How Seiso got Rimsys audit-ready to close a massive deal
In less than 9 months Rimsys passed dual ISO 27001 and SOC 2 audits — with no nonconformities — and earned their ISO 27001 certification along with a pristine SOC 2 attestation, thanks to Seiso. That allowed them to close a significant deal with their biggest customer ever.
Do you need to show your clients that you have an effective information security program, or have you committed to obtaining an ISO 27001 certification or SOC 2 attestation?
Seiso has a perfect track record over 7 years of working with growing tech companies to meet that challenge.
When Rimsys called to say they needed to be audit-ready for both an ISO 27001 certification and a SOC 2 attestation within 9 months, we sprang into action. We were ready for this challenge, having successfully helped many companies through both of these processes.
We started the journey with a Web Application Penetration Test: an assessment of their new microservice-based flagship product in which we attempted to break in under explicit pre-authorization, documenting every finding and taking care not to cause damage.
While our Technical team was busy testing the client-facing product for security issues, our GRC team took a step back to perform a company-wide Risk Assessment, identifying and cataloging the most concerning items that required attention.
We led them through an intensive Security Workshop, where we meticulously reviewed the design and architecture of their system.
This workshop included a comprehensive analysis of network structures, data flow, and access controls to identify potential vulnerabilities. Following this, our engineers conducted an in-depth Threat Assessment, which involved systematically evaluating the risk of various cyber threats specific to Rimsys’ industry and technology stack.
This assessment was not just a theoretical exercise; it encompassed real-world scenarios and utilized advanced threat modeling techniques. We identified critical security gaps and provided a prioritized list of recommendations for mitigating risks, ensuring the customer was well-prepared for their upcoming audit.
In addition, we:
- conducted a thorough evaluation of the customer’s Security Awareness Program
- created the mandatory documentation for an ISO 27001 auditable program
- formalized and documented the activities they need to perform to support their security program
- orchestrated a pre-audit assessment using a team of battle-hardened consultants and internal auditors to double-check the work
- walked them through the required Management Review practice
- supplied Pre-audit Training to ensure their leaders were ready to undergo audit scrutiny
How did we do it?
Using Seiso’s security program implementation process, we took a simple approach that uses the best of ISO 27001’s information security management system and NIST’s risk management framework.
Our experts pulled it off without any interruption to our client’s business.
First, we worked closely with Rimsys’ leadership and technical team to understand who is vested in their security program and what specifically they care about (their scope).
Then, we worked together to perform a risk assessment to identify unacceptable risks. This entailed reviewing each asset to find the vulnerabilities most likely to exist and the threats that could take advantage of them. We helped Rimsys rank each risk by likelihood and impact, prioritizing the risks they should focus on resolving.
We worked side by side to develop solutions that reduce risk and helped Rimsys implement their security program. That included documenting their information security policies and improving their vulnerability management program.
At that point, Rimsys had a functioning cybersecurity program capable of continual improvement, with documented security objectives the program was required to meet.
It was time to tackle audit-readiness. During this project phase, we coordinated Rimsys’ internal audit to perform a comprehensive review of their information security management system (ISMS), with the goal of finding problems before the external auditor did.
Seiso then guided Rimsys through a management review, discussing the state of the program, including the internal audit results and the organization’s performance in meeting previously established security objectives. Management also reviewed their support for both the program and the security objectives they expect the program to meet in the coming year.
Our client reached the desired state of being ready for their audit in record time. The results? They passed the first time with no findings from the external auditor, without needing extensive tooling or an expensive re-work of their program.
Rimsys made their client happier and more confident knowing they:
- Improved their organization’s security
- Avoided breaching their contracts
- Closed new deals faster
As for Seiso? We, too, made a client happier and even more satisfied with our services, deepening our relationship as a trusted partner.
Today, Rimsys still maintains active ISO 27001 and SOC 2 compliance through our ongoing Management Services. Our team of experts continues to work as part of the Rimsys team by overseeing their processes for continuous improvement and passing their audits year after year.
We do this through a variety of services, such as:
- Business as Usual Activities
- Compliance Automation Tooling Development
- Risk Management & Risk Register Maintenance
- Facilitating Management Review
- Audit Readiness Training & Audit-Day Support
- Internal Audit
- Web Application Penetration Testing