Result

With its ISO/IEC 42001 certification, Kugler says prospects and customers can be confident that Cresta is doing everything they can to protect and manage their sensitive data responsibly.

“The most important benefit to us is the customer assurance,” Kugler says. “Customers can stop relying on us telling them everything is fine.

The certification provides independent, third-party assurance that somebody has looked at us and validated that Cresta is developing AI in a responsible way. That is really important.”

Cresta is also using its certification to provide important differentiation in the crowded marketplace of companies claiming to offer AI expertise.

“We’ve doubled down on third-party assurance because we can confidently tell customers they can trust us, and this is why,” Kugler says.

For other companies considering ISO/IEC 42001 certification, Kugler recommends adding a 42001 audit to a strong security foundation based on other standards and certifications such as SOC 2 or ISO/IEC 27001 – Information security management systems.

“Security is not just a sales driver, but the right thing for your customers,” Kugler says. “If you have a secure foundation, then it’s really about all documenting what you do and doing what you say.”

Result

Obtaining a clean audit opinion in the SOC 1 report has helped improve Vector’s position in the marketplace. Vector had two clients that were requesting the firm demonstrate SOC 1 compliance, and Sensiba was able to deliver a report that met those client needs. Working with Sensiba, Vector was also able to complete the audit well ahead of client deadlines. “Clients are looking at this,” says Dayback. “SOC compliance helps legitimize our business offering and lets everyone know we’re a real player in this space, and we take what we do seriously.”

Examining its controls and documentation to prepare for the audit also enhanced Vector’s understanding of its key risks, as well as the steps it has taken to mitigate those exposures. “The process was relatively easy and we’re continuing to see benefits because we established a clear framework from the beginning,” says Dayback.

Dayback recommends that firms approaching a SOC 1 audit invest time to examine the risks first, and then prioritize the controls addressing those risks. “Focus your efforts on the controls that make the most impact. I’ve done other SOC audits, and some vendors made it overly complicated by focusing on all the controls at one time. Start with the critical risks, put the controls around them, and work with your internal teams to ensure the controls align with how they do their job internally.”

Result

Achieving ISO 27001 recertification provides important validation of Lucidworks’ information security controls and processes.

“We have customers in the engineering and manufacturing sector, the financial space, and outside the United States,” Heizman says. “They expect to see compliance with a variety of quality management and security frameworks, but ISO 27001 is especially important.”

The Drata platform enabled Lucidworks to streamline other security-related audits, such as SOC 2 Type II (also conducted by Sensiba). Lucidworks was able to leverage SOC 2 evidence to provide a headstart on its ISO 27001 recertification audit.

“Doing the ISO audit gave us a strong starting point from which we could branch out,” Heizman says. “And now we’re seeing concerns about privacy and AI, and other components that are available within ISO.”

Heizman recommends companies exploring the ISO 27001 audit process look for audit firms that can provide a collaborative relationship. While the auditors have to maintain their independence and won’t provide prescriptive advice, they can help clients understand the process and discuss accepted practices in general terms.

“I’d say to anyone that even if you feel you’re not ready, it’s never too early to engage someone,” she says. “The only way you can get a true feeling where you stand is talking with your auditors and figuring out if you need to shore up processes or controls.”

Result

Despite losing time with their prior manual approach and audit firm, using Drata, EPK and Sensiba were able to complete the SOC 2 Type II audit ahead of the customer’s deadline and provide objective confirmation that the company’s security processes and controls are effective.

The successful SOC 2 audit project has provided EPK with several benefits, including the elimination of security-related discussions during contract renewal with its customers and greater confidence in explaining its security and privacy policies to prospective customers.

Perhaps more importantly, Wiese says the audit process caused a cultural shift within EPK’s teams that placed security at the forefront of the company’s internal discussions.

“It has really focused the company to ask security questions first,” Wiese says. “When we started the process, there was some trepidation that focusing on security might make us less agile. That hasn’t happened, and now we’re talking about security in everything we do. Everyone’s bought into the value of compliance, and I’m very happy about that.” In addition to the SOC 2 Type II, EPK also obtained a SOC 3 report to share with its sales and marketing teams.

Asked what advice he would share with other companies approaching a SOC 2 audit, Wiese says it’s important to evaluate SOC readiness tools before starting the process.

“I’d say don’t do this without a dedicated tool,’” he says. “Yes, you can do an audit without a readiness platform, but it’s extremely difficult to track continuous compliance manually. Spreadsheets are great for certain things, but not for compliance monitoring because you don’t want to update a spreadsheet every day with the status of all your infrastructure. You can just automate that.”

As part of that process, he also suggests making sure the audit firm you choose is familiar with your readiness platform.

“That will set you up for success,” Wiese says. “Don’t try to nickel-and-dime the tool and professionals that will help make sure you’re compliant.”

Result

The SOC 2 Type II audit represented a relatively straightforward process for Beneration, Winigrad says, in part because Vanta automated so much of the required data collection and analysis.

“Vanta helped us collect and organize everything in an orderly fashion, and Sensiba was there to help with any questions that came up,” Winigrad says.

Any time we had a question, someone from Sensiba walked us through it so we could figure out our situation and what we needed to do. Sensiba explained everything well and provided clarity throughout the process. We weren’t interacting with an email address.”

The successful SOC 2 Type II audit report provides Beneration with independent, objective confirmation that its security processes and controls are effective and performing as designed.

In addition, the audit report helps the company compete in the marketplace and pursue larger opportunities. With larger organizations expecting potential vendors to have a SOC 2 Type II audit report, completing the process places Beneration on the same footing as its competitors.

As another benefit, the preparation work that fueled its first audit has positioned Beneration effectively for its ongoing security audits.

“With our connections and integrations set up in Vanta, the work we’ve done will give us capacity to make improvements in future years,” Winigrad says. “Our next audits will be more focused, which will help us improve our security processes.”

Result

Clario has a successful SOC 2 Type 2 Audit Report, which provides objective confirmation that the company’s security processes and controls are effective.

Equally important, the company has sustainable processes and an enhanced ability to reassure customers about protecting their data — as well their customers’ data. The company is better able to conduct ongoing risk assessments, and to adjust its policies and procedures quickly as conditions change.

“We have a meaningful compliance regime and security controls, and we know we can speak confidently about those to clients,” Reiland says. “Being able to provide that level of comfort goes a long way. We also have external validation that our controls are appropriate and performing as designed. There’s an additional comfort that was worth the effort of obtaining the audit.”

Looking back, Reiland says the process was smooth and he wishes Clario had undergone the SOC 2 audit sooner. He also says it’s important to be selective when evaluating tools and partners to help.

“The readiness platform is important, but companies should also be choosy as they interview auditors,” he says. “There’s value in those direct human interactions. It’s not necessarily just about cost. Taking the time to find the right fit is important.”