Solution

Uncover implemented Sprinto and got started with the ISO27001 program. Imre Gelens, CTO at Uncover, led the compliance exercise. “Everything was clear from the get-go,” he notes. “The initial meeting made clear the time requirements, what the process was going to be like, what we are doing, and the nature and number of meetings and topics we’ll go through in each. Most of these were on my plate,” he adds.

During the implementation, Imre worked with a Sprinto CSM to configure the platform to pull risks and control information directly from their systems. Because Uncover deploys a lot of infrastructure and actively does development, they configured Sprinto to function autonomously so as to avoid spending new effort incorporating an infrastructure into the security fabric. To do this, Imre only had to take the time to tag each entity in AWS for Sprinto to pull and process information smoothly without stopping. “I preferred a repeatable process that could keep pace with how we deploy infra,” Imre notes. “With Sprinto the process is now fully automated.”

Once set up, Uncover leveraged Sprinto’s integrated risk management suite to scope out security risks, assess business impact, and underscore risk mitigation controls. “This process happens fast because the platform equips you with standardized resources,” notes Imre. Through this process, Uncover could dynamically spot the gaps in their security practice and take steps to not only fill them but also continuously monitor them.

To implement ISO27001-aligned policies, Uncover leaned on Sprinto’s policy templates. “It’s a real time saver!” Imre says.

In just 4 sessions, Uncover was able to implement the ISO27001 program and move towards audit.

For GDPR, Uncover only had to do 6 additional checks over and above what was done for ISO27001. These included:

• Appointment of an EU rep. As both founders of Uncover have a legal background and are citizens of an EU member state, this was a short leap.
• A process for Data Subject Access Requests (DSAR) to address and manage data-related requests [deletion/modification] from website and app visitors/users from the EU and the UK.
• A Record of Processing Activities (RoPA) documenting how different departments within Uncover process the PII data of EU citizens.
• Management review of contractual obligations
• Privacy Policy review with a legal counsel.
• A GDPR-compliant cookie banner solution on their website.

“The additional effort was no more than 15%,” remembers Imre. “And because Sprinto has automated workflows and integrations with our infrastructure, all checks happen continuously and are automated,” he adds.

We did not have to spend time checking boxes, the platform checked the boxes for us. And this guarantees you will remain compliant even after the certification is done.

Results

Uncover completed its audit and received the ISO27001 certification in 14 days.

Over and above the certification, Uncover walked away with not just a stronger security posture but also a compliance posture. At an architectural level, Uncover had to modify very little of its infrastructure. Indeed, effort spent logging and tagging entities ensured a self-sustaining process for all deployment-related events, monitored and managed end-to-end over the Sprinto platform

“This mechanism makes sure all the infra is getting picked up by Sprinto whenever we deploy something,” remarks Imre. “Right up front, Sprinto asks you to classify whether something is a production or nonproductive event. By tagging your resources as you deploy them, you can easily automate necessary checks,” he adds.

In effect, Uncover has successfully built security and compliance into the development function. “Now when we deploy something new, we immediately get a notification asking if we have classified this piece of infrastructure. It’s easy to stay on top of things with minimum effort,” Imre remarks.

By virtue of operating continuously in the background, Sprinto lives to ensure Uncover is operating mindfully and in a compliant manner. “Things like database recovery plan, disaster recovery plan – these are things one has to anyway think about. It is important to build for it, train for it, and check every so often. Sprinto encourages this behavior, forcing us to be more specific,” Imre notes.

Since becoming compliant, Uncover confidently asserts its newfound status in sales conversations. “We make it a point to mention we are compliant,” notes Ingrid. “Being compliant is an important part of the way we operate. Continuous monitoring is a big part of why we like Sprinto – it makes sure we are and remain compliant.”