Skip to content
Governance, Risk and Compliance
Protect your mission-critical assets in the cloud

Virtustream gives you peace of mind when it comes to governance, risk, and compliance practices, which encompass several critical areas of our cloud service. Virtustream provides customers an in-depth look into our compliance practices, including our rigorous approach to information security management.

Information Security

Virtustream has implemented an Information Security Management System (ISMS) policy that is certified to the ISO 27001:2013 standard. Additionally, information security is delivered in the form of third-party auditing and certifications for rigorous international industry standards. Virtustream cloud services are certified to ISO 9001 for quality, ISO 22301 for business continuity, and ISO 27001 for information security, as well as ISO 27017 for cloud services security and ISO 27018 for protection of personally identifiable information (PII). In addition, Virtustream’s cloud services are audited for attestations to SOC 1, SOC 2, SOC 3, and HIPAA/HITECH/HITRUST, and are certified to PCI DSS and CSA STAR. The public sector Virtustream Federal Cloud is certified to FedRAMP Moderate.

Business Continuity

The Virtustream Governance, Risk, and Compliance (GRC) team is dedicated to ensuring all functions that support Virtustream cloud services adhere to the policies and procedures established by executive management and meet the control requirements of the standards. Throughout the year, the GRC team conducts internal audits, risk assessments, business impact analysis, tests business continuity plans, and reviews findings with senior management to continually improve the management system that governs Virtustream operations.


Virtustream follows the ISO 27001, FedRAMP, and other standards for risk assessment, risk treatment, and risk reporting. Risks that are identified throughout the IaaS during an assessment, audit, or vulnerability assessment are identified, tracked, and then either mitigated or remediated. Remediation of vulnerabilities within the IaaS management zone are addressed according to the PCI DSS standard.