Data-driven ISO 27001 and SOC 2 compliance in months, not years

Human Managed’s customers trust us with some of their most important data, such as their asset information, security configurations, and financial transaction data. We serve clients from the essential services sector, including financial services and government, to protect, scale, and manage their digital business. Because of this, security has always been a top priority for us, and we have strived to embed security by default in our architecture, engineering, and product decisions from Day 1.

As part of our commitment to standards of excellence in information security management, I am so proud to share that Human Managed has obtained ISO/IEC 27001:2022 certification and a SOC 2 Type I attestation report. We are currently in the audit period for SOC 2 Type II.

Why ISO 27001 and SOC 2?

We take our responsibility to keep customers safe very seriously. Compliance standards such as ISO 27001 and SOC 2 set best practices for information security management and data security to help organizations build strong security systems and help customers reduce the risk of working with suppliers.

ISO 27001 and SOC 2 are two of the most widely used and recognized compliance standards in the world for practicing data security controls.

  • ISO 27001 is one of many standards created by the International Organization for Standardization. It provides requirements for setting up a strong information security management system, or ISMS, using measures such as risk assessment, access control, and incident reporting protocols.
  • The SOC 2 standard was developed by the American Institute of Certified Public Accountants (AICPA) to document the steps you’re taking to keep your customers’ data safe while you handle, process, or store it.

Neither ISO 27001 nor SOC 2 is a mandatory or legal requirement for us. However, we wanted to hold ourselves accountable to both rigorous frameworks to establish even stronger trust with our customers, to be as comprehensive as possible in our approach to information security, and to hold ourselves to the highest standards of excellence across our governance and operations.

The audit process

Getting ISO 27001 and SOC 2 compliant is an organization-wide effort. It requires leadership and the functions related to HR, IT, security, operations, engineering and more to align closely on the common mission of the defined ISMS scope.

Most of the security controls were applicable to our business, and we have more than 100 technology vendor tools that support the 92 microservices of the Human Managed platform. Needless to say, the audit process was no easy feat for us and required focused execution and teamwork.

The key stages in the audit process were as follows:

1. Implement security controls & document policies: organic progress over 5 years

We are no strangers to security posture, compliance, and risk management (one of our most subscribed services is compliance management for security frameworks!). Since our early days, we knew which security controls are applicable to HM, and we already had key policies, procedures, and controls implemented (e.g. information security policy, risk assessment policy, identity and access management process and methodology).

This meant that we were not starting from scratch when we decided to formalize ISO 27001 and SOC 2 compliance this year. We were in a good position and the audit process was more of a matter of getting organized.

As part of our preparation, we conducted internal security awareness training and a workshop on the information security management system.

2. ISMS management meeting, internal risk assessment: ~2 weeks

We formally set up the ISMS council and stakeholders, and assigned accountability and responsibility for each control group and control to individuals in HM.

The ISMS council met on multiple occasions to align on ISMS objectives, identify security risks and agree on their treatment plan, and identify and prioritize compliance gaps. We also conducted an internal risk assessment, a disaster recovery exercise, and an internal audit.

Personally, this part of the preparation phase was incredibly eye-opening and actually enjoyable. The internal exercises clearly revealed repeated themes and our biggest gaps and risks for the ISMS, and set the focus for which procedures to improve before the external audit. Some big wins from the internal exercises were:

  • a clear accountability matrix from policy ownership all the way to control monitoring
  • templates and procedures for key governance and operational processes such as the supplier register, access log and non-conformity log
  • new disaster recovery scenarios, playbooks and runbooks in the order of prioritized data and services
  • a new data resilience strategy

Before the external audit, the ISMS leadership and stakeholders all had an aligned understanding of our gaps, risks, and priorities.

3. Collect evidence, prepare documents, close gaps in controls, perform internal audit: ~2 months

The two months leading up to our external audit were crunch time, when we reviewed and finalized all documents and collated evidence of implemented controls. We also performed our own internal audit during this phase, which gave us the opportunity to evaluate our information security from an objective point of view.

