Independent Audits of Infrastructure, Services, and Operations
Our customers and regulators expect independent verification of security, privacy and compliance controls. Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations.
Google has annual audits for the following standards:
- SSAE16 / ISAE 3402 Type II:
- ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform. The ISO 27001 Certificate for Google Cloud Platform is here. Google has also earned the ISO 27001 certification for Google's shared Common Infrastructure. The ISO 27001 Certificate for Common Infrastructure is here.
- ISO 27017, Cloud Security, This is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services.
Our ISO 27017 Certificate is here.
- ISO 27018, Cloud Privacy, This is an international standard of practice for protection of personally identifiable information (PII) in public clouds services.
Our ISO 27018 Certificate is here.
- FedRAMP ATO for Google App Engine
- PCI DSS v3.2
Google’s third party audit approach is designed to be comprehensive in order to provide assurances of Google’s level of information security with regard to confidentiality, integrity and availability. Customers may use these third party audits to assess how Google’s products can meet their compliance and data-processing needs.
Google Cloud Platform will also support HIPAA covered customers by entering into a Business Associates Agreement. The Cloud Platform BAA currently covers Compute Engine, Cloud Storage, Cloud SQL for MySQL, Cloud SQL for PostgreSQL, Cloud Dataproc, Genomics, BigQuery, Kubernetes Engine, Container Registry, Cloud Dataflow, Cloud Bigtable, Cloud Pub/Sub, Cloud Translation API, Cloud Speech API, Stackdriver Logging, Stackdriver Error Reporting, Stackdriver Trace, Stackdriver Debugger, Cloud Datalab, Cloud Machine Learning Engine, Cloud Natural Language, Cloud Data Loss Prevention API, Cloud Vision API, and Cloud Spanner. Learn more about HIPAA compliance.
Google Cloud has completed the Cloud Security Alliance (CSA) STAR Self-Assessment. Learn more here.
MTCS Tier 3 Certification (Singapore)
The Multi-Tier Cloud Security (MTCS) Singapore Standard (SS) 584 is a cloud security certification managed by the Singapore Info-comm Media Development Authority (IMDA). The standard has 3 tiers designed to certify cloud service providers at different levels of operational security, with Tier 3 having the most stringent requirements. At the conclusion of the assessment, which included an audit by an independent MTCS Certifying Body, 114 Google Cloud services and 20 datacenter sites received Tier 3 certification. The scope of services included in the certification highlights Google Cloud’s ongoing and continuous commitment to ensuring sound operational and security controls across all three service models--Infrastructure-as-a-Service (Iaas), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The certificate can be downloaded here.
Google Cloud Platform and the EU Data Protection Directive
As part of Google’s rigorous privacy and compliance standards and commitment to our customers, Google Inc. is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. In addition, Google offers Cloud Platform customers EU model contract clauses as a method to meet the adequacy and security requirements of the EU Data Protection Directive.
The European Union's data protection authorities have concluded that Google's model contract clauses meet EU regulatory expectations, confirming that Google Cloud services provide sufficient commitments to frame international data
flows from Europe to the rest of the world. For details on the approval of the Google Cloud from the Article 29 Working Party, please see the respective decisions for G Suite and the Google Cloud Platform.
Learn more about EU Data Protection.
Google Cloud Platform and G Suite comply with NIST 800-171
National Institute of Standards and Technology Special Publication 800-171
was released in June 2015. It focuses on protecting the confidentiality of Controlled
Unclassified Information (CUI) in non-federal information systems and organizations,
and defines security requirements to achieve that objective. The security controls
of NIST 800-171 can be mapped directly to NIST 800-53.
This mapping is available on page D-2 of the publication NIST.SP.800-171.
The services below have undergone an independent third party assessment that confirmed
compliance with NIST 800-53 controls in scope for FedRAMP, which includes all requisite
controls described in NIST 800-171.
The list of services covered include:
- G Suite editions: G Suite Basic, G Suite Business, G Suite for Education, G Suite Enterprise, G Suite for Nonprofits and G Suite for Governments.
- G Suite services: Gmail (incl. Talk), Hangouts, Hangouts Chat, Hangouts Meet, Calendar, Drive, Docs, Sheets, Slides, Forms, Drawings, Vault, Sites, Groups, Contacts, Classroom, Cloud Search, Keep, Admin Console, Cloud Identity, App Maker, Android and Chrome Device Management and ChromeSync.
