How Recruit CRM embraced compliance automation for seamless, multi-framework security audits
Recruit CRM is a cloud-based Applicant Tracking System (ATS) and Customer Relationship Management (CRM) solution that streamlines and automates recruitment processes. The platform, with its strategic dashboard designed to help clients visualize the candidate hiring lifecycle and revenue opportunities, is loved by recruitment firms in 100+ countries.
Frameworks: ISO 27001, SOC 2
Location: USA
Time to achieve ISO 27001 and SOC 2 audit readiness: 2 months
Challenge
Recruit CRM captures and processes a variety of data about candidates and employers, much of it sensitive and personally identifiable information (PII). Given this, questions about the platform's security architecture and overarching security practices come up in most sales conversations.
While Recruit CRM operates security-first and is also GDPR compliant, it was important to prove good data security practices by way of audit reports and certifications.
In Recruit CRM's case, 6 out of 10 prospects go to the length of enquiring about ISO 27001 and SOC 2 compliance. "A lot of business, especially from large and enterprise companies, was being put on hold because we lacked certifications," remembers Tanuj Sharan, DevOps engineer at Recruit CRM.
Because their entire infrastructure is on AWS, Recruit CRM tried to capitalize on the platform's native credibility. They had often directed prospects towards AWS's own compliance reports, assuring them that the data sat on a safe platform, but this proved insufficient: a provider's report covers the provider's controls, not the customer's. To make things worse, there were long IT questionnaires seeking justification for the non-compliance.
After an annual security assessment exercise with a third-party vendor, the need to operationalize SOC 2 compliance emerged as mission-critical. "Our security assessment vendor could not help us get compliant, and that's when we started to look for an implementation partner," notes Tanuj. Championed by Shoanak (Sean) Mallapurkar, CEO at Recruit CRM, the company decided to place its trust in Sprinto.
Solution
Recruit CRM's ISO 27001 and SOC 2 compliance journey began by integrating their tech stack with Sprinto over a short sprint. "Within an hour of the first call, admin users were decided, alerts for potential spikes were set up and a Slack channel was created for communicating with the Sprinto team," remembers Tanuj.
Sprinto administers a control-based compliance program against any security standard. Because evidence collected for a single control can be mapped to every standard that requires that control, building a multi-standard audit evidence library becomes easy. "In our case, there was a 95% control overlap between the two so it made sense to tackle both SOC 2 and ISO 27001 together," remarks Tanuj.
Thereafter, to meet compliance requirements, Recruit CRM focused on implementing and strengthening the security controls recommended for SOC 2 and ISO 27001: two-factor authentication for access, antivirus installed on devices, security training, policy acknowledgments, and other risk management measures. Implementation documentation, supported by Sprinto's compliance workflow automation capabilities, allowed Recruit CRM's team to sail through the process, achieve compliance, and become audit-ready.
Tanuj remarks that enabling GuardDuty on AWS and monitoring it through Sprinto was a particularly significant win. "DoS attacks are difficult to check and manage manually. Tagged to Sprinto and supported by automated alerts, we optimized the process and helped set the tone for surveillance," he adds.
Results
Recruit CRM was SOC 2 Type 2 and ISO 27001 audit-ready in under 10 sessions.
They underwent a combined audit to receive their SOC 2 Type 2 audit report and ISO 27001 certification. Using the auditor dashboard on Sprinto (and supported by the audit evidence library), Recruit CRM breezed through both audits, without any back and forth.
With Recruit CRM’s newfound compliance confidence, they were able to unblock pending deals and land new opportunities. Tanuj proudly states, “Within 30-45 days of becoming compliant, we onboarded 2 enterprise clients!”
Beyond certification, Tanuj recognized a qualitative win for the company: increased security awareness and discipline among employees.
"They have understood that they cannot copy-paste their credentials anywhere and must proactively initiate actions on getting alerts," he says. Sharing an interesting example, Tanuj recounts how the alerts set up in Sprinto warned the team that the count of queues in Amazon Simple Queue Service (SQS) had crossed 200, and saved the organization almost 10 minutes of downtime by bringing the issue to their attention instantly.
Sprinto gives visibility and depth over security structure and compliance, and helps manage infrastructure, controls, people, and devices under one roof.