Cybersecurity at KONE is a strategic enabler of trust, innovation, and more sustainable urban living.
We are committed to cybersecurity
As we drive digital transformation with our customers, safeguarding data and ensuring the integrity of connected services are essential. We implement robust cybersecurity measures and maintain digital trust through transparent data practices, secure platforms, and continuous threat monitoring.
By embedding security into everything we do, we help customers operate with confidence, unlock new value from services, and shape smarter, safer cities in the future together.
How we work
KONE manages cybersecurity through a risk-based approach that protects our solutions, data, and operations across their lifecycle. Our global cybersecurity management system is ISO 27001 certified.
KONE maintains technological and organizational measures to protect solutions, networks, devices, and information from unauthorized access or criminal use and to ensure the confidentiality, integrity, and availability of information.
Governance: KONE has business-driven security governance and a defined security management system, including security policies, processes, guidelines, and monitoring and metrics to track security performance throughout KONE's business operations.
Asset Management: KONE maintains an asset inventory of technology assets, such as applications, platforms, servers, workstations, and mobile devices. The asset inventory includes the asset lifecycle, owner, and criticality. The assets are disposed of in a secure and sustainable manner.
Information Protection: KONE uses information classification to ensure information is protected in accordance with its importance. The protection measures include access controls, cryptography, data masking, and similar controls.
Identity and Access Management: KONE’s IAM controls enable the right individuals to access the right resources at the right times for the right reasons. All KONE employees, externals and customers have a unique identifier that separates them from other users. User IDs must originate from identified master data systems and have a defined lifecycle.
Application Security: KONE’s secure development lifecycle ensures that application security requirements are identified early in the lifecycle.
System and Network Security: Outgoing internet traffic from the KONE network is secured by a cloud-based proxy solution, by on-premises firewalls at larger locations, and/or by central firewalls at regional hub locations.
Secure Configuration: KONE requires hardware, software, services, and network configurations to be hardened according to security best practices, for example using the Center for Internet Security (CIS) benchmarks.
Threat and Vulnerability Management: KONE’s vulnerability management process defines how vulnerabilities are identified, remediated, and reported. KONE uses a Centralized Vulnerability Management System (CVMS) to process vulnerability information from various sources. Regular vulnerability scans cover internet-facing services and infrastructure. Penetration tests are conducted on a case-by-case basis for prioritized solutions, including IoT devices.
Information Security Event Management: KONE’s Security Operations Center (SOC) monitors the logs collected in the Security Information and Event Management (SIEM) system, analyzes events, and detects and responds to security incidents. The SOC operates 24/7.
Human Resource Security: Reference and other background checks are performed to ensure a candidate is eligible and suitable for the role for which the candidate is considered. All employees are enrolled in a regular, role-based cybersecurity training program.
Physical Security: KONE premises are classified based on a risk assessment. The classification sets the minimum physical security requirements that must be implemented at the site. All KONE premises have physical security perimeters and physical entry controls.
Supplier Relationships Security: KONE has a global, unified supplier segmentation model that includes identifying each supplier’s cyber risk profile. Based on that profile, KONE defines mandatory security requirements for the supplier.
Legal & Compliance: KONE monitors the legal, statutory, regulatory, and contractual requirements that affect KONE and the products and services we offer to customers. KONE participates actively in industry standardization work, such as ISO 8102-20:2022 Electrical requirements for lifts, escalators and moving walks — Part 20: Cybersecurity.
Continuity: KONE Business Impact Assessments set the requirements for recovery time objectives (RTO) and recovery point objectives (RPO). Solutions with high criticality require a documented Disaster Recovery Plan (DRP) that is regularly rehearsed. KONE has requirements for backup management and capacity management that support KONE’s continuity objectives.
Information Security Assurance: KONE has an annual internal audit program for security and a KONE-wide process and supporting system to manage corrective actions. KONE holds IEC 62443-4-1 certification for its secure development lifecycle. External security audits and assurance are conducted regularly.
Read our Cybersecurity management principles here
Standards and certifications
KONE products and solutions are developed with cybersecurity in mind from the start. We follow secure software development processes to embed cybersecurity and privacy into our digital solutions throughout their lifespan. Our secure development lifecycle (SDL) process is certified to IEC 62443-4-1, with the certificate issued by TÜV Rheinland.