KRM22 Completes SOC2 Type II Audit

October 26, 2021

At the beginning of 2021, we announced that we successfully passed the SOC 2 Type I examination.  This proved that KRM22 has suitably designed policies, procedures, and controls in place to secure the systems and data our customers rely on.

Having now completed a detailed and thorough follow-up audit, we are pleased to announce that we are SOC 2 Type II compliant as well!

This means that KRM22 adheres, in day-to-day operation, to the policies, processes, and controls we defined as part of the SOC 2 Type I examination. Once again, during the process, the auditors repeatedly complimented our level of compliance maturity.

Being a software-as-a-service (SaaS) platform that handles sensitive customer data, we have always believed that information security is fundamental to the success of our Global Risk Platform (GRP).

Pursuing SOC 2 Compliance

KRM22 has instilled a strong security ethos during our short 3-year history, implementing good practices in information security such as firewalls and code reviews. To build on that commitment, it is important for us to prove to our customers that we do everything we claim to do. Like us, our customers really value compliance.

This led KRM22 to pursue the Service Organization Control 2 (SOC 2) attestation, the widely recognized and coveted gold standard for information security. It requires organizations to establish and follow strict information security policies and procedures, covering:

  • A secure software development lifecycle
  • Access control that follows “least privilege” best practices
  • Detailed logging, monitoring and alerting
  • Encryption controls that meet or exceed best practices
  • Completion of internal and external penetration testing
  • Active monitoring for intrusion events and security incident handling
  • Data backup and disaster recovery

The SOC 2 attestation is built on a set of five Trust Services Criteria; we focused on two:

  • Security: That information and information systems are protected against unauthorized access, unauthorized disclosure, and damage
  • Confidentiality: That the various types of sensitive information designated as confidential are protected

Risk Cockpit to the rescue!

Our key vendor choices, AWS as the cloud hosting platform for the GRP and Microsoft Azure AD as our internal identity and access management service, made the process easier, but the secret to our success was using our very own Enterprise Risk Cockpit: a web-based, enterprise-grade risk management application that provides a real-time view of our enterprise risk profile, built from an aggregation of risks and controls across all of the company's security-related touchpoints.

The cockpit allowed us to define our information security objectives based on the NIST Cybersecurity Framework, create our company risk strategy, and link that strategy to ITIL 4 process and procedure best practices, all underpinned by a mapped set of ISO 27001 Annex A controls. The ARIC accountabilities model embedded throughout the Risk Cockpit ensures that system information owners are reminded to score their systems using the CIA (confidentiality, integrity, availability) rating method, prompted to provide an effectiveness score for their controls, and asked to define the severity of their risks. These are then all rolled up using metrics into visually stunning dashboards that allow for easy tracking of progress.

What’s next?

While obtaining the Type II attestation is an important milestone in our efforts to be the most secure risk platform in the market, we understand that our work is never done. To continue to show our commitment to information security, we are looking to supercharge our Risk Cockpit in 2022 to demonstrate alignment with NIST, ITIL 4, and ISO 27001. Watch this space…

And finally…

Here at KRM22, we continue to believe that effective security is a team effort, requiring the participation and support of all of us. We continue to be vigilant and understand that keeping our customers' data secure is everyone's job!