Compliance resource center

Here you can find Chrome Enterprise’s certifications, documentation, and third-party audits to help support your compliance.

Chrome Enterprise Compliance

As part of your migration to Chrome Enterprise, you may need to validate our compliance documentation, certifications, and controls. Chrome Enterprise creates and shares mappings of our security, privacy, and compliance controls to standards from around the world. We also regularly undergo independent verification—achieving certifications, attestations, and audit reports to help demonstrate compliance.

Auditor-validated certifications and attestations

An independent third-party auditor has granted a formal certification, attestation, or audit report based on an assessment that affirms our compliance with these offerings:

ISO/IEC 27001

The International Organization for Standardization (ISO) is an independent, non-governmental international organization with an international membership of 163 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure.

ISO/IEC 27001:2022 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.

Google Cloud Platform, Google Workspace, Apigee and our Common Infrastructure are certified as ISO/IEC 27001:2022 compliant. The 27001 standard does not mandate specific information security controls, but the framework and checklist of controls it lays out allow Google to ensure a comprehensive and continually improving model for security management.

View Chrome Enterprise’s ISO/IEC 27001 certificates here: Core & Premium. Potential customers can reach out to sales for more information.

ISO/IEC 27017

The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 163 national standards bodies.

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

  • Additional implementation guidance for relevant controls specified in ISO/IEC 27002
  • Additional controls with implementation guidance that specifically relate to cloud services

This standard provides controls and implementation guidance for both cloud service providers like Google and our cloud service customers.

ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:

  • Who is responsible for what between the cloud service provider and the cloud customer
  • The removal/return of assets when a contract is terminated
  • Protection and separation of the customer’s virtual environment
  • Virtual machine configuration
  • Administrative operations and procedures associated with the cloud environment
  • Customer monitoring of activity within the cloud
  • Virtual and cloud network environment alignment

Chrome Enterprise Core & Chrome Enterprise Premium are certified as ISO/IEC 27017 compliant.

View Chrome Enterprise’s ISO/IEC 27017 certificates here: Core & Premium. Potential customers can reach out to sales for more information.

ISO/IEC 27018

The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 163 national standards bodies.

ISO/IEC 27018 relates to one of the most critical components of cloud privacy: the protection of personally identifiable information (PII). This standard focuses in two ways on security controls for public-cloud service providers that process PII:

  • Builds upon existing ISO/IEC 27002 controls by adding specific items for cloud privacy
  • Provides entirely new security controls for personal data

Chrome Enterprise Core & Premium are certified as ISO/IEC 27018 compliant.

View Chrome Enterprise’s ISO/IEC 27018 certificates here: Core & Premium. Potential customers can reach out to sales for more information.

SOC 1

The Service and Organization Controls (SOC) 1 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) SSAE 18, which evaluates the service organization’s controls relevant to financial reporting. This report is beneficial for organizations that rely on Chrome Enterprise services to support their financial reporting process.

Looking for Google Cloud and Google Workspace SOC 1 reports? Customers can request the reports by reaching out to their account manager or making a request here.

Chrome Enterprise and SOC 1 compliance

Accessing Chrome Enterprise’s SOC 1 reports

Chrome Enterprise regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 1 reports are generated by an objective third party attesting to a set of assertions made by Chrome Enterprise about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period. 

Customers may use the SOC 1 report to assess the risks arising from interactions with the assessed Chrome Enterprise systems throughout the period.

Chrome Enterprise’s SOC 1 timelines

Chrome Enterprise’s SOC 1 Type II reports are issued semi-annually and can be requested by reaching out to your account manager or making a request here. The coverage periods and issuance dates for these reports are:

  • First half of the year
    • Coverage period: May 1 - April 30
    • Estimated issuance: mid-June
  • Second half of the year
    • Coverage period: November 1 - October 31
    • Estimated issuance: mid-December

SOC 2

The Service and Organization Controls (SOC) 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) SSAE 18, which evaluates the service organization’s controls relevant to the Trust Services Criteria of security, availability, processing integrity, confidentiality, or privacy.

Looking for Google Cloud and Google Workspace SOC 2 reports? Customers can request the reports by reaching out to their account manager or making a request here.

Chrome Enterprise and SOC 2 compliance

Accessing Chrome Enterprise’s SOC 2 reports

Chrome Enterprise regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 2 reports are generated by an objective third party attesting to a set of assertions made by Chrome Enterprise about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period.

Customers may use the SOC 2 report to assess the risks arising from interactions with the assessed Chrome Enterprise systems throughout the period.

Chrome Enterprise’s SOC 2 timelines

Chrome Enterprise’s SOC 2 Type II reports are issued semi-annually and can be requested by reaching out to your account manager or making a request here. The coverage periods and issuance dates for these reports are:

  • First half of the year
    • Coverage period: May 1 - April 30
    • Estimated issuance: mid-June
  • Second half of the year
    • Coverage period: November 1 - October 31
    • Estimated issuance: mid-December

SOC 3

Like SOC 2, the Service and Organization Controls (SOC) 3 report is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) SSAE 18, which evaluates the service organization’s controls relevant to the Trust Services Criteria of security, availability, processing integrity, confidentiality, or privacy. The SOC 3 is a public report which is based on the same scope as the related SOC 2 report.

Looking for Google Cloud and Google Workspace SOC 3 reports? See here.

Chrome Enterprise and SOC 3 compliance

Accessing Chrome Enterprise’s SOC 3 reports

Chrome Enterprise regularly undergoes third-party audits for our products, systems, and infrastructure related to this standard. The SOC 3 reports are generated by an objective third party attesting to a set of assertions made by Chrome Enterprise about its controls that are in place to protect customer data. The audit firm’s evaluation includes comprehensive testing of the design and operating effectiveness of the controls within the audit period.

Customers may use the SOC 3 report to assess the risks arising from interactions with the assessed Chrome Enterprise systems throughout the period.

Chrome Enterprise’s SOC 3 timelines

Chrome Enterprise’s SOC 3 reports are issued semi-annually and can be accessed here. The coverage periods and issuance dates for these reports are:

  • First half of the year
    • Coverage period: May 1 - April 30
    • Estimated issuance: mid-June
  • Second half of the year
    • Coverage period: November 1 - October 31
    • Estimated issuance: mid-December
