To reiterate its commitment to the highest standards of customer data security and secure software development, Kaspersky has successfully passed a System and Organization Controls (SOC 2) Type II audit. The assessment evaluated the security of Kaspersky's antivirus database development and release processes and their protection against unauthorized alterations.
Kaspersky has provided regular assurance of the integrity of its solutions through independent third-party assessments, including SOC 2 audits, which the company has undergone since 2019. The System and Organization Controls (SOC) framework is an attestation reporting standard for service organizations established by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report evaluates an organization's controls against five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report, unlike a Type I report that describes control design at a single point in time, also tests whether those controls operated effectively throughout a defined review period.
For the first time, the SOC 2 audit covered a full year, from August 2023 to July 2024, whereas earlier assessments examined periods of three to six months. Conducted by an independent service auditor, the assessment examined Kaspersky's process for developing and releasing anti-virus databases for Windows and Unix systems against the security and availability criteria, covering the following elements:
- Kaspersky AV bases development and compilation services, used to develop and compile the source code;
- Kaspersky AV bases code storage and review systems, used to store and review the source code;
- Kaspersky AV bases test and release system, used to release the AV bases;
- Kaspersky AV bases test system, used to verify the AV bases;
- Information systems supporting the processes listed above.
The audit involved interviews with responsible management, supervisory and staff personnel, observation of Kaspersky's activities and operations, and inspection of Kaspersky's documents and policies. The auditors concluded that Kaspersky's controls over automated antivirus database updates comply with the applicable trust services criteria and that the process for developing and releasing antivirus databases is protected from tampering. The full audit report is available upon request.
“Kaspersky always aims to provide its customers and partners with firm assurances of the reliability and integrity of the company’s products and services. In addition to implementing strict security controls, it is crucial for us to get an outside expert opinion confirming that the measures in place are sufficient and comply with the industry standards. The latest SOC 2 audit has once again confirmed that our control methods are functioning correctly, and the process for development and release of antivirus databases is protected against unauthorized changes,” noted Alexander Liskin, Head of Threat Research at Kaspersky.
Regular audits of internal processes are a key component of Kaspersky's Global Transparency Initiative (GTI), which aims to build trust with the company's stakeholders and demonstrate its commitment to transparency and accountability. In addition to the SOC 2 audit, Kaspersky has certified its information security management system against the ISO/IEC 27001:2013 international standard and obtained Common Criteria certifications for its flagship enterprise products, Kaspersky Endpoint Security and Kaspersky Security Center, the management console for its enterprise products.