SOC 2 and ISO: A conversation with Pelion’s Head of Compliance and Risk

Q: Introduce yourself and your role within Pelion?

My name is Krishna Gorjilla. I work for Pelion as the Head of the Compliance and Risk, mostly focused on driving the cyber security framework and implementation of compliance programmes like ISO and SOC 2. In addition to this, my team is also responsible for driving business continuity and the internal audit function for the organisation.

Q: How has compliance evolved within Pelion over the last few years?

Pelion leadership team, all the execs, are fully committed to compliance and security. It all started sometime in the year 2018 when the C-level came to me and said “Krishna, we want to implement an NIST framework or whatever is needed to be in the business of IoT."

That was an interesting challenge, but I have the expertise from the past, so we did some fieldwork, some researching the market and then we came and gave a presentation to the leadership team that these are the things that we can implement.

And then in the end the leadership team went ahead and accepted that we should sponsor and move forward implementing a SOC2 Type 2 as well as ISO 27001 certification. If you didn’t know, ISO 27001 is accepted in the world as the de facto framework for information security and cyber security implementation.

So, we went ahead with that vision and as always, the leadership team at Pelion, as was Arm, is totally committed to compliance and security.

Q: Can you explain the recent milestones that your team achieved, specifically around SOC 2?

As recent as a few months back - April/May to be precise - we successfully completed SOC 2 Type 2 report, working in partnership with our AICPA vender, which is PwC. This SOC 2 Type 2 was for a total assurance period of January 2020 to December 2020. That was one of the biggest milestones of this year.

A lot of our key customers were happy to see that report. The reason being it was a non-qualified report. This is the second time we have achieved a non-qualified report which is a great accomplishment and milestone for the company.

In addition to that, we completed ISO 27001 for the whole Pelion company, covering all the locations and sites we have. We have Israel site, we have Finland, we have Glasgow in Scotland as well as here in North America and we have in India as well as in Japan.

We received the ISO 27001 certification as recently as January/ February this year. We successfully delivered what we call our enterprise risk management framework, which follows a COSO framework. It is being implemented for the monitoring of business risk, which is very important because it ensures Pelion manages its risk management process effectively.

Tired of reading? Listen to Krishna instead

Q. Can you tell us a little more about the SOC 2 process and what parts of Trust Services Criteria (TSC) Pelion are implementing?

Sure, SOC 2, it was in the year of 2019 when we really started. We worked with all our control owners to go through a thorough planning. Then we called for a workshop where we got PwC, a subject matter expert, as well as our control owners together under the same roof. We went through each and every control then did what we call readiness assessment.

Based on the readiness assessment we came out with the areas we needed to improve upon. In fact, we did the remediation work within a short period of three to six months. Then we went on to do what we call a SOC 2 Type 1 assurance report, which is nothing but a snapshot of current controls effectiveness. We found those to be very effective hence we went ahead and did a SOC 2 Type 2. So that was the process what we followed for the SOC 2 Type 2.

I'm going back and little bit deeper into the SOC 2 Type 2, there is Trust Services Criteria based on which we select controls. Out of the five trust services criteria: security, availability, confidentiality, privacy and process integrity we went ahead and implemented the first three. This is security, availability and confidentiality, because those are the most important from our customers point of view.

Q. And what is next for Pelion’s compliance team?

Wow, we have a lot of things lined up as a part of the compliance and risk roadmap for Pelion. All the things we do is purely for our customer’s needs, so right now we are expanding our business continuity plan.

We're also going to implement the business continuity plan (BCP) to second level based on the experience what we had during the Covid timeframe.

Besides this – this is the interesting part - we're going to build out the enterprise security team for Pelion, collaborating with our parent company Arm, who bring a lot of knowledge and guidance to us.  In fact, I'm very happy and proud to share that Arm received what we call CISO 50 award for the year 2021. Really this simply demonstrates that Arm’s security programmes are some of the best in the world and we are going to adopt those to build out our own security operation centre. That’s a challenging part but I’m looking forward to it, my team is looking forward to it.

And the best thing is that I'm surrounded by some very competent, intelligent security subject matter experts in the product security side as well as the information technology side.  So, we're going to collaborate horizontally with all these people, including people services and legal, to build state of art enterprise security for the Pelion business which in the end will help our customers to trust us.