We used Vanta to upload documents, consolidate our evidence and track progress for both the ISO 27001 and SOC 2 frameworks. In particular, its built-in integrations with a wide range of our tech stack (e.g. AWS, Okta, GitHub, Snyk, etc.) were very helpful in automating the monitoring and verification of our security controls.

This phase got us organized, showed us that we were actually way more ready than we initially felt, and built our confidence for the actual audit ahead.

4. External Audit: ~5 working days

Finally came the time for external auditors to assess our security practices against the frameworks.

We used the Vanta-vetted partner Consilium Labs as our external auditor for both ISO 27001 and SOC 2 compliance.

The ISO 27001 certification audit was conducted in two stages and required approximately 5 full working days of time commitment from framework owners and stakeholders. During the audit, the in-scope documentation (policies and methodologies), security controls and practiced procedures were examined and verified in detail, in the format of video-conference interviews.


Learnings and tips

From the moment we confirmed our audit schedule, it took us less than 3 months to get ISO 27001 certified and SOC 2 Type I compliant. Compliance with industry frameworks, especially ISO 27001, is a challenge by design and there are no shortcuts. The entire experience was intense, but so rewarding and valuable. Here are some of my thoughts and tips from the experience.

  1. Adopt security best practices from Day 1: Although the process for compliance certifications and attestations took less than three months, our journey towards mature information security strategy and operations began five years ago, when HM was established. Before we decided to go for ISO 27001 and SOC 2, we already had a good idea of which security controls are in scope for our business, had our key ISMS policies written, and had implemented security controls of very high standards throughout the platform (e.g. modular microservices design, attribute-based access management, client-side data encryption). This made the compliance process more of a gap analysis and gap remediation exercise, rather than an organization-wide security culture building endeavor.
  2. Start when you are small and nimble: Certifications and compliance audits such as ISO 27001 are often associated with big organizations. However, small and earlier-stage companies have a huge advantage in getting on the compliance journey early, because their processes and procedures are not yet fully set, and they can be quick to make the changes needed for compliance with less bureaucracy and complexity. There are so many tools and solutions out there that help you achieve security compliance with far fewer resources and less time than before.
  3. You decide what matters for your business and customers: you are in charge of determining the scope of applicability of the security frameworks based on your services. Although the total universe of security controls is large and always changing, it is not necessary to cover all of it. Carve out what is relevant for your business, and start. Then expand your scope in phases as you grow in maturity.
  4. Frameworks boost your growth. Use them: best practices are best practices for a reason. Although they can be dull and dry, the ISO 27001 and SOC 2 frameworks really helped HM mature to its next stage of growth. They brought my leadership and wider teams closer together, assigned clear accountabilities and responsibilities, gave structure to our governance and operations, gave visibility into our business’ current state, helped us prioritize our risks and remediation activities, plan for continuous improvement, and so much more.
  5. Finally, information security is not a checkbox exercise; it is a continuous operation. Getting ISO 27001 certified and SOC 2 Type I compliant is a huge milestone achievement for our 5-year-old small and lean team, and one that we are really proud of. However, much more important than external validation is the internal practice of information security to the highest standards every day, with accountability.

We are excited and ready to increase our customer satisfaction and trust by being a reliable, secure, and accountable data platform.

Read more about security at Human Managed here: https://www.humanmanaged.com/security

Read our press release here: https://sg.finance.yahoo.com/news/human-managed-awarded-iso-iec-003500256.html

Murari Lal Sharma

@ Sentinelone | Ex - Pingsafe | Ex - BYJU'S

7 months

Great work!

Two frameworks?! Big congrats! Way to go

Roman Burdiuzha

Cloud Architect | Co-Founder & CTO at Gart Solutions | DevOp, Cloud & Digital Transformation

8 months

Impressive achievement! Can't wait to learn more about it.
