Client Requirement

SimInsights sought to increase its reputation, dependability, and competitive edge by adhering to the most appropriate information security frameworks. This was to guarantee their clients that their business follows strict information security and privacy compliance. Further, this would enable them to establish trust in their capacity to safeguard the sensitive data they collect, store, and process and adhere to industry best practices, which ultimately would foster their business growth.

CertPro & Compliance

SimInsights approached CertPro, which is a leading compliance consulting and auditing company, to help them implement the requirements of data security, privacy, and regulatory compliance from scratch.

During the introductory meeting, the expert consultants at CertPro understood that SimInsights is a cloud-based SaaS software and services company that gathers, processes, stores, and transfers data both inside and outside of the United States. Therefore, consultants at CertPro identified the significance of SimInsights being compliant with SOC 2, ISO 27001, GDPR, and HIPAA.

CertPro discussed the benefits of integrating the four frameworks collectively as an integrated management system with SimInsights’ top management. The top management of SimInsights decided to move forward based on the advice provided.

Why SOC 2, ISO 27001, GDPR, and HIPAA?

SOC 2 (System and Organization Control 2): SimInsights, as an organization, handles sensitive information about their clients and often enters commercial partnerships with universities and hospitals. CertPro suggested that SimInsights prove to its clients that it has established the necessary controls and security measures to secure their information by going through a SOC 2 audit. Therefore, we focused on advising and auditing three key principles for SimInsights’ SOC 2 compliance: system and data security, availability, and confidentiality. SimInsights’ top management requested only the SOC 2 Type I audit and attestation based on their requirements and timeline.

ISO 27001:2013: As an ISO certification is globally recognized, CertPro recommended to SimInsights that obtaining this certification would help them be more credible and have a competitive advantage while expanding their market globally. ISO 27001 certification will help SimInsights demonstrate its commitment to implementing a robust infosec posture for managing and protecting information assets. This helps establish trust with customers and provides assurance that their data is handled securely. 

GDPR (General Data Protection Regulation): Achieving GDPR compliance is mandatory and crucial to operating within the European Union (EU) and maintaining strong data protection practices. As SimInsights deals with personal data (PII—Personal Identifiable Information) through its software and services, CertPro proposed that compliance with GDPR ensures that the company secures the privacy rights of individuals and follows strict guidelines for collecting, processing, storing, and disposing of personal data.

HIPAA (Health Insurance Portability and Accountability Act): As SimInsights also provides services to the healthcare industry and handles healthcare-related data (Protected Health Information, or PHI), CertPro implied that HIPAA compliance becomes essential for SimInsights. Being compliant with HIPAA ensures that SimInsights adheres to stringent security measures and safeguards for handling sensitive healthcare data.

Implementation

CertPro consultants created a plan to help SimInsights implement four compliance frameworks. This would help SimInsights meet customer expectations, reach a broader market, enhance data privacy, and reduce risks related to data security and regulatory compliance. CertPro used a 9-step method to combine SOC 2, ISO 27001, GDPR, and HIPAA compliances into a single management system for SimInsights.

CertPro’s expert consultants conducted a thorough analysis of SimInsights’ business processes, identifying and optimizing the scope for the four compliance frameworks. The consultants at CertPro carried out a thorough gap analysis to find areas of non-compliance, and then remediation and documentation were done to close the identified gaps. 

CertPro consultants, working with SimInsights’ selected Chief Information Security Officer (CISO), created the System Description document for the SOC 2 report. They also developed the required policies, procedures, records, and registers for the ISO 27001, GDPR, and HIPAA frameworks.

SimInsights’ CISO implemented all the recommendations provided by CertPro consultants to ensure there were no non-conformities in the documentation and information security practices suggested by CertPro. To ensure that SimInsights personnel understand compliance requirements and their obligations to maintain compliance with SOC 2, ISO 27001, GDPR, and HIPAA, the CertPro team offered standard training and addressed queries from department heads as well as all employees of SimInsights. 

After organizing the necessary documents and evidence for compliance, CertPro’s team then guided SimInsights’ department heads in conducting internal audits for ISO 27001, GDPR, and HIPAA. These audits, overseen by the CISO, assessed control effectiveness. CertPro also assisted in arranging management review sessions, paving the way for an external audit and certification.  SimInsights received assistance from the consultants at CertPro during a pre-audit evaluation to make sure it was prepared for external audits for the three compliance frameworks. 

CertPro and SimInsights’ CISO worked together to document and collect evidence for the three Trust Service Criteria (TSC) principles required for the SOC 2 Type I audit. The SOC 2 Type I audit report was compiled with information about the SimInsights management assertion, which talks about SimInsights’ commitment to SOC 2 compliance. Followed by the system description, which details the technical controls established and practiced by SimInsights. Finally, SimInsights established the mapping of technical controls, aligning them with the TSC principles.

SimInsights was able to successfully complete the external audit and certification process for ISO 27001:2013 and the independent assessment for GDPR and HIPAA by CertPro’s principal auditor. CertPro’s in-house CPA, licensed by the American Institute of Certified Public Accountants (AICPA), assessed and officially verified SimInsights’ SOC 2 Type I report.

So, the CertPro team completed the entire project of implementing, auditing, and assessing the integrated management system (IMS) in just 90 days, causing minimal disruption to SimInsights’ daily operations.

Benefits gained by the client:

Improved Data Protection: SimInsights now uses a robust data protection mechanism. By adhering to these standards, the business can be sure that it has put strong controls and procedures in place to protect sensitive data, reducing the chance of data breaches and unauthorized access.

Trust and Reputation: SimInsights has improved its reputation as a dependable and secure service provider by following industry best practices and fulfilling customer expectations. CertPro’s implementation demonstrates SimInsights’ commitment to data security and privacy, instilling customers with confidence in the business’s ability to safeguard their sensitive data.

Competitive Advantage: SimInsights has an advantage over competitors in the market thanks to compliance with these strict standards and laws. SimInsights is more likely to win over prospective customers than rivals who might not have attained the same degree of compliance. The distinction provided by the certifications highlights SimInsights’ dedication to upholding strict security and privacy requirements.

Legal Compliance: SimInsights now meets legal and regulatory requirements, such as GDPR and HIPAA. Compliance with these regulations ensures that SimInsights operates within the boundaries of applicable laws and reduces the risk of legal and financial consequences. This not only protects the company but also reassures clients that their data is handled in accordance with relevant regulations.

In summary, SimInsights benefited from CertPro’s successful implementation, audit, and assessment of SOC 2, ISO 27001, GDPR, and HIPAA compliance. This resulted in enhanced data safety, trust, reputation, a competitive advantage, and compliance with legal and regulatory standards.