2.5.6 Compliance Controls
For enterprise subscribers to feel secure and safe in the public cloud services domain, and to have the information and visibility into the service that their internal audits require, providers of public cloud services must actively pursue one of the following certifications as part of their general service availability plans:
- ISO 27001 certification, which certifies that security management processes are in place and include a relevant subset of the ISO 27001 controls, as specified in the VMware Compliance Architecture and Control Matrix.
- SSAE 16, SOC 2 report based on the same relevant set of controls.
VMware can provide documented guidance on how to meet the standard set of compliance controls, but providers are directly responsible for achieving ISO 27001 and/or SSAE 16, SOC 2 certification status for their service environments through a third-party audit. VMware Powered Public Cloud providers must make compliance certification types and status available so that subscribers understand which standards both the hosting environment and the services have been audited against.