// Trust & Security Report
International Business Machines Corporation (IBM)
IBM Cognos Analytics - enterprise business intelligence and data analytics platform with agentic AI, available in cloud-hosted (SaaS), on-premises, and containerized (Cloud Pak for Data) deployment models
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on community.ibm.com“IBM Cognos Analytics on Cloud expands compliance posture with availability of SOC 1 Type 2, SOC 2 Type 2 Reports. These services were assessed throughout the period May 1, 2020 to October 31, 2020 with auditor PricewaterhouseCoopers LLP.”
Verify on community.ibm.com“IBM Cognos Analytics on Cloud holds SOC 1 Type 2 certification, assessed May 1, 2020 to October 31, 2020 by PricewaterhouseCoopers LLP.”
Verify on ibm.com“IBM has obtained business unit certifications for ISO 27001 (information security management system). IBM maintains ISO 27001 certifications by country and business unit.”
Verify on ibm.com“IBM has obtained business unit certifications for ISO 27017 (information security for cloud services).”
Verify on ibm.com“IBM has obtained business unit certifications for ISO 27018 (information security for PII in public clouds).”
Verify on ibm.com“IBM Cloud's PaaS and SaaS offerings have implemented a Privacy Information Management System (PIMS) under ISO/IEC 27701:2019.”
Verify on ibm.com“IBM provides GDPR process automation for Cognos Analytics. The IBM Cognos GDPR tool facilitates discovery and analysis of Cognos content for personal information and has capabilities to optionally delete or modify Cognos objects or outputs that contain personal and sensitive information.”
> Show 4 unconfirmed / not-held certifications
source: ibm.comIBM Cloud supports HIPAA and provides BAA agreements. HIPAA-eligible services include Watson Studio, Watson Machine Learning, and Watson Knowledge Catalog in specific regions. IBM Cloud Pak for Data has HIPAA considerations documented, but Cognos Analytics is not explicitly listed as HIPAA-ready in publicly available documentation.
source: ibm.comNo public evidence of ISO/IEC 42001 certification for IBM Cognos Analytics or IBM Cloud services found.
source: ibm.comNo evidence of FedRAMP certification for IBM Cognos Analytics in public documentation.
source: ibm.comNo evidence of PCI DSS certification for IBM Cognos Analytics in public documentation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU and US data residency options available; customers can select EU or US hosting in cloud deployment
Customer data is used for necessary processing within the tool. Data is not used to train IBM's AI models without explicit customer consent. IBM Cognos Analytics includes agentic AI capabilities (AI assistant, reporting agents) but does not train on customer data by default.
// Security controls
Encryption in transit
TLS/SSL (Transport Layer Security) configurable; can configure specific TLS versions and cipher suites
ibm.comEncryption at rest
Supported via AES-256 encryption on cloud platforms (Azure, IBM Cloud); database passwords encrypted when saved
ibm.comFIPS mode
Can be enabled to use only FIPS 140-2 certified security modules; uses IBM Crypto for C and OpenSSL. Not enabled by default due to performance considerations.
ibm.comAccess control
Role-based access control (RBAC), fine-grained permissions, integration with external authentication (LDAP, Active Directory), granular administrative controls
ibm.comAudit and governance
Centralized governance, audit trails, certified data models, compliance-ready reporting
ibm.comData handling
Data retention policies allow secure deletion upon customer request or at contract termination. Complies with GDPR and regional privacy laws.
ibm.com// Products & data scope
data: Single-tenant cloud deployment on IBM Cloud data centers; SOC 2 Type 2 and SOC 1 Type 2 certified
Managed by IBM; guaranteed uptime, automatic backups, dedicated IBM Cloud Ops; can access on-premises data via VPN
data: Customer-hosted and managed; full control over data and infrastructure
Ideal for organizations prioritizing data security and governance; customer responsible for security implementation
data: Fully containerized; deployable in any cloud (IBM Cloud, Azure, AWS, GCP) or on-premises
Full Kubernetes support; flexible, scalable, cost-efficient; customer manages deployment security
data: Deployment via AWS Marketplace in AWS infrastructure
Leverages AWS security and compliance controls
// What to watch
- SOC 2 Type 2 certification is from 2020 (assessment period May-Oct 2020) - now 5+ years old and should be refreshed with current audit
- Product-specific ISO 27001 certification not explicitly documented; corporate and business unit certifications exist but product applicability unclear
- HIPAA eligibility unclear: IBM Cloud supports HIPAA with BAA, but Cognos Analytics not explicitly listed as HIPAA-ready; Cloud Pak for Data has HIPAA considerations but Cognos not specifically mentioned
- Marketing claims 'compliance-ready reporting' and 'certified data models' but specific certifications not exhaustively documented across all deployment types (on-premises, containers)
- Trust center and compliance pages mostly unavailable (403 Forbidden) for direct verification; information gathered from community posts and support pages
- FIPS mode can be enabled but product is not FIPS-certified by default; some configuration files not encrypted with FIPS-certified providers
- Over-claim risk: Vendor marketing emphasizes compliance and governance but specific product certifications less clearly delineated than corporate certifications
// At a glance
Pricing model
Per-authorized-user SaaS subscription (cloud-hosted); Standard ($11.25/user/month) and Premium ($44.90/user/month); on-premises requires licensing; container deployment available
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on International Business Machines Corporation (IBM)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
ibm.com