Kaspersky has successfully passed the Service Organisation Control (SOC 2) Type II audit for service organisations. The assessment evaluated the security of Kaspersky’s antivirus database development and release processes, as well as its protection against unauthorised alterations.
The Service Organisation Controls (SOC) framework is an international reporting standard for cybersecurity risk management systems, which was established by the American Institute of Certified Public Accountants (AICPA). It evaluates security control processes based on five fundamental principles: security, availability, process integrity, confidentiality, and privacy.
For the first time, the SOC 2 audit completed by the company covered a year-long period, from August 2023 to July 2024, whereas earlier assessments covered periods of 3 to 6 months. Conducted by an independent service auditor, the assessment examined Kaspersky’s process for developing and implementing antivirus databases for Windows and Unix operating systems against the criteria of security and availability, including the following elements:
- Kaspersky AV bases development and compilation services that are used for the source code development and its compilation;
- Kaspersky AV bases code storage and review systems that are used for the source code storage and review process;
- Kaspersky AV bases test and release system that is used for the implementation of the AV bases;
- Kaspersky AV bases test system that is used for the verification of the AV bases;
- Information systems supporting the above-mentioned processes.
The audit involved interviews with responsible management, supervisory, and staff personnel. It also involved the observation of Kaspersky activities and operations, and the inspection of Kaspersky documents and policies. As a result of the check, auditors concluded that Kaspersky’s controls ensuring automated antivirus database updates comply with applicable trust services criteria, while the process of the development and implementation of antivirus databases is protected from tampering.
“Kaspersky always aims to provide its customers and partners with firm assurances of the reliability and integrity of the company’s products and services,” says Alexander Liskin, head of threat research at Kaspersky. “In addition to implementing strict security controls, it is crucial for us to get an outside expert opinion confirming that the measures in place are sufficient and comply with the industry standards. The latest SOC 2 audit has once again confirmed that our control methods are functioning correctly, and the process for development and release of antivirus databases is protected against unauthorised changes.”