This chapter covers GCP compliance frameworks: ISO 27001, SOC 2, FedRAMP, and HIPAA. Understanding how Google Cloud achieves and maintains these certifications is critical for the GCDL exam, as compliance is a key factor in cloud adoption decisions. Approximately 10-15% of exam questions touch on compliance, shared responsibility, and regulatory requirements. We will explore each framework's requirements, how GCP implements controls, and what customers must do to remain compliant.
Imagine a bank vault that must meet multiple security standards: ISO 27001 is like having a documented security policy that every employee must follow, with regular audits to ensure compliance. SOC 2 is like a report from an independent auditor that confirms the vault's controls are designed and operating effectively, specifically for security, availability, and confidentiality. FedRAMP is a government-issued certification that the vault meets strict requirements for protecting federal data, including continuous monitoring and incident response. HIPAA is a set of rules specifically for handling medical records, requiring encryption, access controls, and audit logs to protect patient privacy. In Google Cloud, these compliance frameworks are like pre-built vault configurations: Google Cloud's infrastructure is audited and certified against these standards, so customers can inherit those controls by using the right services and configurations. Just as a bank doesn't need to build its own vault from scratch, GCP customers don't need to implement all controls from scratch—they leverage Google's certifications and shared responsibility model to achieve compliance.
What is Compliance in Cloud Computing?
Compliance means adhering to a set of standards, laws, or regulations. In cloud computing, it involves meeting specific security, privacy, and operational controls defined by external bodies. GCP undergoes independent audits to certify its infrastructure against multiple frameworks. Customers then inherit these certifications by using GCP services in a compliant manner. The shared responsibility model dictates that Google secures the infrastructure (physical security, network, hypervisor), while customers secure their data, access, and configurations.
ISO 27001: Information Security Management
ISO 27001 is an international standard for an Information Security Management System (ISMS). It requires organizations to establish, implement, and continuously improve a security framework. GCP has been ISO 27001 certified since 2011. The certification covers all GCP services, data centers, and operations. Key controls include risk assessment, asset management, access control, cryptography, and incident management. GCP publishes its ISO 27001 certificate and Statement of Applicability (SoA) in compliance reports. Customers can use GCP's ISMS to support their own certification by mapping GCP controls to their requirements.
SOC 2: Service Organization Controls
SOC 2 is an auditing procedure developed by the American Institute of CPAs (AICPA). It evaluates controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports come in two types: Type I (design of controls at a point in time) and Type II (operating effectiveness over a period, typically 6-12 months). GCP undergoes SOC 2 Type II audits annually. The SOC 2 report is available to customers under NDA. It details control activities like data encryption, access management, and incident response. For exam purposes, remember that SOC 2 is about service-level controls, not financial reporting (that's SOC 1).
FedRAMP: Federal Risk and Authorization Management Program
FedRAMP is a US government program that standardizes security assessment, authorization, and continuous monitoring for cloud products. It is mandatory for federal agencies using cloud services. FedRAMP has three impact levels: Low, Moderate, and High. GCP has a FedRAMP Moderate Authorization (Joint Authorization Board - JAB) and is pursuing High. The authorization covers over 100 GCP services. Key requirements include vulnerability scanning, incident response, and continuous monitoring. FedRAMP requires a Third-Party Assessment Organization (3PAO) to evaluate the cloud service provider. GCP's FedRAMP package is available on the FedRAMP marketplace. For the exam, know that FedRAMP is specific to US federal data and that GCP holds a Moderate authorization.
HIPAA: Health Insurance Portability and Accountability Act
HIPAA regulates the protection of protected health information (PHI). It requires administrative, physical, and technical safeguards. GCP offers a Business Associate Agreement (BAA) to covered entities and business associates. The BAA contractually obligates Google to safeguard PHI. Many GCP services are HIPAA-eligible, including Compute Engine, Cloud Storage, BigQuery, and Cloud SQL. Customers must configure these services correctly—for example, enabling encryption at rest and in transit, implementing access controls, and logging access. GCP does not automatically make a customer HIPAA compliant; the customer must implement controls for their specific use case. The exam tests that GCP provides a BAA and that certain services are HIPAA-eligible.
Shared Responsibility Model and Compliance
Compliance is a shared responsibility. Google is responsible for the security of the cloud: physical infrastructure, network, hypervisor, and compliance certifications for its platform. Customers are responsible for security in the cloud: data classification, access management, encryption of data in transit and at rest, and configuration of services. For example, GCP's SOC 2 report covers Google's controls, but the customer must ensure their own use of GCP does not violate SOC 2 principles. Similarly, FedRAMP authorization covers GCP's infrastructure, but the customer must implement agency-specific controls. The exam heavily emphasizes this shared model.
Compliance Reports and Resources
GCP provides compliance documentation through the Compliance Reports Manager and the Google Cloud Compliance Resource Center. Customers can download ISO certificates, SOC reports, FedRAMP packages, and HIPAA BAA. These documents are essential for auditors. GCP also publishes a list of services in scope for each certification. For example, not all GCP services are FedRAMP authorized—only those listed. The exam may ask which services are in scope for a given certification.
Key Numbers and Terms
ISO 27001: Certified since 2011, covers all GCP services.
SOC 2: Type II report annually, covers security, availability, processing integrity, confidentiality, privacy.
FedRAMP: Moderate authorization (JAB), over 100 services, continuous monitoring required.
HIPAA: BAA available, services must be HIPAA-eligible, customer must configure controls.
Shared responsibility: Google secures infrastructure, customer secures data and configurations.
Compliance reports: Available in Compliance Reports Manager.
How Compliance Interacts with Other GCP Services
Compliance is integrated with other GCP offerings:
Cloud Audit Logs: Enable logging for compliance auditing.
Cloud KMS: Manage encryption keys to meet HIPAA and ISO requirements.
Access Transparency: Provides logs of Google admin access to customer data, supporting SOC 2 and FedRAMP.
VPC Service Controls: Prevent data exfiltration, supporting FedRAMP and HIPAA.
Security Command Center: Helps detect misconfigurations that could violate compliance.
Exam Focus: Common Scenarios
The exam often presents scenarios where a customer needs to achieve compliance. For example: "A healthcare provider wants to store PHI in GCP. What must they do?" Answer: Sign a BAA, use HIPAA-eligible services, and configure encryption and access controls. Another scenario: "A federal agency needs to use GCP for sensitive data. What certification does GCP have?" Answer: FedRAMP Moderate authorization. The exam may also ask about the difference between SOC 2 Type I and Type II, or which report is needed for operating effectiveness over time (Type II).
Identify Applicable Compliance Frameworks
Determine which regulations and standards apply to the customer's industry and data. For example, healthcare organizations handling PHI must comply with HIPAA; US federal agencies must use FedRAMP-authorized services; any organization seeking information security management certification may pursue ISO 27001. This step involves reviewing data classification, regulatory requirements, and contractual obligations. GCP's Compliance Resource Center helps map frameworks to GCP services. The exam tests the ability to match scenarios to the correct framework.
Review GCP Compliance Certifications
Check which GCP certifications cover the needed frameworks. GCP maintains a compliance documentation page listing in-scope services and certifications. For FedRAMP, only certain services are authorized; for HIPAA, a BAA must be signed. The customer should verify that the services they plan to use are included in the certification scope. The exam may ask: 'Which GCP service is NOT FedRAMP authorized?' requiring knowledge of the authorized services list.
Configure Services for Compliance
Implement necessary controls on the customer side. For HIPAA, enable encryption at rest (using CMEK or CSEK) and in transit (TLS), configure VPC firewalls, and enable audit logging. For FedRAMP, use VPC Service Controls, Access Transparency, and Security Command Center. For ISO 27001, implement access controls and incident response plans. This step is customer responsibility. The exam emphasizes that GCP provides the tools, but the customer must configure them correctly.
Sign Business Associate Agreement (if HIPAA)
If the customer is a covered entity or business associate under HIPAA, they must sign a BAA with Google. The BAA is a contract that outlines Google's responsibilities for protecting PHI. It is available online via the GCP Console. Without a BAA, the customer cannot legally store PHI on GCP. The exam tests that a BAA is required and that not all GCP services are covered by the BAA; only HIPAA-eligible services are included.
Monitor and Audit Continuously
Compliance is not a one-time event. Customers must continuously monitor configurations, access logs, and security events. GCP provides tools like Security Command Center, Cloud Audit Logs, and Cloud Monitoring. For FedRAMP, continuous monitoring is mandatory and includes vulnerability scanning and incident response. Auditors will request evidence of ongoing compliance. The exam may ask about tools used for continuous compliance monitoring.
Scenario 1: Healthcare Provider Moving EHR to GCP
A large hospital chain wants to migrate its electronic health records (EHR) to GCP to reduce on-premises costs. They need HIPAA compliance. The engineering team first signs a BAA with Google. They then select HIPAA-eligible services: Cloud Storage for backups, Cloud SQL for patient databases, and Compute Engine for application servers. They enable encryption at rest using Cloud KMS with customer-managed keys (CMEK) and enforce TLS 1.2 for in-transit encryption. They configure VPC firewalls to restrict access to authorized IPs only and enable Cloud Audit Logs for all data access. They also set up Security Command Center to detect misconfigurations like public buckets. During an audit, they provide the BAA, configuration screenshots, and audit logs. A common misconfiguration is leaving a Cloud Storage bucket public, which would violate HIPAA. They use VPC Service Controls to prevent data exfiltration. The system handles 10,000 concurrent users and petabytes of data. Performance is maintained by using regional Cloud Storage and Cloud SQL with read replicas.
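The Configure and Monitor steps above, and the public-bucket misconfiguration in Scenario 1, can be turned into an automated check. The block below is an added example, not code from the chapter or from Google: it evaluates constructed Cloud Storage bucket metadata and a project IAM policy (using the field names of the real Cloud Storage JSON and IAM policy APIs) for missing CMEK, public bindings, and missing Data Access audit logs, showing a weak bucket beside its hardened form. The project, bucket and key names are placeholders.

```python
from typing import Dict, List

# Constructed sample: a PHI bucket with the defects the chapter warns about
# (Google-managed keys only, legacy ACLs, no public access prevention, allUsers binding).
WEAK_BUCKET = {
    "name": "ehr-backups-weak",
    "encryption": {},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                         "publicAccessPrevention": "inherited"},
}
WEAK_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:ehr-admins@example.com"]},
]}
# Constructed sample: the same bucket after the hardening steps (placeholder names).
HARDENED_BUCKET = {
    "name": "ehr-backups",
    "encryption": {"defaultKmsKeyName":
                   "projects/example-proj/locations/us/keyRings/phi/cryptoKeys/ehr-at-rest"},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "enforced"},
}
HARDENED_BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["group:ehr-admins@example.com"]},
]}
# Project IAM policy fragments: Data Access audit logs for Cloud Storage off vs. on.
NO_AUDIT_POLICY = {"auditConfigs": []}
AUDIT_POLICY = {"auditConfigs": [{
    "service": "storage.googleapis.com",
    "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_READ"},
                        {"logType": "DATA_WRITE"}],
}]}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def bucket_findings(bucket: Dict, policy: Dict, project_policy: Dict) -> List[str]:
    """Return the compliance findings for one bucket; an empty list means it passes."""
    findings = []
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("no CMEK default key: at-rest encryption is not customer-managed")
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access disabled: legacy object ACLs still apply")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced")
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        if exposed:
            findings.append(f"{binding['role']} granted to {sorted(exposed)}: bucket is public")
    # Data Access logs must be enabled for storage.googleapis.com (or for allServices).
    logged = set()
    for cfg in project_policy.get("auditConfigs", []):
        if cfg.get("service") in ("storage.googleapis.com", "allServices"):
            logged |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    missing = {"DATA_READ", "DATA_WRITE"} - logged
    if missing:
        findings.append(f"Data Access audit logs missing: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print("weak:", bucket_findings(WEAK_BUCKET, WEAK_BUCKET_POLICY, NO_AUDIT_POLICY))
    print("hardened:", bucket_findings(HARDENED_BUCKET, HARDENED_BUCKET_POLICY, AUDIT_POLICY))
```

In practice the inputs would come from the bucket's JSON description and the project's IAM policy; the checks are the same ones an auditor asks for evidence of.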
Scenario 2: Federal Agency Deploying FedRAMP Workload
A US federal agency needs to deploy a citizen-facing application on GCP. They require FedRAMP Moderate authorization. The agency's security team reviews GCP's FedRAMP package and confirms that over 100 services are authorized. They use only authorized services: App Engine for the web app, Cloud SQL for the database, and Cloud Storage for static assets. They implement VPC Service Controls to prevent data exfiltration and enable Access Transparency logs to monitor Google admin access. They also set up continuous monitoring with Security Command Center and integrate with their SIEM. The agency must also implement their own controls like identity and access management (IAM) with least privilege and multi-factor authentication. An auditor will review the system's continuous monitoring reports. A common mistake is using an unauthorized service like a beta feature not yet FedRAMP-authorized. The agency must ensure all services are on the authorized list.
Scenario 3: Global Enterprise Obtaining ISO 27001 Certification
A multinational corporation wants to use GCP as part of its ISMS for ISO 27001 certification. They leverage GCP's ISO 27001 certification to cover infrastructure controls. Their internal security team documents how GCP controls (e.g., physical security, network security) map to their ISMS. They use GCP's IAM to enforce access control, Cloud Audit Logs for monitoring, and Cloud KMS for key management. They also implement their own incident response plan using GCP's Security Command Center and Cloud Functions automation. During the ISO audit, they present GCP's SoA and their own control mappings. A common pitfall is assuming GCP's certification covers all customer responsibilities; the customer must still implement controls for their applications and data. The exam tests this shared responsibility nuance.
The GCDL exam tests compliance under Objective 2.5: 'Identify the purpose of compliance and regulatory requirements, including HIPAA, SOC 2, FedRAMP, and ISO 27001.' Expect 2-4 questions on this topic. The exam focuses on:
Matching frameworks to scenarios: Given a scenario (healthcare, federal, financial), identify the correct framework. Wrong answers often confuse SOC 2 with SOC 1 or mix HIPAA with PCI DSS. Remember: SOC 2 is for service organizations (security, availability, etc.), not for financial reporting. HIPAA is for healthcare data, not payment card data (that's PCI DSS).
Shared responsibility: Many candidates mistakenly think GCP's certifications make the customer automatically compliant. The exam tests that the customer must also implement controls. For example, a question: 'A company uses GCP and has signed a BAA. Are they HIPAA compliant?' The correct answer is 'No, they must also configure services correctly.' The trap answer is 'Yes, because GCP is HIPAA compliant.'
FedRAMP specifics: The exam may ask what level of FedRAMP authorization GCP has (Moderate). Some candidates confuse FedRAMP with FISMA or think GCP has High authorization. GCP has Moderate (JAB) and is working on High. Also know that FedRAMP requires a 3PAO assessment.
SOC 2 Type I vs Type II: Questions may ask which report validates controls over time. Type II is the answer. Type I is only at a point in time. Candidates often pick Type I because they think 'I' is more comprehensive.
HIPAA BAA: The exam asks whether a BAA is required for PHI. The answer is yes. Also know that not all GCP services are covered by the BAA; only HIPAA-eligible services.
ISO 27001: The exam may ask what ISO 27001 covers (ISMS). Candidates sometimes confuse it with ISO 27017 (cloud security) or ISO 27018 (PII protection). Stick to the basics.
Compliance reports location: Questions may ask where to find compliance documentation (Compliance Reports Manager).
Elimination strategy: When you see a compliance question, first identify the industry (healthcare -> HIPAA, federal -> FedRAMP, any -> ISO/SOC). Then look for keywords like 'BAA', 'authorization', 'audit report'. Eliminate answers that mix frameworks (e.g., using FedRAMP for healthcare). Also eliminate answers that claim GCP makes the customer fully compliant without customer action.
GCP holds ISO 27001 certification covering all services since 2011.
SOC 2 Type II report is available annually and covers security, availability, processing integrity, confidentiality, and privacy.
GCP has FedRAMP Moderate authorization (JAB) for over 100 services.
HIPAA requires a signed BAA and use of HIPAA-eligible services; customer must implement safeguards.
Compliance is a shared responsibility: Google secures infrastructure, customer secures data and configurations.
Compliance documentation is available in the Compliance Reports Manager.
FedRAMP requires continuous monitoring and a 3PAO assessment.
SOC 2 Type II validates controls over time, Type I only at a point in time.
These come up on the exam all the time. Here's how to tell them apart.
ISO 27001
International standard for ISMS.
Focuses on security management processes.
Certification is issued by an accredited body.
Covers all aspects of information security.
Requires continuous improvement of ISMS.
SOC 2
US-based auditing standard by AICPA.
Focuses on controls for security, availability, processing integrity, confidentiality, privacy.
The report is an attestation issued by a CPA firm; it is not a certification.
Often required by service providers for customer trust.
Type II report validates controls over time.
FedRAMP
US federal government program for cloud security.
Mandatory for federal agencies using cloud.
Three impact levels: Low, Moderate, High.
Requires 3PAO assessment and JAB authorization.
Continuous monitoring required.
HIPAA
US healthcare privacy and security law.
Applies to covered entities and business associates.
Requires administrative, physical, technical safeguards.
Requires BAA with cloud provider.
Customer must configure services for PHI protection.
Mistake
GCP's HIPAA compliance automatically makes my application HIPAA compliant.
Correct
HIPAA compliance is shared. GCP provides a BAA and HIPAA-eligible services, but the customer must configure encryption, access controls, logging, and other safeguards. Simply using GCP does not guarantee compliance.
Mistake
SOC 2 Type I is more comprehensive than Type II.
Correct
Type I evaluates controls at a single point in time. Type II evaluates operating effectiveness over a period (usually 6-12 months). Type II is more rigorous and is what most customers require.
Mistake
FedRAMP is only for cloud services used by the military.
Correct
FedRAMP applies to any US federal agency using cloud services. It covers civilian agencies as well. The Department of Defense has its own process (DoD CC SRG), but FedRAMP is for all federal agencies.
Mistake
ISO 27001 certification covers all aspects of data security.
Correct
ISO 27001 covers the Information Security Management System (ISMS), which includes policies, procedures, and controls. It does not automatically cover specific data privacy laws like GDPR or HIPAA, though it can be mapped.
Mistake
All GCP services are FedRAMP authorized.
Correct
Only a subset of GCP services are FedRAMP authorized (over 100 as of 2023). Services in beta or newer services may not be authorized. Customers must check the authorized services list.
SOC 2 Type I reports on the design of controls at a specific point in time. Type II reports on the operating effectiveness of controls over a period (usually 6-12 months). Type II is more rigorous and commonly required by customers. For the exam, remember that Type II is about effectiveness over time.
As of the latest update, GCP has FedRAMP Moderate authorization (JAB). It is pursuing High authorization but has not yet achieved it. The exam tests that GCP has Moderate, not High. Some services may have High authorization through agency-specific processes, but the platform-wide authorization is Moderate.
No. Only HIPAA-eligible services are covered by the BAA. Google publishes a list of HIPAA-eligible services. Using a non-eligible service for PHI violates the BAA and HIPAA. The exam may ask which services are HIPAA-eligible; common ones include Compute Engine, Cloud Storage, BigQuery, and Cloud SQL.
Google is responsible for security of the cloud: physical security, network, hypervisor, and certifications. Customers are responsible for security in the cloud: data, access, encryption, and configuration. For compliance, Google provides certified infrastructure, but the customer must use it correctly to maintain compliance.
Compliance reports can be accessed via the Compliance Reports Manager in the GCP Console. You can download ISO certificates, SOC reports, FedRAMP packages, and HIPAA BAA. The exam may ask about the location of these documents.
No, ISO 27001 is not required. It is a voluntary certification that GCP holds. Customers may use GCP's certification to support their own ISO 27001 certification efforts. The exam tests that GCP is ISO 27001 certified, not that customers must be.
A Third-Party Assessment Organization (3PAO) is an independent auditor accredited to assess cloud services for FedRAMP. GCP's FedRAMP authorization involves a 3PAO evaluation. The exam may test this term.