VMware Cloud on AWS

VMware Cloud on AWS – Unlocking Cloud Compliance Globally

VMware Cloud on AWS has achieved a number of industry leading compliance certifications and is able to support a wide variety of customer use cases and compliance requirements. Our compliance offerings cover a wide range of global certifications from ISO 27001/17/18 certifications to various region specific certifications covering North America, EMEA and Asia Pacific regions. VMware has also published a number of compliance whitepapers addressing the various regional governmental and financial services industry compliance requirements.

At VMware we understand that changes in cloud regulatory requirements, particularly in industries such as Finance, Healthcare and Government have put increased pressure in managing security and compliance risks. Our compliance offerings provide robust assurance to customers on the capabilities and controls we have implemented to secure customer workloads and leverage cloud capabilities to build, run and manage modern apps.  Our ongoing efforts in this area enable VMware Cloud on AWS customers to meet diverse needs with cloud resources and enable faster service delivery at lower cost and risk.


Global Compliance Offerings



ISO 27001, ISO270017 and ISO27018

VMware Cloud on AWS has obtained the three primary International Organization for Standardization (ISO) certifications for cloud – ISO 27001, ISO 27017 and ISO 27018. The ISO certifications are a globally recognized set of certifications providing requirements for operating and maintaining an international standard information security management system (ISMS) as well as implementing cloud specific security controls and privacy controls addressing key requirements from the EU data protection laws. The ISO certifications demonstrate our commitment towards maintaining high security standards across both technical and organizational security measures as well as maintaining ongoing monitoring of the security controls.  For further details on the ISO certifications, please visit  VMware Cloud Trust Center



SOC2 Type 2

VMware Cloud on AWS has successfully undergone a rigorous external audit to obtain the AICPA – System and Organization Controls (SOC)  2 Type 2 audit report for 2019-20. The SOC 2 report provides assurance over the design and operating effectiveness of controls we operate to secure the VMware Cloud service offering. A SOC 2 report is beneficial for customers who wish to understand our security posture and need an independent opinion on our internal controls. Please reach out to your VMware Sales/Account representative for a copy of our latest SOC 2 report.




VMware Cloud on AWS has achieved the Payment Card Industry Data Security Standard (PCI DSS 3.2.1) Service Provider Level 1 certification, the highest level available for a cloud provider. By being certified as PCI DSS service Provider, VMware has demonstrated that the VMware Cloud on AWS service operates PCI DSS compliant security measures and controls, thereby serving the needs for a broader range of customers and workloads. With VMware Cloud on AWS, customers can leverage PCI compliant SDDCs to minimize risk, effort, costs, and time associated with implementing and maintaining a cardholder environment or PCI DSS solution.  For more information see our Migrating PCI Workloads White Paper

Cloud Security Alliance – Level 1

VMware participates at CSA STAR Level 1 by completing the Consensus Assessment Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. Customers commonly utilize CSA STAR criteria in their cloud security assessments.  STAR Self-Assessments are updated annually, and you can view the latest CAIQ documents at VMware, Inc. | Cloud Security Alliance

EMEA Compliance Offerings


Cyber Essentials Plus

Cyber Essentials is a UK Government-backed, industry-supported framework that helps organizations manage their cyber security risks. It provides a set of controls that enable organizations to demonstrate their commitment towards cyber security and protecting internal and customer data.

Cyber Essentials Plus mandates a set of technical controls and governance controls, the related assurance process and penetration and vulnerability testing by auditors authorized by UK National Cyber Security Centre (NCSC).

VMware Cloud on AWS has implemented the mandated controls and has undergone an extensive external assessment to achieve the Cyber Essentials Plus certification.



G – Cloud 12

G-Cloud is a framework agreement published by the UK Crown Commercial Service – a government body responsible for managing the procurement policy and processes for public sector entities in the UK.  It is an online catalogue of cloud computing services, including hosting, software and cloud support that UK public sector bodies can use to purchase any cloud services.

VMware Cloud on AWS is now listed on the G-Cloud digital marketplace. Customers wishing to purchase this cloud service can find us on the digital marketplace at VMware Cloud on AWS – Digital Marketplace

The portal includes detailed overview of our service, support, relevant pricing documents, terms and conditions and sales contacts.


