In early 2022, Celonis completed two important information security achievements. Most notably, Celonis became the first execution management and process mining vendor to reach SOC 1® compliance. Secondly, the company successfully completed an ISO 27001 extension audit in March, expanding the scope of Celonis’s ISO 27001 certification.
“Celonis' addition of a SOC 1 Type 2 attestation and expansion of our ISO 27001 certification continue to demonstrate our commitment to customer trust and enhancing transparency of our security controls and operations used to protect customer data,” said Omesh Agam, CISO at Celonis.
Verifiable, independent standards are crucial for building and maintaining trust between organizations and their service providers, especially for software-as-a-service (SaaS), process analysis and automation vendors with deep access to customer data and business processes.
System and Organization Controls (SOC) reports, developed by the American Institute of Certified Public Accountants (AICPA), are designed to demonstrate that service providers are meeting high standards for security, confidentiality, privacy, availability and processing integrity. SOC reports are also important for evaluating the effect of the service provider’s controls on the customer’s financial statements.
Completing SOC audits and obtaining the subsequent attestations plays an important role in vendor selection for many companies. For example, the Sarbanes–Oxley Act of 2002, often referred to as Sarbox or SOX, requires that public companies in the United States follow specific financial record keeping and reporting practices. Many U.S. public companies will therefore require that vendors supply a SOC 1 report so they or their auditors may evaluate the effect of the vendor’s controls on their own internal controls over financial reporting.
SOC 1 and SOC 2 audits may look at similar controls, but the scope of the testing is different. As mentioned above, a SOC 1 audit tests internal controls for systems that can affect financial reporting. A SOC 2 audit tests controls related to the service provider’s operations and compliance, which for Celonis includes security, availability and confidentiality controls.
Within SOC 1 and SOC 2 reporting, there are also Type 1 and Type 2 attestations. A Type 1 report includes an audit of the design of controls to meet SOC control objectives as of a particular point in time. A Type 2 report evaluates the controls’ design over a period of time, usually 6 or 12 months.
Celonis passed the SOC 2 Type 1 audit in 2020 and became the first process mining vendor to achieve SOC 2 Type 2 accreditation in 2021. The company is now the first process mining and execution management vendor to achieve SOC 1 Type 2 compliance. According to Omesh, achieving this latest milestone is integral to supporting customers’ financial statement audit and compliance needs. He said:
“Celonis' addition of our SOC 1 Type 2 independent audit provides additional assurance to our customers that industry-leading security, operational controls and safeguards are built into every layer of our Execution Management System.”
ISO/IEC 27001:2013 (ISO 27001) is an internationally recognized information security management standard published by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission).
Celonis’ German entities acquired ISO 27001 certification in 2018. With the successful completion of an ISO 27001 extension audit in March, the scope of Celonis’ ISO 27001 certification is now expanded to include two new entities (Celonis Inc. and Celonis SL) and the following locations:
Celonis Inc. operating at the locations of:
One World Trade Center, 87th Floor, New York, NY, USA
1 Glenwood Ave, 5th Floor, Raleigh, NC, USA
Celonis SL operating at the location:
WeWork, Paseo de la Castellana 77, Madrid, Spain
According to Omesh, this expansion of certification scope demonstrates a high level of security maturity and security in depth at Celonis.
“As we continue to grow internationally, the extension of our ISO 27001 certifications proves that Celonis is committed to upholding the required standards of information security across its entities, teams and locations that are essential to operate and support our product offering,” he said.
To date, Celonis has achieved and successfully attested its compliance with the ISO 9001:2015 (quality management), ISO 27001:2013 (information security management), ISO 27701:2019 (privacy information management), Cloud Security Alliance CSA-STAR Level 1, SOC 1 Type 2 audit, SOC 2 Type 1 and Type 2 audits (secure data management), GDPR (data processing) and the automotive industry Trusted Information Security Assessment Exchange (TISAX).
For a detailed overview of the company’s compliance, security and privacy resources, visit the Celonis Security & Trust Center.