Customer Story

Customer: iPayroll

Sector: IT, Payroll processing

Background

Established in 2001 with offices across New Zealand and Australia, the iPayroll Group (iPayroll Limited / CloudPayroll Pty Ltd, “the Group”) is a pioneering cloud-based payroll solution. Helping thousands of businesses run their payroll services securely and efficiently, the Group is a business of significant scale, having recently (September 2021) achieved the milestone of $35 Billion total payrolls processed. Operating a business of this size, with the important function of supporting payroll services, carries significant compliance and security obligations. While always operating to the highest security standards, the Group has a culture of constant innovation and development to ensure their security and compliance processes remain at best practice.

The recent mandate from the Australian Tax Office (ATO) provided the Group with an opportunity to enhance their security processes by achieving ISO/IEC 27001:2013 certification.

The Challenge

The initial motivation for undertaking ISO 27001 certification was a requirement from the ATO for all businesses that manage a minimum of 10,000 Tax File Numbers (TFN) to have internationally recognised certification of their security processes. The Group easily met this threshold, and certification was a business-critical project that needed to be completed.

While the Group has always had excellent security practices, they were in danger of being in breach of the legislation if they did not get certification. The Group also recognised that achieving ISO 27001 on their own would be a challenge, so they initially approached another service provider to help them on their certification journey. Unfortunately, this company did not provide a very robust process, which led to an overcomplicated management system.

As a result, the Group ended up with lots of documents but did not sufficiently understand how they related to the business, and realised they did not have enough resources to implement an ISMS.

We did not understand the key things that we needed to do in order to create the correct structure.

GLENDA MACBAIN, CORPORATE SERVICES MANAGER, IPAYROLL

The Solution

The answer turned out to be finding the right people to partner with! Enter Axenic and things just clicked for the team. The Group had completed a lot of work they thought they needed to do; however, what they needed was direction to connect the dots between what they had done and developing a working ISMS. This would allow the Group to operationalise the processes they had developed. At this stage Lisa from Axenic came in, did a comprehensive 2.5-day audit, and identified areas of concern and areas for improvement.

Following Lisa’s audit, Martin from Axenic joined the certification project team and explained exactly what it needed to look like and what they needed to do. This created a breakthrough, with Martin giving the project team confidence that they were working with someone who understood the organisation and gave the Group faith that they were going to be able to gain certification.

Most importantly, this meant making sure the ISMS was fit for the Group: knowing what to keep, what to discard and what to change slightly.

The Results

First and foremost, ISO 27001 certification allowed the Group to meet the ATO mandated obligations. However, the results go a lot deeper than that. After the initial driver of the mandate, the Group quickly started to see the additional benefits of being the only payroll supplier in New Zealand with ISO certification. Fast forward a few months post certification and overall the company has changed its culture and is now even more infosec aware. Their ISMS is now embedded into the Group’s culture with the following tangible results:

  • When new or existing clients ask for the Group’s security practices, instead of it taking hours to pull together the information, they simply show them the gold standard of ISO 27001 – saving time and money.
  • The Group are now well set up with a CISO and an information security focal point.
  • The Sales Team can use this as a sales tool, helping convert leads and giving the Group a serious competitive advantage.
  • As a result of the process, the Group has moved to a paperless environment, completely changing the way the company works.
  • The Group made a number of changes companywide with training sessions and roadshows, and the team really took on board and engaged with the ISMS.

We could not have done it without Axenic and Martin – he tied the whole thing together for us.

MARTIN GLEESON, MANAGING DIRECTOR, IPAYROLL
