Cloud Compliance and Security

VMware is committed to delivering a cloud service that adopts industry best practices in order to meet a comprehensive set of international and industry-specific security and compliance standards. VMware adheres to rigorous security standards and is expanding coverage for various industry-specific security and compliance measures. VMware makes independent third-party examination and audit reports available to customers that will satisfy a wide range of customer-specific compliance requirements. For more details on any of the reports and certifications listed, please contact your VMware representative.

To learn more about vCloud Air Security, please read the solution brief or read the vCloud Air Privacy Overview.

Cloud Compliance and Security Certifications

ISO/IEC 27001 (Global)

ISO/IEC 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). VMware continues to maintain a current ISO/IEC 27001 Certification for vCloud Air and has recently issued updated certification for ISO/IEC 27001:2013. Achieving certification means that VMware has implemented a holistic security program that conforms with the ISO 27001 standard requirements, both in the security management system and control activities. The audit of the ISMS was completed by Schellman, formerly Brightline, an ANSI-ASQ National Accreditation Board (ANAB) accredited certification body. View the certificate verification and contact your VMware sales representative for a copy of the ISO 27001 Certificate, the AT101 Report, and Statement of Applicability.

ISO/IEC 27017:2015 Code of Practice for Information Security Controls


The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.


This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks, referring to clauses 5 to 18 in ISO/IEC 27002:2013 for controls, implementation guidance, and other information. ISO/IEC 27017 is unique in providing guidance for both cloud service providers and cloud service customers. It also provides cloud service customers with practical information on what they should expect from cloud service providers. Customers can benefit directly from ISO/IEC 27017 by ensuring they understand the shared responsibilities in the cloud.

ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world’s largest developer of voluntary international standards. The ISO/IEC 27000 family of standards helps organizations of every type and size keep information assets secure.


In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.


Annually, VMware vCloud Air is audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively. As part of this compliance verification process, the auditors validate in their statement of applicability that vCloud Air has incorporated ISO/IEC 27018 controls for the protection of PII. To remain compliant, vCloud Air must be subject to annual third-party reviews. By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, VMware vCloud Air demonstrates that its privacy policies and procedures are robust and in line with its high standards.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which incorporated requirements from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, established national standards for the security and privacy of Protected Health Information (PHI) in the United States. To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers and other organizations. VMware has completed an independent third-party examination of vCloud Air against applicable controls of HIPAA. Current or potential customers interested in the vCloud Air HIPAA examination or BAA may contact their VMware representative.

SOC 1 (SSAE16/ISAE 3402)

Service Organization Control (SOC) 1 reports are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). The SOC 1 framework reports on internal controls over financial reporting for any service organization such as VMware vCloud Air. SOC 1 aligns to the International Standard on Assurance Engagements (ISAE) 3402 international reporting standards. SOC 1 examinations are specifically intended to meet the needs of vCloud Air customers and vCloud Air customers’ auditors, as they evaluate the effect of the controls at vCloud Air on the clients’ financial statement assertions. VMware has completed an independent third-party examination of vCloud Air which spans a twelve (12) month review period. To review our SOC 1 controls in more detail, please review the vCloud Air SOC1 Matrix. To review a copy of the SOC 1 Type 2 Independent Service Auditor’s report, interested customers may contact their VMware representative.


The Service Organization Control 2 (SOC 2) report is composed of a comprehensive set of criteria on security, availability, processing integrity, confidentiality, and privacy and is similarly set forth by the American Institute of Certified Public Accountants (AICPA). The SOC 2 reports are intended for use by stakeholders (e.g. customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. VMware has completed an independent third-party examination of vCloud Air that also spans a twelve (12) month review period. To review a copy of the SOC 2 Type 2 Independent Service Auditor’s report, customers may contact their VMware representative.


Service Organization Control 3 (SOC 3) reports, also called Trust Services Reports for Service Organizations, are designed to meet the needs of customers who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy. VMware has completed an independent third-party SOC 3 examination of vCloud Air. SOC 3 is composed of a comprehensive set of trust principles including security, availability, processing integrity, confidentiality and privacy. The vCloud Air SOC 3 report is publicly available for customer review.

Cloud Security Alliance

VMware vCloud Air has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. Visit the CSA STAR Registry to view VMware’s response to more than 250 questions related to cloud security, trust principles, and assurance controls. You can also download it here.


N3SP is leading the way on convergence, VoIP and customized service solutions, which enable the NHS to make the most of a single NHS network and maximize cost savings, reflecting a move away from tactical opportunities to strategic services. VMware is an approved and compliant Commercial Third Party (National Code: 8JF88). As part of the process to provide an N3-connected vCloud Air Service, VMware completed a Healthcare Information Governance Connectivity Assurance Process (HIGCAP) application for connection to the N3 Network. Additionally, VMware has signed an Information Governance Assurance Statement and will comply with the N3 Acceptable Use Policy.

Please see the VMware blog here.

UK G-Cloud 8

VMware vCloud Air is part of the UK G-Cloud 8 program. Operating under the G-Cloud framework ensures that VMware has been vetted by the UK government and is available for authorized use by the government and public sector organizations in that region. vCloud Air can be found on the Digital Marketplace, which is a publicly accessible, searchable database of services offered under G-Cloud. For a particular vCloud Air service, please see the resources below.