It’s one thing to tell a customer you can protect their data and another to actually be able to do so — and K2 knows the difference. That’s why, in 2017, we underwent the process to achieve the gold standard in security certifications: ISO/IEC 27001:2013 and SOC 2 Type 2.
ISO/IEC 27001:2013 is a well-known set of international standards relating to the secure management of information, particularly in a cloud-based environment. The K2 Cloud platform has been independently verified to meet all ISO/IEC 27001:2013 standards for cloud security and information management. ISO (The International Organization for Standardization) was founded in 1947 as an independent non-governmental organization. Today, ISO has a membership of 164 national standards bodies, and over 23,000 standards covering almost all aspects of technology and manufacturing.
Statement on Standards for Attestation Engagements (SSAE) 16 Service Organization Control 2 (SOC2), reports on various organizational controls related to security, availability, processing integrity, confidentiality, or privacy performed by the American Institute of Certified Public Accountants (AICPA) as a third-party audit. A SOC 2 Type 2 report is not a state-in-time audit but a full review of performance based on defined policies and processes, looking backward over the past year.
It provides a detailed review by an independent audit firm of K2 Cloud’s security, availability, and confidentiality controls. K2 Cloud also operates within SOC 2-attested Azure datacenters to ensure that all services are independently evaluated and the proper controls are used. For the past three years, we’ve maintained both rigorous certifications and are proud to have achieved recertification through 2023.
We undertook these activities to assure that we have the necessary technology and controls to ensure that we can adequately protect and secure our customers’ most precious asset: their data. Both the ISO/IEC 27001:2013 and the SOC 2 certifications assure current and prospective customers that they can entrust their data to us with absolute certainty.
Our initiative started with our move to the cloud. We transitioned from an on-premises model, where customers would purchase and install our product in their own environments, to a model where they purchase a service from us and we host and manage that service for them. If we expected our customers to make the move to the cloud with us, they needed to have the confidence that we could keep their environment safe.
Since we’re using a recognized international industry standard, there’s no guesswork. The process is validated and a third party conducts a rigorous audit. In the case of SOC 2, the standards must be met every day, every week, every month, and every quarter; the auditors look back to see what’s been done and we must provide evidence. The closest analogy is financial auditing, where an auditing firm produces a report verifying that the auditor went through independently and certifies the financials of a company or organization.
But it’s about more than an auditor giving us a piece of paper. We don’t perform these operations because an auditor asked us to do so. It’s about keeping our company and our customers safe, and in today’s cybersecurity environment, customers want to understand that we are handling their data correctly. Without these certifications, customers may have a long list of requests for information regarding our security posture, which can be very time consuming for the customer and K2.
Many of those questions are answered just by providing SOC 2 reports and being ISO certified, showing that we are following these guidelines or these controls within our organization.
With safety and security, we can show people how secure the K2 cloud is by having the certification and audits in place.
Some of the key requirements include:
- We ensure that there is adequate system access control.
- We ensure that the systems are kept up to date.
- We monitor the systems in terms of logging activity within the customer environment and our own.
- We ensure that all our employees and third-party contractors are well-vetted, especially if they are in contact with our customer environments.
- We identify risk areas and implement plans to address them.
Think of the ISO standards as rules of engagement; what we need to have in place to have what is considered to be a functional information security program (or an information security management system). This includes risk management, vulnerability management, vendor management, software acquisition, and penetration testing. The certification requirements also include HR, legal, and governance controls to ensure that information security is addressed at the board level.
At K2, we’re innovating and looking at new opportunities to improve our operational information security. Achieving and maintaining these international security standards is among our highest priorities.