How Mesmerise used Sprinto to build a connected compliance program and save time on management
UK-based Mesmerise Group builds solutions that exist at the intersection of XR (Extended Reality) and AI (Artificial Intelligence). Leading Fortune Global 500 companies partner with Mesmerise to provide immersive brand experiences, training sessions, and digital events, with the aim of not only embracing but also staying at the forefront of advancements in spatial computing, AI, and sustainability.

- Frameworks: ISO 27001, SOC 2, HIPAA, GDPR
- Location: UK
- 8 weeks: time to complete the ISO 27001, SOC 2, GDPR, and HIPAA audits
- 90%: improvement in vendor management practice
Challenge
Since its launch in 2016, Mesmerise has been committed to helping companies create transformative experiences using frontier technologies like AI, AR, and VR. Amid rapid growth and diversification plans, Mesmerise has prioritized security and compliance. “Security is driven at the top. Our CEO insists on being the best of the breed, and that requires embedding security at the very foundation of everything we do,” says Adèle Tredoux, Head of GRC at Resonance Labs, a part of Mesmerise.
To roll out and track multiple security standards with greater efficiency, Mesmerise wanted to implement a new and flexible system that could quickly adapt as the organization changed and keep up with its growth trajectory. Relying on consultants and spreadsheets was no longer reliable or scalable. “We wanted to connect the dots of effort and impact better,” exclaims Adèle.
Chiefly, Mesmerise looked for a compliance management platform to “knock out all frameworks at once.” Adèle recalls, “We were quite ambitious. We knew SOC 2 and ISO 27001 were fairly well-aligned and they required similar evidence. While preparing evidence for one, we decided it was sensible to do a bit more and tackle both simultaneously.” HIPAA and GDPR were added to the list shortly after, as a privacy baseline already existed and only a little more effort was required to meet full compliance. “There was no point in splitting it out. We wanted to save time,” Adèle adds.
To drive efficiencies, automation was key. Adèle remarks, “We wanted to catalyze efforts with automation. We don’t have all the time in the world to review logs manually.”
After a rigorous evaluation of various solutions across a variety of criteria, Mesmerise settled on Sprinto as its compliance management platform. “Choosing Sprinto for our security and certifications was a no-brainer,” says Adèle. “It can handle multiple standards at once and map requirements across the board on its own. The dashboard clearly showed what [control] checks are passing and what needs attention. It identifies issues and shows the impacted certificate(s). It’s also user-friendly and easy to understand, even for non-technical team members.”
Sprinto is a cost-effective auditing solution. The benefits of its dashboard, which identifies issues for timely fixes, far outweigh its annual cost. Compared to the tedious method of manually reviewing logs, the dashboard saves significant time, energy, and money.
Solution
Once the instance was set up and integrated with cloud applications, Mesmerise began by activating the SOC 2, ISO 27001, HIPAA, and GDPR standards inside Sprinto. “We were immediately flooded with alerts. Sprinto was quick to identify configuration gaps in our code repos and infra setup, and our infra team immediately started resolving these,” notes Adèle.
Sprinto’s common control mapping played a crucial role in unifying all standards for efficient tracking and evidence collection. This harmonization of controls across standards, coupled with automated control testing, eliminated the need for manual tracking of systems and logs. “Sprinto provides a clear overview of how everything connects, and then it monitors everything for us. If I had to do this manually, I would need to refer to my control map spreadsheet to identify which controls are common or unique to a framework. Sprinto provided this mapping right out of the box. Besides saving time, this has led to a better understanding of control overall,” Adèle says.
On the non-technical side, Adèle uploaded their policy and procedure documents to Sprinto. This was followed by security training. “The training with Sprinto was excellent. It was user-friendly, avoided technical jargon, and included practical examples and tests. It was a significant improvement over the overly complex training in my previous role and saved me from creating training from scratch.”
Sprinto’s vendor management module enabled Adèle to consolidate vendors and build a single, reliable inventory. “Sprinto selected vendors from our workspace provider, eliminating the need for manual additions. We also added our non-SaaS suppliers to Sprinto to build a one-stop vendor inventory,” she says.
Managing vendors has become much easier with Sprinto. No one enjoys supplier management as it’s often one of the most tedious tasks in any company. Now, it only takes half an hour a month to go through it all. It’s something I can do on the go because it’s no longer overwhelming.
The effort required to accommodate both HIPAA and GDPR requirements was minimal. “As a data protection officer, I incorporated privacy essentials into our practice before we even began. We only had to update our privacy policy, and the control information from Sprinto was helpful,” Adèle notes.
It took Mesmerise 4 weeks to get fully set up. During this process, the group decided to split into three entities, each of which pursued certification in all four frameworks. The three entities collectively secured 12 certificates in another 4 weeks.
Results
Mesmerise achieved compliance with all 4 frameworks, completed audits, and received their audit reports and certifications in approximately 60 days. “Sprinto put us in touch with a US-based auditor who could audit us for all frameworks at once. And we used Sprinto to show evidence against all four.”
Our infrastructure specialist and I trust the data accuracy of Sprinto: it gives no false positives or negatives. We verified the data from Sprinto and confirmed that the issues it reports are real and demand our attention. Essentially, Sprinto encourages further investigation, which is useful. We’ve adjusted the alert threshold on the platform to make sure we are focusing on the right issues at any given point.
Adèle recalls having no more than two email interactions with their auditor. “Sprinto had us covered. We only needed to connect with our auditors for a few additional pieces of evidence. If I were doing this the traditional way, I’d have to meet with my auditor in person and review each piece of evidence over several days.”
Since receiving certifications, Mesmerise Group has unlocked large deals in the North American market. With Sprinto running in the background, there is increased assurance of security best practices across Mesmerise. “Sometimes, clients need detailed information about our controls, but their terminology often differs from ours. We lean on Sprinto to identify the correct controls, show how it’s mapped, and how it is monitored. Having such visibility provides a lot of assurance.”
Sprinto’s intuitive mapping of controls across frameworks provides Mesmerise Group with insights into its readiness for other standards. Adèle notes, “It gives me easy access to relevant information, helping me make a case for a certain framework. Essentially, Sprinto helps us strategize and present the right information to the board about our control status and readiness. This supports market readiness evaluations.”
In effect, Sprinto has now eliminated more than 90% of compliance efforts. “Weirdly, I have so little to do,” exclaims Adèle. “Without Sprinto, most of my time would be spent mapping and coordinating evidence. Now I have more time to operate strategically, participate in events, and keep up with the threat landscape.”

