The Standards Keyfactor Upholds

In the world of cybersecurity and digital trust, there are few hard and fast rules, yet many ever-evolving best practices. 

PKI and digital certificates are the DNA of digital trust, enabling the encryption and safe exchange of data among humans and machines. AI, quantum, IoT adoption, and other innovations are making PKI an even higher-stakes feature of the enterprise infrastructure. Yet organizations of all stripes still find themselves plagued by outages and sprawl. Their visibility and their knowledge are limited. 

PKI entails a niche domain expertise that is affected obliquely by security standards that touch on data protection and encryption. While the financial industry, healthcare, and other high-governance fields are no stranger to regulations, compliance is coming for mainstream industries, too. 

To meet compliance demands, lower insurance costs, and build operational resilience, working with vendors and solutions built to meet and empower cybersecurity frameworks is vital to success.

The standards we live up to

At Keyfactor, we want to realize our full potential as an organization and offer nothing short of excellence to our clients and partners. That’s why we not only meet the following standards, but use them as a baseline to go above and beyond.

SOC 2 Type II

The System and Organizations Control (SOC) framework offers a series of reports that validate effective information security controls. 

SOC 2 reports assess controls for security, confidentiality, processing integrity, privacy, and the availability of customer data. SOC 2 is relevant to organizations that store, process, or transmit any type of customer data — like SaaS, data hosting, and cloud storage providers. 

Meeting the SOC 2 standards ensures a few key security controls:

  • The organization has data security controls that protect customer data from unauthorized access.
  • The organization can detect anomalies and security incidents across the entire IT landscape.
  • In the wake of a breach or outage, the organization can quickly bring systems back to a functional state. 

Within the SOC 2 designation, Type I reports assess controls and processes at a single point in time, while Type II reports assess them over a timeframe of 3-12 months. Type II reports carry more weight and cover infrastructure, software, personnel, data, and procedures.

These audits are carried out by an independent auditor, and passing them reflects a true culture of security and an effective ongoing security strategy.

ISO 27001, 9001, and 14001

The International Organization for Standardization (ISO) is an independent, non-governmental standards development organization. Globally, more countries are members of the ISO than not, each with a voting representative who helps develop standards for quality and security in the global market. These standards lay the groundwork for national and international regulations.

ISO releases a high volume of standards and frameworks. At Keyfactor, we comply with ISO 27001, 9001, and 14001. Even though these standards aren’t mandatory, implementing them by definition brings organizations within compliance with GDPR and other data protection laws.

ISO 27001 - Safety

One of the most highly regarded standards in the world, ISO 27001 assesses whether a company can effectively safeguard its data. 

The 27001 audit assesses the hardware and software an organization uses to protect its data, as well as the governance for storing and retrieving that data. It also gauges policies for responding to breaches and continually improving data protection strategies.

ISO 9001 - Quality

ISO 9001 is one of the most widely used quality management standards in the world. It helps ensure quality control in regard to goods, services, and software.

The ISO 9001 audit assesses customer satisfaction, process and product improvement, risk management, operational efficiency, internal quality auditing, and other protocols.

ISO 14001 - Sustainability

ISO 14001 lays out best practices for organizations to reduce their environmental impact by adopting an environmental management system (EMS). These systems monitor and report the environmental sustainability of an organization. 

Meeting this standard can help organizations avoid penalties and increase efficiency by, for example, lowering waste produced through the manufacturing process.

Common criteria certified for EJBCA

Built on several technical standards employed by various government agencies in the U.S. and Europe, the Common Criteria framework unifies several ISO technical standards so that businesses selling IT products to governments need only evaluate them against one set of assessment criteria.

The Common Criteria vets whether a product is as secure as it claims. To get Common Criteria certified, organizations must submit an overview of the product, an inventory of its security features, and a description of the context in which it will be deployed. They must also evaluate potential threats against the product. Then, an independent laboratory tests the product to determine whether it lives up to the organization’s claims and functions well within the intended environment.

The convergence of compliance and best practices

At the time of this writing, these standards aren’t mandatory. However, even if they never become mandatory, they will continue to matter and will in fact matter more. Consumers are paying more attention to cyberattacks, breaches, and outages in deciding where to place their business. Organizations, in their search for partners to flesh out their IT supply chains, are applying greater scrutiny to the security of tools and vendors. 

We believe the future isn’t possible without digital trust. In our products, our service, and our people, we’ll continue to strive for excellence and help our clients cultivate trust, win loyalty, and win in the marketplace.