How WebEngage improved cloud security and built a proactive compliance posture with Sprinto

WebEngage is a customer data platform and marketing automation suite that simplifies and improves user engagement and retention for consumer tech enterprises and SMBs. The platform helps brands drive revenue through personalized engagement campaigns across 10 communication channels. WebEngage also helps design intuitive user lifecycle journeys to convert existing users through data-backed omnichannel engagement campaigns and offers in-depth product and marketing analytics to track growth metrics and campaign performance.

Key requirement

A compliance solution that identifies and reports security gaps in cloud infrastructure, streamlines infosec housekeeping with robust control monitoring, and fulfills certification requirements using built-in tools and templates.

Centralized, scalable compliance management with continuous, automated monitoring driven by strong cloud-native integrations, supported by real-time notifications for security gaps and compliance drift, and extensive documentation templates.

ISO 27001

ISO 27701

SOC 2

HIPAA

India

6 months

Time to ISO 27001 & ISO 27701 certifications

6 years

Duration without any major CyberSec incident

4 frameworks

monitored continuously on Sprinto

The Challenge – Switching from manual to automated compliance management

For Sanjay Mishra, Head of DevOps, and the members of the security team at WebEngage, the journey to compliance began in 2020 when they onboarded PricewaterhouseCoopers International Limited (PwC) and BSI as their compliance consultant and audit partner, respectively.

Having completed their ISO 27001 certification in April 2021, the WebEngage team followed up with a gap analysis to determine readiness for ISO 27701. However, the time- and resource-intensive nature of this exercise, along with difficulties in retrofitting PwC’s pre-set processes into their own context, revealed several shortcomings in continuing with a consultant-based approach to compliance.

“Agility is important to us. Organizations like PwC typically have a prescribed set of processes, and it was taking too long to fit these processes into what we already have in place at WebEngage. Also, since we were pursuing ISO 27701, which is quite process-centric requiring continuous technical monitoring, we were looking to offload a lot of the work to a platform or a tool via integrations.” 

Additionally, the team found the documentation process for ISO 27001 tedious. For ISO 27701, Sanjay and the team were determined to offload a lot of the documentation and infosec housekeeping to a tool with built-in capabilities.  

Having tried out 2-3 compliance platforms, Sanjay landed on Sprinto for a number of factors, including:

  1. Scalable, automated compliance: Sprinto clarified the process and provided guidance on how to effectively organize and operationalize compliance to strengthen WebEngage’s cloud posture, while optimizing the automated approach for maximum efficiency.
  2. A straightforward process: Sprinto’s team clearly set expectations as to what the platform could and couldn’t do, empowering WebEngage to evaluate the platform against their specific needs transparently. 
  3. Responsive integrations: Sprinto’s extensive native integrations could centralize and monitor WebEngage’s entire cloud infrastructure with speed and precision, effortlessly tracking controls without the need for manual effort.

With Sprinto, the commitment was very straightforward. It was clear to us what we’d be able to do and what we’d need to change at our end to achieve compliance. Sprinto’s team also helped us understand our current posture and what processes we’d need to achieve the standards as well as we wanted. This went a long way in cementing Sprinto as our first choice.

The Solution – Integrations-rich and automation-enabled compliance monitoring 


WebEngage decided to use Sprinto to achieve ISO 27701 certification first. Based on the results, they planned to pursue more frameworks (such as HIPAA and SOC 2), and even move ISO 27001 compliance management to Sprinto. 

To start off, Sanjay and the WebEngage team leveraged Sprinto’s pre-built policy templates to add documentation for ISO 27701. Existing ISO 27001 policies were also uploaded to the platform and mapped to built-in ISO controls. After this, the security team ran a policy acknowledgment campaign on Sprinto.

“Earlier, we had to get someone from HR to follow up and track policy acknowledgments. On Sprinto, you can tell how many employees have completed pending tasks and nudge them directly. The platform also sends the infosec team reminders for when to start new training and policy campaigns.”

Next, the WebEngage team used Sprinto’s in-built risk register to align risk practices with ISO 27001 standards. They mapped risks to relevant controls using both their existing controls library and Sprinto’s pre-built controls framework for ISO 27701. 

Having mapped to built-in tests that validate controls, WebEngage successfully automated management of 30 controls, while retaining semi-manual workflows for ~15 controls related to administrative and physical safeguards. 

“Most of the controls we used for ISO 27001 and 27701 overlapped with Sprinto’s, making it easier for us to make the switch to platform-led management. Earlier, we had to manage compliances in three different places, but it’s all consolidated within Sprinto.” 

Among the key processes that ISO 27701 requires to be streamlined and secured, in addition to overall risk management, are access and change management. For access management, Sprinto integrated with Google Workspace and GitLab to enforce role-based access to code repositories and support a zero-trust model. Roles added to Workspace were automatically synced with Sprinto, triggering controls whenever access to critical systems like GitLab deviated from the assigned role. 

Sprinto’s integrations with WebEngage’s incident and vulnerability management tools enabled the team to record, update, and manage incident status right on Sprinto, creating a clear audit trail of incidents. 

Change management was also streamlined on Sprinto, with Jira integration. This allowed Sanjay and the team to capture tickets and resolution statuses on the platform, unifying several aspects of compliance in one place. 

Throughout the process, Sprinto’s support team guided WebEngage in mapping controls to assets and processes according to key compliance requirements, ensuring automated validation while workflows ensured compliance.

As a result of compliance automation and expert guidance, WebEngage was ISO 27701-ready in just 6 months.

Sprinto was crucial in helping us identify gaps in our cloud setup and processes, which we were able to fill quickly with their guidance. The platform monitors our infra continuously and tells us what controls we need to check and fix. This has helped save a lot of time and effort for the security team.


The Results – Proactive posture and confidence in security 


Sprinto’s impact on compliance at WebEngage was felt at several levels. 

The primary impact was on WebEngage’s cybersecurity posture, which the team could make more proactive with Sprinto’s help. The platform keeps the team and stakeholders from management on top of compliance and notifies them of failing controls, incidents, and more in real time. This was instrumental in making compliance efforts visible and putting out fires at the first sign of smoke. As a result, WebEngage hasn’t experienced any significant CyberSec incident in the last 6 years.

Additionally, Sprinto’s responsive integrations with the cloud systems that make up WebEngage’s operating environment helped intelligently identify and close control gaps. Coupled with automated nudges for at-risk controls, this helped WebEngage realize major savings in time and resources spent on managing compliance.

“Today, if someone tells me to add a new framework, I know exactly what we’ll need to do and how long it will take. Earlier, these were things we had to figure out on our own, but Sprinto has made this so much easier.” 

So far, WebEngage has operationalized ISO 27001, ISO 27701, HIPAA, and SOC 2 on Sprinto, and is confidently taking on client questions about security posture while maintaining security at the highest standards.

We’re quite confident about our cloud security and compliance posture today, and this confidence translates to bigger clients and deals. Having multiple certifications under your belt helps push conversations forward, especially with MNCs and enterprise clients, and Sprinto has played a huge role in helping us achieve this confidence.