Officebeacon, a US-based software solutions provider, is globally renowned for its virtual staffing solution, which is trusted by thousands of companies and leading institutions all over. With over 2000 employees and offices that span geographies, Officebeacon bears the capabilities to service businesses across markets and sectors.
Challenge
Officebeacon was planning to ramp up customer acquisition efforts across markets. A time-bound, strategic move, this exercise brought ashore the need to get ISO 27001 certification to prove both product security and operational maturity.
A pre-covid gap assessment carried out by one of the Big 4 audit firms had revealed policy implementation shortcomings that needed to be addressed by way of a formal security compliance program. But to continue on the path outlined by their assessor would mean investing an exhausting amount of time and effort, something Officebeacon wanted to actively avoid. “Following their recommendations would mean committing to almost a year of our time to just getting processes set up and policies implemented. We had a strict timeline to meet, and this approach was not feasible,” recalls Anil Varma, CISO at Officebeacon.
An audit is not just about producing correct documents. You need to link evidence to the controls being tested to clearly show your policies are functioning as they are meant to do.
As the CISO, Anil was also keen on using this opportunity to refresh compliance processes altogether – applying technical rigor to eliminate silos, enforce policies, and monitor controls against policies. “Controls tell you how good your policy implementation is,” says Anil.
Effective implementation involves translating policies into specific control measures, mapping them to the right entities, assigning clear roles and responsibilities, and then monitoring their effectiveness to ensure they are working as intended.
When Officebeacon began exploring vendors, they were looking for “specialists” who could identify and consolidate information in a single place. They found that Sprinto was a good fit almost immediately. “No other tool gave us the confidence that Sprinto did,” notes Anil. “Just by looking at the dashboard, I could tell that the platform is comprehensive. Unlike other platforms where you have to go through 2-3 pages to get information, Sprinto presents all relevant information in a single place. The platform is also more user-friendly compared to others,” he adds.
Sprinto’s fundamentals are really remarkable!
Officebeacon decided to partner with Sprinto to address three things:
- Improve the implementation of security policies
- Meet rigorous ISO 27001 compliance requirements and receive certification
- Establish a technology-enabled practice for managing compliance
Solution
Officebeacon kicked off ISO 27001 implementation with policy documentation using Sprinto’s policy templates. “We spent almost 10 days on this,” notes Anil. “Once the policies accurately reflected Officebeacon’s ethos and commitments, we published them in Sprinto and made them available to the entire organization.” With the employee email provider integrated with Sprinto, Officebeacon could trigger emails for security training and policy acknowledgment org-wide.
Turning policies into controls and mapping each control to suitable checks followed right after. Control owners were identified, and a monitoring and remediation exercise was immediately launched to fill compliance gaps. As part of the integrated risk assessment exercise, tasks ranging from device encryption and multifactor authentication to vulnerability management and vendor management practices were scoped out. “We realized that while many of these tasks were emphasized in our policies, they were not effectively implemented. Primarily because we lacked the tools to enforce them at the entity level as strictly as needed,” notes Anil.
Sprinto’s dashboard is very interactive. With a single click, you can see where you stand, and how many things are compliant and pending across different levels such as infrastructure, people, devices, and more.
Technical factors aside, Anil notes that one of the biggest hurdles was getting an organization of over 2000 employees to come together at once to meet compliance requirements. “It’s a mindset challenge, really,” he says. “Coaching your teams on the importance of compliance helps. Senior leadership’s championship is key,” he adds.
To enable prompt actions, Officebeacon leveraged Sprinto’s automation capabilities to the fullest. Armed with clear, time-bound compliance workflows and period triggers, Officebeacon was able to move steadily towards its goal of achieving ISO 27001 compliance. Anil remarks,
We began operating at a granular level. Using Sprinto we configured checks in a detailed manner. Tagged to a workflow and a person, monitoring compliance progress became easy.
Results
Officebeacon was ISO 27001 audit ready in 2 weeks. “I went through each and every control and it was all mapped to exercises we did on-site.”
Using the Sprinto auditor dashboard, it was easy for Officebeacon to share evidence with their auditor. Accuracy was key, and Sprinto assured Anil of the quality of the evidence, including snapshots. “Because issues were fixed well in advance of the audit process, it was easy for us to complete audits quickly,” says Anil.
Within 40 days of entering an audit, Officebeacon received its ISO 27001 Certification.
Anil notes that automation played a crucial role in helping Officebeacon achieve audit success. “We could have accomplished all of this using Excel and PowerBI, but it would have required many man-hours. And more than 8 months. With a purpose-built tool like Sprinto, we can meet timelines and goals much faster.”
Automation helps, in terms of linking all the pieces together. Along with APIs, Sprinto paints a clear picture of where you are and where you need to go.
Anil also emphasized the role Sprinto’s support team played in enabling him. “Software vendors can be rigid but Sprinto was flexible and worked with us. They have a solution mindset and the team problem-solved with us every step of the way,” he notes.
Right from sales to support, the Sprinto team is always available.
Since achieving compliance and certification, Officebeacon takes assurance in the guarantee of a secure and compliant practice. Notes Anil, “Now that everything is lined up in one software, we are more relaxed.”
