Kinde achieves ISO certification
By Alex Norman — Published
Kinde is now ISO 27001:2022 certified! Woooo. Our public listing is available on the JASANZ certified organisations register by searching for Kinde Australia Pty Ltd. Reach out to our team if a copy of the certificate is required.
Moving on past the abundance of enthusiasm for auditing and compliance, this is a huge milestone for us at Kinde and our growing customer base.
What is ISO 27001?
Straight from the horse’s mouth:
This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO 27001 is a tool that helps address risk and incorporates positive security habits into the day to day running of a business.
Why do compliance
Our internal wiki has a landing page talking about all things Kinde, with this at the top of the page:
Our purpose - To create a world with more founders
Our mission - Reinventing the way software companies get started
The core of that purpose and mission is to enable founders and startups to authenticate their users, known as customer authentication, safely without having to build complicated infrastructure. Almost all of our other product features relied on the success of that piece since it provided the foundation to add value in so many more places.
Using a third party for customer authentication requires a lot of trust. To help build that trust, we planned from the start to be compliant with an industry standard to show that we’re being serious about how we secure our product and business.
We also recognize that compliance isn’t a security silver bullet. However, in our view, the fact that an external auditor has baselined us against a globally recognized standard is an important part of building a secure and trustworthy business.
ISO because
There were two obvious choices for us, SOC2 and ISO 27001. We had originally planned to do SOC2 since our earliest expansion plans were aimed at the US market. On the face of it, SOC2 is the preferred choice in the US and ISO 27001 is the preferred choice for the rest of the world. Both have similar goals in that they provide an information security framework against which a company can measure themselves.
The customer is king
We took part in a readiness audit to prepare for our Type 1 at the end of 2022. The end of 2022 was also the time our team were doing in-depth customer research calls across all the contacts we’ve made over the year. The results when filtering for compliance needs were clear. Our prospective and ideal customer personas were firmly in favour of ISO 27001.
A quick pivot over the new year shifted our focus to resolving gaps against ISO 27001 and tidying up our documentation to suit an audit.
Audit tools
The heart of our ISMS is built in Notion, which is also where we keep all our documentation.
If it’s not written down, it doesn’t exist
Using Notion to manage the ISMS wasn’t always the case though. When we agreed that now (October 2022 to be precise) would be the time for SOC2 preparation, we felt like we needed an external tool to help organize the Trust Services Criteria and to help us find a suitable auditor, especially since the auditor needed to be a US-licensed CPA. Tugboat Logic was a big help here. They offer a very attractive license designed for startups, have a ton of good information in their Helm Community, and have a large auditor network for referral.
However, once we switched to ISO 27001, there wasn’t a need to use Tugboat Logic anymore since a few of us were already comfortable with the standard. We purchased both the ISO 27001 and ISO 27002 documents, merged them into a Notion database, and went about our day mapping our policies, procedures, and commentary to the management clauses and annex controls. This was honestly a breath of fresh air.
I’ve always found tools that organize information security and compliance are a few steps removed from where the action actually is. The Notion database allowed us to map documentation in both directions between their policies and controls, filter and group based on categories, assign ownership, and link them to the risk register. The risk register, also a Notion database, was linked to the assurance activities and task schedules. The assurance activities, you guessed it - a Notion database, were linked to metrics. Blah blah blah you get the point. It ended up being an ISMS in a box.
Changes
I’ve been fortunate enough to have helped implement systems that align with both ISO 27001 and SOC2. I’ve also been fortunate enough to have worked with Kinde in some form for just over a year now.
Experience and time are great allies
We drip-fed procedures, controls, and best practices since day 1 that would help keep our startup secure and eventually aid us with our external audit. No big bang changes. No major overhauls. Every time a process was being developed or changed, we would consider how to implement it in a safe and secure way that was measured appropriately to who we are. You can catch a glimmer of this in an earlier blog post - Security at Kinde.
The biggest change we encountered along the way was the change from SOC2 to ISO 27001. As mentioned earlier, this required a re-mapping exercise and a shift of some tooling to get us back on track.
Well prepared
Our CTO Evgeny even remarked how smoothly the certification audit was going. “Smooth” is a good way to describe it. I think “well prepared” is also accurate.
Preparing for an audit will make the whole thing go a lot smoother
We stepped into the auditor’s shoes, asked ourselves what kind of explanation and evidence they would want, and captured it alongside the relevant clause or control.
We sent the certification auditor our Statement of Applicability along with the responses and related evidence. The certification auditor was able to step through all the information we provided in their own time with an occasional meeting or email when there were questions or further clarification needed.
This also saved us from having to sit in a full day’s long virtual meeting with screen sharing. It felt modern and in line with the remote work style that both Kinde and the certification auditor have embraced.
Highlights
There were a lot of highlights along the way, but I really need to call out three anonymous examples.
Information security policies
There was a cohort of suspects in a group discussion that turned policy drafting into a comedy afternoon picking apart “shall” vs “should” and forgoing the legalese for plain text. The lesson here is to involve other people throughout the business when creating these policies. They may not be directly impacted by some of them, but their context, past experience, and unique perspectives will be invaluable. And at worst, they will make fun of the boring text and keep you on your toes.
Change management
A certain product manager and I sat down for a brain dump of how Kinde manages product changes. The process document is amazing. It’s great to be able to see the full lifecycle our team uses to track an idea inspired by the product triad, identifying the various stages of development, and releasing into production. The coolest thing I learned here was how our team uses feature flags to perform safe and non-destructive testing of new product features, which is also something our customers will soon be able to experience for themselves.
Teamwork
Everyone was on board to help where they could to achieve certification. The founders made sure it was a company goal from the beginning and provided their support publicly in our weekly all hands. Any adjustment or change was met with a positive attitude about how we could improve on what we have. Our project_iso Slack channel, where a group coordinated efforts, never had a comment about how something couldn’t be done. Having this level of commitment and understanding from your peers makes doing tedious work a whole lot easier.
The journey ahead
Maintaining our ISO 27001 certification and continuously improving the ISMS will be our focus for the next few years.
A big shout out to Compass Assurance Services for performing the certification audit. And a big shout out to SeComPass who helped with our original SOC2 readiness and were flexible enough to pivot with us to do an ISO 27001 internal audit along the way.
And of course a massive shout out to the entire Kinde team. The combined efforts of everyone here are what helped us gain certification.
For any founders and startups who have questions about ISO 27001 or anything compliance in general, please feel free to reach out because we would be more than happy to chat.