected vCloud Air Service, VMware completed a Healthcare Information Governance Connectivity Assurance Process (HIGCAP) application for connection to the N3 Network. Additionally, VMware has signed an Information Governance Assurance Statement and will comply with the N3 Acceptable Use Policy.
Please see the VMware blog here.
VMware vCloud Air is part of the UK G-Cloud 8 program. Operating under the G-Cloud framework ensures that VMware has been vetted by the UK government and is available for authorized use by the government and public sector organizations in that region. vCloud Air can be found on the Digital Marketplace, which is a publicly accessible, searchable database of services offered under G-Cloud. For a particular vCloud Air service, please see the resources below.