Kaspersky has again completed a Service Organization Control for Service Organizations (SOC 2) Type 1 audit conducted by an international Big Four accounting firm.
The audit, performed under the American Institute of Certified Public Accountants (AICPA) reporting framework, confirms that Kaspersky’s security controls conform with AICPA’s Trust Services Criteria (TSC), namely security, availability, processing integrity, confidentiality, and privacy. In 2019, Kaspersky first completed the same audit as part of its Global Transparency Initiative (GTI).
During the examination, Big Four auditors, among other things, scrutinized the company’s policies and procedures related to the development and release of antivirus (AV) bases, the network and physical security of the infrastructure involved in this process, and the monitoring tools used by the Kaspersky team. The examination also covered how the company communicates the terms and conditions of the AV bases release process to its employees, users, and customers.
The audit results showed that the company’s internal controls for protecting the development and release process of antivirus bases for Windows and Unix operating systems are suitably designed to meet all five trust categories covered by the TSC. In addition, the scope of the current audit has been expanded compared to the 2019 assessment, as Kaspersky has since introduced new security tools and controls.
“This new independent assessment provides the necessary assurance and verifies the trustworthiness of the solutions and services we offer. The report is a confirmation of Kaspersky’s commitment to proactively protecting its infrastructure and guaranteeing the security of its customers and partners,” said Anton Ivanov, Chief Technology Officer at Kaspersky.
The renewal of the SOC 2 Type 1 report falls within a broader range of activities that are part of Kaspersky’s GTI, demonstrating the company’s ongoing commitment to accountability. Kaspersky is among the first in the industry to start operating Transparency Centers, in which the company’s stakeholders can review Kaspersky’s source code, software updates, and threat detection rules. It regularly seeks independent third-party assessments of the company’s engineering practices, data services, and compliance with existing industry standards.
Earlier this year, the company renewed its ISO 27001 certification, issued by the independent certification body TÜV AUSTRIA. ISO 27001 is an internationally recognized security standard.