CoEnterprise achieves multiframework compliance in less than a year, acquires new customers, and saves 75% of time on security questionnaires


CHALLENGE
A small team needed support to meet customers’ compliance requirements
In addition to overseeing technology architecture, deal modeling, and cybersecurity, Ryan Hyllestad, CoEnterprise’s Director of Information Technology, also supports the sales team by responding to about 100 security questionnaires per year.
While working on these questionnaires, Ryan noticed the industry changing: Prospects were increasingly requiring SOC 2 and ISO 27001.
According to Ryan, “it was a showstopper for business deals. Compliance became absolutely mandatory in my eyes.”
Ryan knew he and his small team couldn’t do it alone. He evaluated multiple compliance vendors, looking for a partner that could serve as an extension of his team. He needed a one-stop shop that could help him handle everything from preparation to audit, all in-house. And most importantly, he needed a partner that could handle multiple frameworks simultaneously. “I wanted a tool that would make my life easier. When I was reviewing other platforms and systems, Thoropass was the obvious choice,” said Hyllestad.
“Having direct communication with the auditors really helped drive efficiency. Instead of a lot of back and forth, nearly all of our communication was within the platform.”
Ryan Hyllestad, Director of Information Technology, CoEnterprise
SOLUTION
Leveraging an 80% framework requirement overlap from SOC 2 to ISO leads to efficient certification processes
Thoropass’ all-in-one solution was a major selling point for Ryan. Not only was the Thoropass platform intuitive, but it came with a team of compliance experts to guide him through the complex processes of both SOC 2 and ISO 27001.
While collecting evidence for both frameworks, Ryan’s Thoropass Customer Success Manager helped him break down complex requirements into more simplified terms. And unlike other solutions that outsource audits, Thoropass provided direct support and access to their auditors.
“If you have the SOC 2 and ISO certifications, you just upload them and off you go. You don’t need to answer anything else. I would estimate 75% of my time is saved.”
Ryan Hyllestad, CoEnterprise
Some of the most valuable features for Ryan were Thoropass’ integrations with key systems such as the Atlassian suite, Microsoft 365, and AWS, which automate evidence collection. Another favorite was Thoropass’ document library, which holds customizable policy templates.
“The auto imports for the relevant policies made life a breeze.”
Ryan also valued the automated health checks of his code repository and network technology monitoring.
“It scrapes our network seamlessly and notifies me when it detects a new tool being used within the company. It’s scary accurate,” said Hyllestad.
With the efficiencies found in both the platform automations and hands-on support, Ryan was able to complete both SOC 2 and ISO 27001 in a total of 11 months. He started the ISO 27001 process during the SOC 2 observation period and found that 80% of the ISO requirements were already met under SOC 2, leading to a completed ISO audit in under a month.
Ryan beat his end-of-year deadline for both frameworks, handling 95% of the compliance work single-handedly.
Reflecting on this, Ryan shared, “it just wouldn’t have been possible without Thoropass.”
RESULTS
New customers, improved employee training, and a 75% time savings in due diligence
For CoEnterprise, SOC 2 and ISO 27001 certification enabled new customer acquisition, retention, and marketing opportunities. Internally, employees benefited from regular security training, and Ryan now has better visibility into critical systems.
Having the certifications also eases the due diligence burden. Many customers send lengthy security questionnaires once or twice a year, which Ryan handles personally.
LOOKING AHEAD
Ongoing compliance and expansion to HIPAA and GDPR
CoEnterprise is committed to working with Thoropass for their upcoming compliance needs and plans to maintain their SOC 2 and ISO 27001 certifications. HIPAA and GDPR are next on the roadmap, and Ryan plans to explore more of Thoropass’ features, such as its due diligence questionnaires.
Ryan’s advice to other companies: Choose your compliance vendor carefully.
“Go with a company like Thoropass that has multiple frameworks and additional feature sets that are really nice to have and build in systems of efficiency. And somebody that has an external auditor that they partner with, so it’s not just punted to your lap to handle and figure out.”
Product: ISO 27001, SOC 2
Industry: IT Services
Company size: 100
Location: New York