AWS compliance programs - AWS User Guide to Financial Services Regulations and Guidelines in Australia

AWS compliance programs

AWS has obtained certifications and independent third-party attestations for a variety of industry-specific workloads; the following are of particular importance to ARIs:

  • ISO 27001 – ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, including an Information Security Management System (ISMS) that defines how AWS continually manages security in a holistic, comprehensive manner. For more information or to download the AWS ISO 27001 certification, see ISO 27001 Compliance.

  • ISO 27017 – ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27002 and ISO 27001 standards. This code of practice provides additional implementation guidance for information security controls that's specific to cloud service providers. For more information or to download the AWS ISO 27017 certification, see ISO 27017 Compliance.

  • ISO 27018 – ISO 27018 is a code of practice that focuses on protection of personal data in the cloud. It's based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls that are applicable to storing personally identifiable information (PII) in public cloud services. It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements that aren't addressed by the existing ISO 27002 control set. For more information, or to download the AWS ISO 27018 certification, see ISO 27018 Compliance.

  • ISO 27701 – Specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including processing of PII. It is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management and provides a set of additional controls and associated guidance intended to address public cloud PIMS and PII management requirements for both processors and controllers not addressed by the existing ISO/IEC 27002 control set. For more information or to download the AWS ISO 27701 certification, see the ISO 27701 Compliance webpage.

  • ISO 22301 – Specifies the structure and requirements to implement, maintain, and improve a business continuity management system (BCMS) to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions when they arise. Compliance with this standard underscores the business continuity and resiliency of AWS services. For more information or to download the AWS ISO 22301 certification, see the ISO 22301 Compliance webpage.

  • ISO 42001 – ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within an organization. It is designed for entities providing or using AI-based products or services, and facilitates the responsible development and use of AI systems. For more information or to download the AWS ISO 42001 certification, see the ISO 42001 Compliance webpage.

  • ISO 9001 – ISO 9001 outlines a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures that are required to achieve effective quality management within an organization. The key to the ongoing certification under this standard is establishing, maintaining, and improving the organizational structure, responsibilities, procedures, processes, and resources in a manner where AWS products and services consistently satisfy ISO 9001 quality requirements. For more information or to download the AWS ISO 9001 certification, see ISO 9001 Compliance.

  • PCI DSS Level 1 – The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard mandated by the card brands and administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. AWS is assessed as a Level 1 service provider. For more information or to request the AWS PCI DSS Attestation of Compliance and Responsibility Summary, see PCI DSS Compliance.

  • SOC – AWS System and Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help customers and their auditors understand the AWS controls that have been established to support operations and compliance. For more information, see SOC Compliance. There are five types of AWS SOC Reports:

    • SOC 1 – Provides information about the AWS control environment that might be relevant to a customer's internal controls over financial reporting, together with information customers and their auditors can use to assess the effectiveness of those internal controls.

    • SOC 2 – Provides customers and their service users who have a business need with an independent assessment of the AWS control environment relevant to system security, availability, and confidentiality.

    • SOC 2 (Amazon DocumentDB) – Provides customers and their service users who have a business need with an independent assessment of the AWS control environment relevant to Amazon DocumentDB system security, availability, and confidentiality.

    • SOC 2 Privacy Type I Report – Provides customers with an independent assessment of AWS systems and the suitability of the design of AWS privacy controls.

    • SOC 3 – Provides customers and their service users who have a business need with an independent assessment of the AWS control environment relevant to system security, availability, and confidentiality, without disclosing AWS internal information.

By tying together governance-focused, audit-friendly service features with these certifications, attestations, and audit standards, AWS Compliance builds on traditional programs, helping customers to establish and operate in an AWS security control environment. These certifications and reports cover the controls that AWS operates; customers remain responsible for demonstrating the controls they implement on their side of the shared responsibility model.

For more information about other AWS certifications and attestations, see the AWS Compliance Programs webpage. For information about general AWS security controls and service-specific security, see Best Practices for Security, Identity, and Compliance.