To reiterate its commitment to the highest standards of customer data security and secure software development, Kaspersky has successfully passed the Service Organisation Control (SOC 2) Type II audit for service organisations. The assessment evaluated the security of Kaspersky’s antivirus database development and release processes, as well as its protection against unauthorised alterations.
Kaspersky has been continuously providing assurances of the integrity of its solutions through regular third-party assessments, including SOC 2 audits, which the company has been undergoing since 2019. The Service Organisation Controls (SOC) framework is an international reporting standard for cybersecurity risk management systems, which was established by the American Institute of Certified Public Accountants (AICPA). It evaluates security control processes based on five fundamental principles: security, availability, process integrity, confidentiality, and privacy.
For the first time, the SOC 2 audit completed by the company covered a year-long period, from August 2023 to July 2024, while earlier assessments looked into 3 to 6-month periods. Conducted by an independent service auditor, the assessment checked Kaspersky’s process for developing and implementing anti-virus databases for Windows and Unix operating systems against the criteria of security and availability, including the following elements:
· Kaspersky AV bases development and compilation services that are used for the source code development and its compilation;
· Kaspersky AV bases code storage and review systems that are used for the source code storage and review process;
· Kaspersky AV bases test and release system that is used for the implementation of the AV bases;
· Kaspersky AV bases test system that is used for the verification of the AV bases;
· Information systems supporting the above-mentioned processes.
The audit involved interviews with responsible management, supervisory, and staff personnel. It also involved the observation of Kaspersky activities and operations, and the inspection of Kaspersky documents and policies. As a result of the check, auditors concluded that Kaspersky’s controls ensuring automated antivirus database updates comply with applicable trust services criteria, while the process of the development and implementation of antivirus databases is protected from tampering. The comprehensive audit report is available upon request.
“Kaspersky always aims to provide its customers and partners with firm assurances of the reliability and integrity of the company’s products and services. In addition to implementing strict security controls, it is crucial for us to get an outside expert opinion confirming that the measures in place are sufficient and comply with the industry standards. The latest SOC 2 audit has once again confirmed that our control methods are functioning correctly, and the process for development and release of antivirus databases is protected against unauthorised changes,” noted Alexander Liskin, Head of Threat Research at Kaspersky.
Regular audits of internal processes form a key component of Kaspersky’s Global Transparency Initiative (GTI), whose goal is to foster trust with the company’s stakeholders while demonstrating Kaspersky’s commitment to transparency and accountability. In addition to the SOC 2 audit, Kaspersky has certified its information security management system against the ISO/IEC 27001:2013 international standard and obtained Common Criteria certifications for the company’s flagship enterprise products, Kaspersky Endpoint Security and Kaspersky Security Center, a control console for all enterprise products.