How Sprinto helped Capptions secure ISO 27001 certification 3X faster than an ISO consultant

Capptions is a Netherlands-based Environment, Health, and Safety (EHS) management software provider that helps companies improve their EHS practice, meet regulatory requirements, and build a culture of safety. Large businesses across the world, including Seaways, Sarens Group, and AEB Amsterdam, rely on Capptions to launch and manage EHS activities with ease and efficiency.

ISO 27001, Europe

3X improvement in time-to-ISO 27001 readiness

0 overhead for sustaining compliance

17 employees, headcount maintained

Challenge

Companies rely on Capptions to design and implement their EHS standards. Because many sources of critical information are used to map and manage EHS aspects, including business permits, audit data, and investigation reports, Capptions deemed it essential to demonstrate its commitment to high business standards, data security, and customer-centricity through an ISO 27001 certification. “The beauty of doing ISO is that it drills down where you need procedures and what’s needed for it. You end up thinking about things you would not otherwise think about,” notes Ruben Stolk, founder and CTO of Capptions.

Ruben knew that engaging an ISO consultant was the norm – he’d tried it once before – but he also recognized the pitfalls of doing so. “When we started doing the first round of ISO, I felt we were simply writing down stuff; stuff that no one will read,” Ruben notes. “I prefer tools that put you inside a framework and move you forward. That’s useful.”

Capptions recognized the value of working with a solution that would not only direct but also implement ISO compliance. “We needed a system that would drive compliance and give us confidence that we are in fact compliant. With ISO consultants everything becomes a paper-based truth and you end up doing nominal work,” he says. “That kind of work makes compliance feel like something that’s bolted on, not something that’s built into the system and therefore not a fact of the business,” he adds.

“Compliance should be embedded into a system. We tried to do this by implementing the ISO 27001 framework. But our past efforts were not connected to our systems in any way – we were simply documenting. Sprinto came in as that complementary infra that connects it all.”

Solution

Capptions integrated with Sprinto to execute its compliance program seamlessly and achieve ISO 27001 certification more efficiently. “We saw a demo, tried it out, and it just worked!” exclaims Ruben. “None of the other tools we explored connected with us as well as Sprinto did. Sprinto felt welcoming, like it was made for us.”

Capptions’ ISO 27001 compliance program with Sprinto included scoping their ISMS, setting up robust information security policies, deploying entity-level checks, and implementing training programs for all employees.

“I loved that everything is actually connected. It’s not form-filling. Sprinto is actually checking my AWS environment for safety and security. Instead of me sharing a register of people, Sprinto simply looks at our GSuite to map and monitor risk,” shares Ruben. “All compliance tasks are drilled down to existing systems and that made me fall in love with Sprinto.”

In addition to Ruben, two other members of Capptions’ leadership team led the compliance mandate. “It was really nice to have a dedicated CSM helping us through the process. We got into a rhythm of doing an hour-long call every week, tackling a specific set of tasks in each.”

“We are a typical SaaS company. We use AWS, GitHub, and GSuite much like everybody else, only with some variance. But we are, in effect, using standard tools and technology, in fairly standard ways. If risks are by and large the same, why should ISO be about solving some unique problem? We are a standard company and needed a compliance tool that aligns with this fairly standard reality, without added complexity and overhead.”

Results

Three weeks after implementation, Capptions was ready for ISO 27001 certification. “The fact that it did not take a lot of time or require us to hire an external consultant is something I loved about Sprinto’s process,” remarks Ruben. Communicating with customers who demand proof of compliance has become easier, and Ruben also points to an improvement in org-wide transparency since integrating with Sprinto.

Capptions now finds itself more [operationally] prepared and working within a set of good practices. “From stopping at writing down stuff, today we have a reliable system that ensures things as basic as 2FA are enabled on every system. If there is a freelancer who operates our GitHub, Sprinto automatically alerts us to this new activity and prompts us to take measures to onboard this entity effectively. This keeps us process-oriented,” states Ruben.
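The two controls Ruben describes above, an always-on 2FA check and an alert when an unregistered account (such as a freelancer) appears in GitHub, are both instances of reconciling a live system against a register of known identities. The script below is an added illustration of that reconciliation logic and is not Sprinto's or Capptions' code. The account logins, the onboarding register and the previous snapshot are constructed sample data; in practice the member lists would come from the GitHub REST endpoint GET /orgs/{org}/members, once plain and once with the filter=2fa_disabled parameter, which requires an org-owner token.

```python
"""Entity-level drift check: reconcile a GitHub organisation's member list
against an onboarding register and a previous snapshot, and flag 2FA gaps.

Added example with constructed data; not Sprinto's or Capptions' code.
"""
from dataclasses import dataclass, field

# Constructed sample data (hypothetical accounts). In a real run these
# would be the logins returned by GET /orgs/{org}/members and by the same
# endpoint with ?filter=2fa_disabled.
ORG_MEMBERS = ["alice", "bob", "carol", "freelancer-dev"]
MEMBERS_2FA_DISABLED = ["carol", "freelancer-dev"]

# Constructed onboarding register: identities HR/IT has formally onboarded.
# "dave" has left GitHub but was never removed from the register.
ONBOARDING_REGISTER = {
    "alice": {"role": "engineer"},
    "bob": {"role": "engineer"},
    "carol": {"role": "qa"},
    "dave": {"role": "engineer"},
}

# Constructed member list from the previous check, used to spot new activity.
PREVIOUS_SNAPSHOT = ["alice", "bob", "carol", "dave"]


@dataclass
class Findings:
    no_2fa: list = field(default_factory=list)          # members with 2FA off
    unregistered: list = field(default_factory=list)    # in GitHub, not onboarded
    stale_register: list = field(default_factory=list)  # onboarded, not in GitHub
    newly_seen: list = field(default_factory=list)      # appeared since last run
    removed: list = field(default_factory=list)         # gone since last run

    def is_clean(self) -> bool:
        """True when no control is failing and nothing changed."""
        return not any(
            (self.no_2fa, self.unregistered, self.stale_register,
             self.newly_seen, self.removed)
        )


def reconcile(members, two_fa_disabled, register, previous) -> Findings:
    """Compare the live member list with the register and the last snapshot."""
    live = set(members)
    disabled = set(two_fa_disabled) & live   # ignore stray entries not in the org
    registered = set(register)
    prior = set(previous)
    return Findings(
        no_2fa=sorted(disabled),
        unregistered=sorted(live - registered),
        stale_register=sorted(registered - live),
        newly_seen=sorted(live - prior),
        removed=sorted(prior - live),
    )


def alerts(f: Findings) -> list:
    """Turn findings into the one-line prompts a reviewer would act on."""
    lines = []
    lines += [f"2FA disabled for {u}: enforce 2FA or remove access" for u in f.no_2fa]
    lines += [f"{u} is in GitHub but not onboarded: complete onboarding" for u in f.unregistered]
    lines += [f"{u} is registered but no longer in GitHub: close the record" for u in f.stale_register]
    lines += [f"new account seen since last check: {u}" for u in f.newly_seen]
    lines += [f"account removed since last check: {u}" for u in f.removed]
    return lines


if __name__ == "__main__":
    findings = reconcile(ORG_MEMBERS, MEMBERS_2FA_DISABLED,
                         ONBOARDING_REGISTER, PREVIOUS_SNAPSHOT)
    for line in alerts(findings):
        print(line)
```

Run against the constructed data, the check flags carol and freelancer-dev for missing 2FA, freelancer-dev as an unregistered account that appeared since the last run, and dave as a register entry with no matching GitHub account. The point is that the register is not the source of truth; the live system is, and the register is what gets corrected.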

Ruben also points to the fact that Sprinto has become Capptions’ security foundation, helping them ensure safe operations. “Once we got our ISO certification, we could feel the pressure drop on solving things. But with Sprinto the importance of remaining 100% compliant is there. Today, we spend no more than 30 minutes a week going through our security compliance posture and nudging people to do their part. And Sprinto automatically reacts to and then registers people’s actions. I like that Sprinto keeps going and does not stop.”

“For us, being compliant means that we are a company that has confidence in the things that it does. That we are, in fact, doing everything we can to do things right.”