- Google Cloud Platform services: App Engine, BigQuery, Cloud Datastore, Cloud Storage, Cloud Console, Genomics, Cloud Dataflow, Cloud Dataproc, Cloud Pubsub, Cloud Datalab, Compute Engine, Kubernetes Engine, Container Registry, App Engine Flexible Environment, Cloud Functions, Cloud SQL, Cloud Bigtable, Cloud Spanner, Machine Learning Platform, Cloud Jobs API, Natural Language API, Speech API, Translate API, Vision API, Cloud Video Intelligence API, Cloud CDN (Content Delivery Network), Cloud DNS (Domain Name Service), Cloud Load Balancing, Cloud Virtual Network Core, Stackdriver Logging, Error Reporting, Stackdriver Trace, Debugger, Deployment Manager, Cloud Endpoints, Cloud Shell, Cloud Mobile App, Cloud Billing API, Cloud SDK, Container Builder, Cloud Source Repositories, DLP API, Cloud Identify-Aware Proxy, Cloud Resource Manager, Cloud Security Scanner, Cloud Key Management Service, Google Service Control (Chemist), Cloud Launcher, Cloud IAM.
Protection of Personal Information and My Number Data (Japan)
The Japanese government issues a unique number to every resident of Japan (both foreign and domestic).
This number, also referred to as the Social Benefits or Tax Number, is protected by the “My Number Act”.
The responsibility to protect personal information and “My Number” data lies with our customers when using Google Cloud Platform.
Google Cloud Platform products are ISO 27001 and ISO 27018 certified. These are international certifications related to practices to protect information (such as personal information and “My Number” data) and include appropriate access control measures.
FISC (Center for Financial Industry Information Systems)
is a public interest incorporated
foundation tasked with conducting research related to technology, utilization, control,
and threat/defense related to financial information systems in Japan. One of the key
documents created by the organization is the "FISC Security Guidelines on Computer Systems for
Banking and Related Financial Institutions". The document describes controls related to
facilities, operations, and technical infrastructure.
Google has developed a guide to help customers understand how Google’s control environment
aligns with the FISC guidelines. Most of the controls outlined in our guide are part of our
third-party audited compliance programs, including ISO 27001,
ISO 27017, and
ISO 27108 certifications. View our response to the FISC controls:
MPAA Best Practices Guidelines
Picture Association of America (MPAA) has created a best practices guideline
for cloud providers. Under a shared security model, customers using Google Cloud
Platform can configure their cloud services to support these best practices.
While not a formal certification, the control aspects of the guidelines map closely
to Google’s existing third party audited core compliance programs, including
ISO 27108, and
CSA STAR certifications.
This document details the MPAA
controls that Google Cloud Platform supports. Google contracts with a third party
auditor to validate these controls on a regular basis.
Sarbanes-Oxley Act (SOX)
As part of SOX requirements, each US public company is responsible
for establishing and monitoring internal controls, including those maintained by a
third party, such as a cloud service provider. Therefore, if a (potential) cloud
customer is a US public company or planning to become public, they should think
about how using a cloud provider impacts their financial reporting controls.
If a customer processes accounting or financial information on Google Cloud
Platform, the customer's management may determine that some Google Cloud Platform
services are in scope for their SOX obligations. The customer's management must
make their own judgement regarding Google Cloud Platform's SOX applicability. If the
customer requests information about controls over specific GCP products, we refer
them to the Google Cloud Platform Service Organization Control (SOC) 1 Type II
report. This report includes Google's descriptions of GCP systems and controls, an
independent auditor opinion on the accuracy of management's description, an
independent auditor opinion on appropriateness of the controls described in meeting
the stated objectives, and an indepedent auditor opinion on the effectiveness of
those controls in meeting the stated objectives.
Australian Privacy Principles
Privacy Act 1988 (Cth) (Privacy Act), which includes the
Australian Privacy Principles (APPs), regulates the way APP entities collect,
use, and manage individuals’ personal and sensitive information.
While customers are responsible for ensuring that they comply with their obligations
under the Privacy Act (including the APPs), this
paper helps customers understand how information is stored, processed, maintained,
accessed, and secured in Google Cloud when using Google Cloud Platform and G Suite.
Esquema Nacional de Seguridad (Spain)
The ENS (Esquema Nacional de Seguridad) accreditation scheme has been developed by
ENAC in close collaboration with the Ministry of Finance and Public
Administration and the
National Cryptologic Centre (CCN). The ENS was established as part of
Royal Decree 3/2010.
This decree, and its updated amendment
Royal Decree 951/2015
serve to establish principles and requirements for the adequate protection of
information for public sector entities. Google Cloud (GCP and G Suite) has
successfully met all requirements to comply at the High level with the ENS,
Royal Decree 3/2010, and Royal Decree 951/2015.