How Mesmerise used Sprinto to build a connected compliance program and save time on management

UK-based Mesmerise Group builds solutions that exist at the intersection of XR (Extended Reality) and AI (Artificial Intelligence). Leading Fortune Global 500 companies partner with Mesmerise to provide immersive brand experiences, training sessions, and digital events, with the aim of not only embracing but also staying at the forefront of advancements in spatial computing, AI, and sustainability.

ISO 27001

SOC2

SOC 2

HIPAA

GDPR

UK

8 weeks

Time to complete ISO27001, SOC2, GDPR, and HIPAA audit 

90%

Improvement in vendor management practice

Ready to get started?
Challenge

Since its launch in 2016, Mesmerise has been committed to helping companies create transformative experiences using frontier technologies like AI, AR, and VR. Amid rapid growth and diversification plans, Mesmerise has prioritized security and compliance. “Security is driven at the top. Our CEO insists on being the best of the breed, and that requires embedding security at the very foundation of everything we do,” says Adéle Tredoux, Head of GRC at Resonance Labs, a part of Mesmerise.

To roll out and track multiple security standards with greater efficiency, Mesmerise wanted to implement a new and flexible system that could quickly adapt as the organization changed and keep up with its growth trajectory. Relying on consultants and spreadsheets was no longer reliable or scalable. “We wanted to connect the dots of effort and impact better,” exclaims Adéle.

Chiefly, Mesmerise looked for a compliance management platform to ‘knock out all frameworks at once.’ Adéle recalls, “We were quite ambitious. We knew SOC 2 and ISO 27001 were fairly well-aligned and they required similar evidence. While preparing evidence for one, we decided it was sensible to do a bit more and tackle both simultaneously.” HIPAA and GDPR were added to the list shortly after, as a privacy baseline already existed and only a a little more effort was required to meet full compliance. “There was no point in splitting it out. We wanted to save time,” Adéle adds.

To drive efficiencies, automation was key. Adéle remarks, “We wanted to catalyze efforts with automation. We don’t have all the time in the world to review logs manually.”

After a rigorous evaluation of various solutions across a variety of criteria, Mesmerise settled on Sprinto as their choice of compliance management platform. “Choosing Sprinto for our security and certifications was a no-brainer,” says Adéle. “It can handle multiple standards at once and map requirements across the board on its own. The dashboard clearly showed what [control] checks are passing and what needs attention. It identifies issues and shows the impacted certificate(s). It’s also user-friendly and easy to understand, even for non-technical team members.”

Sprinto is a cost-effective auditing solution. The benefits of its dashboard, which identifies issues for timely fixes, far outweigh its annual cost. Compared to the tedious method of manually reviewing logs, the dashboard saves significant time, energy, and money.

Solution

Once the instance was set up and integrated with cloud applications, Mesmerise began by activating SOC 2, ISO 27001, HIPAA, and GDPR standards inside Sprinto. “We were immediately flooded with alerts. Sprinto was quick to identify configuration gaps in our code repos and infra setup, and our infra team immediately started resolving these,” notes Adéle.

Sprinto’s common control mapping played a crucial role in unifying all standards for efficient tracking and evidence collection. This harmonization of controls across standards, coupled with automated control testing, eliminated the need for manual tracking of systems and logs. “Sprinto provides a clear overview of how everything connects, and then it monitors everything for us. If I had to do this manually, I would need to refer to my control map spreadsheet to identify which controls are common or unique to a framework. Sprinto provided this mapping right out of the box. Besides saving time, this has led to a better understanding of control overall,” Adéle says.

On the non-technical side, Adéle uploaded their policy and procedure documents to Sprinto. This was followed by security training. “The training with Sprinto was excellent. It was user-friendly, avoided technical jargon, and included practical examples and tests. It was a significant improvement over the overly complex training in my previous role and saved me from creating training from scratch.”

Sprinto’s vendor management module enabled Adéle to consolidate vendors and build a single, reliable inventory. “Sprinto selected vendors from our workspace provider, eliminating the need for manual additions. We also included our non-SaaS suppliers to Sprinto to build a one-stop vendor inventory,” she says.

Managing vendors has become much easier with Sprinto. No one enjoys supplier management as it’s often one of the most tedious tasks in any company. Now, it only takes half an hour a month to go through it all. It’s something I can do on the go because it’s no longer overwhelming.

The effort required to accommodate both HIPAA and GDPR requirements was minimal. “As a data protection officer, I incorporated privacy essentials into our practice before we even began. We only had to update our privacy policy, and the control information from Sprinto was helpful,” Adéle notes.

It took Mesmerise 4 weeks to get fully set up. During this process, the group decided to split into three entities. Each entity pursued certification in all four frameworks. And each of the three entities collectively secured 12 certificates in another 4 weeks!

Results

Mesmerise achieved compliance with all 4 frameworks, completed audits, and received their audit report and certifications in approximately 60 days. “Sprinto put us in touch with a US-based auditor would could audit us for all frameworks at once. And we used Sprinto to show evidence against all four.”

Our infrastructure specialist and I trust the data accuracy of Sprinto — it gives no false positives or negatives. We verified the data from Sprinto and confirmed that the issues it reports are real and demand our attention. Essentially, Sprinto encourages further investigation, which is useful. We’ve adjusted the alert threshold on the platform to make sure we are focusing on the right issues at any given point.

Adéle recalls having no more than two email interactions with their auditor. “Sprinto had us covered. We only needed to connect with our auditors for a few additional pieces of evidence. If I were doing this the traditional way, I’d have to meet with my auditor in person and review each piece of evidence over several days.”

Since receiving certifications, Mesmerize Group has unlocked large deals in the North American market. With Sprinto running in the background, there is increased assurance of security best practices across Mesmerise. “Sometimes, clients need detailed information about our controls, but their terminology often differs from ours. We lean on Sprinto to identify the correct controls, show how it’s mapped, and how it is monitored. Having such visibility provides a lot of assurance.”

Sprinto’s intuitive mapping of controls across frameworks provides Mesmerise Group with insights into its readiness for other standards. Adéle notes, “It gives me easy access to relevant information, helping me make a case for a certain framework. Essentially, Sprinto helps us strategize and present the right information to the board about our control status and readiness. This supports market readiness evaluations.”

In effect, Sprinto has now eliminated more than 90% of compliance efforts. “Weirdly, I have so little to do,” exclaims Adéle. “Without Sprinto, most of my time would be spent mapping and coordinating evidence. Now I have more time to operate strategically, participate in events, and keep up with the threat landscape.”