- Case Study -

Comprose and Vanta

Comprose leveraged Zavanta and partnered with Vanta for quick SOC 2 and ISO 27001 certification processes.

Discover how Comprose used Zavanta and partnered with Vanta for quick SOC 2 and ISO 27001 certification processes.  

 

“Speaking with my colleagues in the industry, companies may spend up to two years attempting to gain certification and still be unsuccessful. Thanks to Zavanta, our process only took six months.” 

 

Business Challenge 

SOC 2 and ISO 27001 Compliance Priority  

 
SOC 2 and ISO 27001 are compliance standards that verify the processes and procedures are in place to manage information security. These certification processes are time-consuming, often taking 12-18 months, with the very real possibility of still not being certified. While Comprose was already focused on information security, we knew it was important to our current and future clients to pursue these certifications.

Our goal was to partner with a SOC 2/ISO 27001 expert to guide us through the required steps, expedite the creation, management, and approval processes around the required policies and procedures, and reduce the ongoing effort to maintain our certification.

Our Partner

Vanta

Comprose partnered with Vanta to streamline the monitoring requirements and audit process for SOC 2 and ISO 27001. Vanta is the leading trust management platform that helps simplify and centralize security for organizations of all sizes. Vanta’s easy-to-use platform brought many benefits and made a complex process far simpler. 

  • Vanta makes our compliance information directly available to our auditors in a format they find useful.
  • Vanta is integrated directly with our infrastructure, and suggested infrastructure changes provide clear step-by-step directions on how to make the changes.
  • Our dashboard provides our compliance status and who is assigned to each task.
  • Each Vanta document links to our documentation in Zavanta and includes the framework (SOC 2 or ISO 27001) and the related section code (e.g. A.5.1).
  • Vanta provided MS Word based templates for documents, procedures, and policies, which we were able to quickly convert into Zavanta’s structured content format.
  • Comprose uses Vanta to supplement our security training.
  • Vanta provides ongoing reminders and scheduling for recurring controls and evidence requirements.

How Zavanta and Vanta Complement Each Other 

Zavanta Picks Up Where Vanta Leaves Off  

Vanta offers a platform for helping a company achieve and maintain SOC 2 and ISO 27001 compliance. It primarily focuses on the latest version of your documents and the controls necessary to achieve these certifications.

Zavanta is an end-to-end policy and procedure management system. It streamlines and automates the entire document lifecycle for ongoing maintenance, updates, and future recertifications.

Zavanta is a powerful complement to Vanta because it addresses the complexities of how documents are created, reviewed, approved, and published within your organization. It also manages how your employees access and use your documentation on a daily basis.

We leveraged the following Zavanta features to accelerate our SOC 2/ ISO 27001 journey:

Web Portal: Our modern, searchable, and highly structured documentation web portal allows auditors, employees, management, customers, and security staff to quickly search for and find the required security policies and procedures, along with other business operational information, all in one convenient place.

Access Control: Zavanta provides a robust access control system that ensures staff do not see documentation that is not relevant to them or that is privileged.

Crosslinks: Our trust management platform (Vanta), as well as the rest of our documentation, always links to the latest version of each document in our Zavanta portal, so there is no risk of referencing an outdated version.

Version Control: Zavanta keeps a Document History that tracks who made changes and when, which we can show to the auditors. This provides proof that the content is regularly reviewed and updated.

Read Verify, Testing, and E-signature: Employee attestation features allowed Comprose to verify to the auditors that employees, the management team, and the ISMS security oversight team not only read the materials but also understood them and took a test on them.

Further adding to the accountability that SOC 2 and ISO 27001 auditors must see, employees sign that they have read, understand, and will follow the materials. These materials can include the code of conduct, security policies, whistleblower, bribery and gifting policies, expense policies, and so on.

Workflows: Documentation can be reviewed and approved through workflows, which demonstrates to the auditors that a change management process is in place. This also works together with Version Control.

Checklists: Engaging checklists demonstrate to the auditor, for future audits, that the procedures were actually carried out. Each checklist entry is date and time stamped by employee. More importantly, checklists satisfy the auditor's requirements for our change management policies and provide a history of the documents' use, such as our monthly Access Review, without scrambling to find the email threads where these activities were performed.

Zavanta is tailor-made to meet our compliance requirements. It allowed us to obtain our SOC 2/ISO 27001 certifications in 6 months, and our ongoing cost to maintain our certifications has been extremely low. The release of checklists closes the gap we had around uniformly tracking the execution and use of our policies and procedures.

 

The Results 

Streamlined Audit Process 

Comprose successfully received SOC 2 and ISO 27001 certifications in six months from start to finish. This expedited timing is rare and speaks highly to the synergy between the Vanta and Comprose teams along with the Zavanta software.

During our certification process, we made no changes to the Zavanta system. We simply took advantage of all the features and functionality we provide for our clients. This lays the foundation for any of our clients to utilize Zavanta in the same way for their own certifications.

Foundation for Future Recertifications 

The Comprose team has successfully completed the initial work required to receive the certifications. By utilizing Zavanta, we have created an organized and structured environment for future recertifications. 

  • Comprose has followed Vanta’s guidance and established the policies and procedures required for the certifications.
  • Documents are cross-linked between the two systems to easily update documents should the Vanta requirements change.
  • Reminders have been scheduled in Zavanta for annual reviews of all related documents. 
  • Auditors already have a custom view into Zavanta to easily access content in future audits.  

Summary/Key Takeaways

Many companies need or require SOC 2 and ISO 27001 certification to reduce risk and improve quality. Below are the tips we recommend to streamline the process.

  • Partner with Vanta. We highly recommend working with Vanta on your certifications. Their trust management platform simplified the steps and clearly identified the documents required for certification.
  • Leverage Zavanta. Our own software provided the foundation for the certification since we already had many of the policies and procedures required. Documents are cross-linked between the two systems to easily make updates when requirements or regulations change.
  • Think about the future. Expand your thinking beyond the initial certification process. Lay the foundation for the ongoing maintenance, review, and update of your documentation with Zavanta.
