How Anaconda got 11x more efficient at demonstrating security
Anaconda is a unified AI platform built to advance AI with open source at scale. The company’s platform provides access to the foundational open-source Python packages used in modern AI, data science, and machine learning. With over 50 million users and 21 billion downloads, Anaconda has established itself as the gold standard for Python, data science and AI. Anaconda’s products are a mix of open-source packages, distribution, and tooling to manage Python implementation. The company’s customers range from Fortune 100 companies and government agencies to small organizations, teams, and individuals who rely on Anaconda to source, secure, build and deploy AI with confidence.
Key requirements
Align with the ISO 27001 security framework to establish baseline controls across security areas, while maintaining flexibility to address control gaps based on evolving best practices and organizational needs, all without compromising Anaconda’s commitment to providing secure, trusted distribution that accelerates AI development and automated control monitoring to eliminate manual tracking and validation.
Sprinto solution
An out-of-the-box ISO 27001 security program with comprehensive policies, automated control monitoring for continuous tracking and validation, and built-in compliance crosswalks for fast scaling. Backed by in-house experts for integration support, platform compatibility, and guidance on implementing the right controls to meet both security and compliance needs.
ISO 27001
USA
50% less effort
To answer security questionnaires
Reduction in engineering busywork
For control management
Strategic compliance
Enabled and prioritized
Ready to get started?
The Challenge – Driving compliance accountability
For David Mason, Director of Security at Anaconda, the search for a compliance solution began with a mandate to increase the company’s compliance footprint.
As a trusted platform serving 95% of Fortune 500 companies and processing over 21 billion downloads, Anaconda recognized that demonstrating security wasn’t just about internal controls—it was about maintaining the trust that millions of users place in the platform every day to deliver secure, verified open source packages for their AI initiatives.
The goal behind compliance and securing attestation for a known framework was to ensure a strong baseline of controls across key security areas, moving away from their usual, risk-by-risk approach that often left gaps. This would also speed up sales cycles, reduce the burden on engineering, and provide customers with straightforward security assurance, without lengthy explanations of security practices.
As Anaconda took on this charter, the security team found themselves blocked in a key area—control implementation. David elaborates—“When we assessed our existing controls after performing a gap analysis, we found that a lot of these were either spottily applied or not at all. If there was a control for every time somebody was onboarded, it may or may not have been executed, and nobody was going back to check if the right processes were being followed. We didn’t have the maturity in our procedures to validate controls.”
The compliance process in place overlooked stakeholder communication and prioritization. “There was executive buy-in, but we hadn’t prioritized compliance at the same level,” shares David. “To fix control gaps, your stakeholders need to know just how blocked you are. That made us lean heavily into automation.”
The team realized they may have also set control expectations without ensuring full understanding. “Everyone knows what to do; they just don’t know the right artifact to prove it,” says Amanda Parson, compliance program manager at Anaconda. “We have a culture of high trust, high autonomy. You’re expected to manage and secure your processes with guidance from security teams and share artifacts if needed. Constantly spoon-feeding and following up would go against the grain of how we work.”
We were looking for a way to automate monitoring our control environment so that we didn’t have to poke around quite so much into everyone’s day-to-day because we just didn’t have the time. Sprinto was a good match for our use case.
The Solution – Expert-guided control implementation and continuous, automated validation
The Anaconda team wanted to start their journey to attestation with a relatively lightweight framework that would pave the way for stricter compliance standards in the future. Consequently, the team chose the ISO 27001 framework. Sprinto ensured out-of-the-box compliance coverage with pre-mapped controls and automated checks, customizable to fit Anaconda’s needs.
Sprinto’s cloud-native integrations connected Anaconda’s infrastructure with relevant ISO controls for real-time control monitoring, a key requirement. “The partnership from the Sprinto team was really important because, especially during platform implementation, the integrations had to match to have a high level of monitoring automation,” says David. “Sprinto was quite flexible and accommodated our integration requests.”
In addition to supporting a risk register, Sprinto’s customizable ISO policy templates enabled Anaconda to create compliance documentation tied to controls and risk scenarios. The Anaconda team then directly rolled out policies for org-wide acknowledgment, paired with on-platform security training.
Sprinto’s expert-led support played a crucial role in getting Anaconda ISO-ready, helping align essential compliance and preferred security controls to Anaconda’s environment, in a way that met both compliance and corporate security conditions. Change management was one area where Sprinto experts worked closely with Anaconda to define the right control conditions, ensuring zero gaps and a flexible control management system.
“Sprinto, as opposed to some other partners in the space, has been very flexible from an implementation and account management perspective. It’s a true partnership where we solve problems together. That makes a big difference,” remarks David.
With ISO 27001 controls set up and automated testing in place, Sprinto produced a consolidated, real-time view of security assets, risks, policies, controls, and evidence, enabling the Anaconda team to see exactly where they were sliding and scaling.
Sprinto also helped reduce manual compliance effort with context-rich alerts to designated control owners when controls were at risk, driving accountability across the organization.
The ideal situation to get to is real-time compliance. When everything’s hooked up on Sprinto, and if a control fails, you get an alert right away. You know exactly when you’re out of compliance and why. So that when we do go to the auditors, we know exactly where you stand.
The Results – Efficient compliance management and security communication
“We were able to land the compliance program last year in a minimal way and clearly demonstrate its value and the value of automated compliance,” says David.
David explains, “We’ve seen a significant reduction in the complexity of our customers’ initial procurement of our software. Qualitatively, at least half of the volume of security questions is gone thanks to attestations. So far this year, I’ve only had to do six or eight questionnaires about our security. It was six or eight a month previously!”
Sprinto’s compliance crosswalks added additional business value by helping Anaconda identify which other frameworks controls ISO 27001 covered them for, enabling them to make an informed decision about what to pursue next.
“Earlier, we’d have to rely on multiple tools and spreadsheets to check if we could reuse controls and evidence across frameworks. With Sprinto, it’s seamless; you can see all the different audit frameworks and the percentage of completion within your controls environment, that does give you some intel on the next easiest thing to go after,” says David.
Crucially, with Sprinto platform taking over the compliance housekeeping, David and the Anaconda team can now focus on building and strengthening their security programs.
For Anaconda, efficient compliance management directly supports the company’s mission to transform the world with accessible, secure, and scalable open source. By streamlining security demonstrations, Anaconda can focus on what matters most: empowering organizations and builders to solve and innovate with data, inspiring breakthroughs that shape the future.
Overall, there’s been a reduction in the engineering busywork, babysitting the control environment, and gathering evidence screenshots. I don’t think I can undersell how useful that is for our team. It lets me move up the value chain, be less tactical and more strategic.