
Kion Achieves SOC 2 Type 1 Compliance

Marianna Noll

We’re excited to announce that Kion recently achieved SOC 2® (System and Organization Controls) Type 1 compliance on Kion’s controls relevant to security. Achieving this milestone is reaffirmation of our commitment to be a trustworthy and reliable partner for our customers.

Becoming SOC 2 compliant is a journey that demands meticulous planning, rigorous evaluation, and no small amount of perseverance. But all this work is necessary to ensure Kion is meeting the highest standards of security, availability, processing integrity, confidentiality, and customer data privacy. In this blog post, we'll take you behind the scenes of our SOC 2 compliance journey and share a few lessons learned along the way.


Our full SOC 2 Type 1 audit report is available to customers and prospects under NDA upon request. To request a copy and get additional details on Kion’s current security compliance status and Corporate Security Policies, visit our Trust Center.


Three Key Steps to Prepare for the SOC 2 Journey

Before we started the ‘hands on keyboard’ phase of our SOC 2 journey, we prioritized the following three steps.

1. Clearly Define Scope

Our first step was to define the scope and parameters of our SOC 2 assessment. It's crucial to identify which aspects of your organization will undergo scrutiny and which domains are most relevant to your business. The starting point for scope is to select from amongst the five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. Kion selected security, which allowed us to then specify the services that fall within this scope and the pertinent policies, procedures, systems, and people.

2. Get the Selection of a Third-Party Auditor Right

Selecting the right third-party auditor is a pivotal decision. The auditor not only reviews your compliance efforts – and ultimately proves your achievement – but also guides you through the process. Finding an auditor who understands your organization's operations and goals is critical.

3. Consider Using a Third-Party Compliance Tool

While not mandatory, third-party compliance tools simplify the SOC 2 process by aggregating information, tracking compliance checks, and providing visibility into your organization's status. We evaluated several solutions and selected Drata as the solution that best met our needs.

Teams evaluating Kion occasionally ask us to compare the Kion solution with Drata. While both Kion and Drata can help you achieve SOC 2 compliance, the two solutions tackle different challenges.

Kion focuses on ensuring that your cloud infrastructure is compliant and stays compliant with SOC 2 requirements. Kion specializes in preventative security controls for AWS, Azure, and Google Cloud environments; automatically configuring cloud environments to a secure baseline; providing least-privilege identity; and continuously monitoring to ensure security controls are enforced. In addition, Kion delivers account setup and provisioning as well as financial management functionality across these cloud environments.

Drata helps with collecting evidence of a company’s security controls to ensure audit readiness.

Used together, Kion and Drata give you a powerful, automated approach to achieving SOC 2.

Once you’ve completed these three steps, you’re ready to get into the policy details.

The SOC 2 Journey: All About the Policy

If you were to boil down the process to achieve SOC 2 Type 1 compliance, you’d arrive at:

  • Define your policies.
  • Map your policies to controls.
  • Prove you’re meeting your controls.

Policies define the systems and processes that must be in place to be compliant with SOC 2. Your auditor will review your policies to determine if your documentation aligns with the requirements within SOC 2.

Developing our policies, while time-intensive, was really the most straightforward activity in our policy efforts. Aligning the broader team and ensuring a successful rollout are a bit more complicated.

It’s easy to get overly invested in the ‘technology’ of the SOC 2 efforts – the nitty gritty of policy writing, using compliance tools, and working with the auditor. However, as with any technology rollout, forgetting the people aspect will doom the initiative. Getting buy-in from team members and leadership on your policies is crucial. It's essential to involve stakeholders early in the process, allowing them time to review and understand the policies.

Rolling your policies out to the broader team of employees for acknowledgement is the last step. We released our policies to team members based on policy relevance to team member roles. This approach ensured that everyone was aware of their responsibilities and commitments regarding compliance, but didn’t burden team members with policies that don’t impact their day-to-day.

Lessons Learned

Having achieved this important milestone, we have a few lessons learned and advice if you’re looking to embark on the SOC 2 journey.

Make SOC 2 your starting point. If your organization is new to compliance frameworks, SOC 2 can be an ideal starting point. It offers a manageable number of controls compared to other frameworks, making it an attainable goal for organizations of various sizes.

Get policies in front of people as soon as possible. Early exposure to policies helps leadership better understand compliance requirements and allows for ample time to ask questions and make necessary adjustments. Try to build in sufficient time for your ‘comment period’ so your reviewers can fit the review process into their workload.

Issues aren’t failures. Finding issues or areas of improvement isn’t bad. This is the precise reason you undertake an assessment against a framework.

Use compliance tools wisely. Compliance tools such as Drata are incredibly valuable, especially for tracking and aggregating evidence. However, as with any technology you’re evaluating, ensure that your tool meets your needs and integrates with the rest of your tech stack.

Conclusion

Achieving SOC 2 compliance is a rigorous journey. For Kion, this journey has not only strengthened our security posture but also positioned us as a trustworthy and reliable partner for our customers.

Next up: we’ll be pursuing our SOC 2 Type 2 and ‘drinking our own champagne’ by using the Kion platform’s compliance checks to detect if we drift out of scope.

About the Author

Marianna Noll

Marianna is the Senior Director of Marketing at Kion.