European Banking Authority (EBA) Outsourcing Guidelines

European Banking Authority (EBA) Outsourcing Guidelines prescribe the governance framework and guidelines for financial institutions within the scope of the EBA’s mandate when outsourcing internal functions to service providers (including cloud outsourcing). VMware supports our European banking customers in addressing the contractual requirements stipulated by the EBA guidelines. Please reach out to your VMware Sales/Account representative for a copy of EBA addendum.


The General Data Protection Regulation (GDPR)  is a privacy and security law that applies to organizations that target or collect data related to people in the European Union. VMware’s obligations and commitments as a processor under GDPR are set forth in VMware’s Data Processing Addendum. VMware has achieved Binding Corporate Rules (“BCR”) approval for Personal Data it processes. For more information see VMware Cloud Trust Center – Privacy



Asia Pacific and Japan Compliance Offerings

VMware has also published a range of compliance whitepapers covering APJ compliance requirements. Some of the prominent ones include:

Japan – Three Guidelines from Three Ministries (3G3M)

The 3 Guidelines from 3 Ministries are a collection of security and compliance guidelines published by the three ministries in Japan – Ministry of Health, Labor and Welfare, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry.

In Japan, medical institutions that store medical data such as patient records and medical images in an external facility such as a public cloud should align to the requirements published in these guidelines to ensure security and reliability of medical data.

In response to these guidelines, VMware has published a set of reference guides that describe how VMware Cloud on AWS meets the requirements in these guidelines and how customers can address various security and compliance risks when migrating workloads to VMware Cloud on AWS. To complement the security reference guides, VMware has also published a whitepaper that provides a high-level overview on our compliance with 3 Guidelines from 3 Ministries. Please reach out to your VMware sales/account representatives for copy of the security reference guides. You can view the 3G3M whitepaper at Japan 3G3M Whitepaper – VMware Cloud on AWS


Australia APRA – Information Paper on Cloud

The Australian Prudential Regulatory Authority (APRA) is the regulator of the financial services sector in Australia.  In Sep 2018 APRA published the “Information Paper: Outsourcing involving cloud computing services” which provides guidelines for the financial services entities for adopting cloud computing.  The VMware Cloud on AWS APRA whitepaper demonstrates our response to APRA’s Information Paper describing how Australian financial services organizations can leverage VMware Cloud services to address APRA’s requirements for outsourcing involving cloud computing.  You can view the APRA whitepaper at APRA Whitepaper – VMware Cloud on AWS


Australia ISM Consumer Implementation Guide

Australian Cyber Security Center (ACSC) leads the cyber security responsibilities for Australian government agencies. ACSC has published an Information Security Manual (ISM) that describes the security control requirements for Australian government agencies. VMware has undergone a gap assessment against the ISM requirements by a qualified IRAP assessor. This whitepaper demonstrates various controls and security procedures implemented by VMware Cloud on AWS and how customers can architect their systems and leverage their controls and processes to address ISM requirements. Please reach out to your VMware Sales/Account representatives for a copy of the ISM consumer implementation guide.


Singapore – Multi-Tier Cloud Security Standard (MTCS) whitepaper


The Singapore Multi-Tier Cloud Security Standard (MTCS)  is a three-tier security framework describing the cloud computing security practices and controls for public cloud users and public cloud service providers. The MTCS whitepaper describes the various security practices implemented by VMware Cloud on AWS to address the key MTCS requirements. While VMware is yet to obtain the full certification, customers wishing to migrate workloads to VMware Cloud on AWS can use our whitepaper to assess how we address the relevant security and compliance risks and enable them to seamlessly migrate workloads to VMware Cloud on AWS. You can view the whitepaper at Singapore MTCS Whitepaper – VMware Cloud on AWS


Singapore – Outsourced Service Provider Audit Report (OSPAR) whitepaper


In Singapore, the Association of Banks (ABS) have established a set of guidelines and control procedures that outsourced service providers should meet when servicing a financial institution based in Singapore. These are called Outsourced Service Providers Audit Report (OSPAR) guidelines.

VMware has published a comprehensive whitepaper supported by a detailed mapping of our controls and security procedures against the OSPAR requirements. While VMware is yet to obtain the full certification, customers wishing to migrate workloads to VMware Cloud on AWS can use our whitepaper and mapping to assess how we address the relevant security and compliance risks and enable them to seamlessly migrate workloads to VMware Cloud on AWS. You can view the OSPAR whitepaper at Singapore OSPAR Whitepaper – VMware Cloud on AWS




If you would like to learn more about VMware Cloud on AWS, here are some learning resources for you: