2.5.2 Compliance Controls
For enterprise subscribers to feel secure and safe in the vCloud services domain, and to have the information and visibility into the service needed for their own internal audit requirements, providers of vCloud services must actively pursue one of the following certifications as part of their general service availability plans:
ISO 27001 certification, which certifies that security management processes are in place and have a relevant subset of the ISO 27001 controls
, as specified by VMware’s Compliance Architecture and Control Matrix.SSAE 16, SOC 2 report based on the same relevant set of controls.
VMware can provide documented guidance on how to meet the standard set of compliance controls, but providers are directly responsible for achieving ISO 27001 and/or SSAE 16, SOC 2 certification status for their service environments through third-party audit. vCloud providers should make compliance certification types and status available so that subscribers understand what standards both the hosting environment and the services have been audited against.