iPayroll

Background

Established in 2001 with offices across New Zealand and Australia, the iPayroll Group (iPayroll Limited / CloudPayroll Pty Ltd, “the Group”) is a pioneering cloud-based payroll solution. Helping thousands of businesses run their payroll services securely and efficiently, the Group is a business of significant scale, having recently (September 2021) achieved the milestone of $35 billion in total payrolls processed. Operating a business of this size, with the important function of supporting payroll services, carries significant compliance and security obligations. While always operating to the highest security standards, the Group has a culture of constant innovation and development to ensure their security and compliance processes remain at best practice.

The recent mandate from the Australian Tax Office (ATO) provided the Group with an opportunity to enhance their security processes by achieving ISO/IEC 27001:2013 certification.

The Challenge

The initial motivation for undertaking ISO 27001 certification was a requirement from the ATO for all businesses who manage a minimum of 10,000 Tax File Numbers (TFN) to have internationally recognised certification of their security processes. The Group easily met this threshold and certification was a business-critical project that needed to be completed.

While the Group has always had excellent security practices, they were in danger of being in breach of the legislation if they did not get certification. The Group also recognised that achieving ISO 27001 on their own would be a challenge, so they initially approached another service provider to help them on their certification journey. Unfortunately, this company did not provide a very robust process, which led to an overcomplicated management system.

As a result, the Group ended up with lots of documents but did not sufficiently understand how they related to the business, and realised they did not have enough resources to implement an ISMS.

We did not understand the key things that we needed to do in order to create the correct structure.

GLENDA MACBAIN, CORPORATE SERVICES MANAGER, IPAYROLL

The Solution

The answer turned out to be finding the right people to partner with! Enter Axenic and things just clicked for the team. The Group had completed a lot of work they thought they needed to do; however, what they needed was direction to connect the dots between what they had done and developing a working ISMS. This would allow the Group to operationalise the processes they had developed. At this stage Lisa from Axenic came in, did a comprehensive 2.5-day audit and identified areas of concern and areas for improvement.

Following Lisa’s audit, Martin from Axenic joined the certification project team and explained exactly what it needed to look like and what they needed to do. This created a breakthrough, with Martin giving the project team confidence that they were working with someone who understood the organisation and gave the Group faith that they were going to be able to gain certification.

Most important was making sure the ISMS was fit for the Group, which meant knowing what to keep, what to discard and what to change slightly.

The Results

First and foremost, ISO 27001 certification allowed the Group to meet the ATO-mandated obligations. However, the results go a lot deeper than that. After the initial driver of the mandate, the Group quickly started to see the additional benefits of being the only payroll supplier in New Zealand with ISO certification. Fast forward a few months post-certification and overall the company has changed its culture and is now even more infosec aware. Their ISMS is now embedded into the Group’s culture with the following tangible results:

  • When new or existing clients ask for the Group’s security practices, instead of it taking hours to pull together the information, they simply show them the gold standard of ISO27001 – saving time and money.
  • The Group are now well set up with a CISO and an information security focal point.
  • The Sales Team can use this as a sales tool, helping convert leads and giving the Group a serious competitive advantage.
  • As a result of the process the Group has moved to a paperless environment, completely changing the way the company works.
  • The Group made a number of changes companywide with training sessions and roadshows, and the team really took the ISMS on board and engaged with it.

We could not have done it without Axenic and Martin – he tied the whole thing together for us.

MARTIN GLEESON, MANAGING DIRECTOR, IPAYROLL

WhosOnLocation

ISO 27001 Certification

Background

WhosOnLocation is a small, innovative, and rapidly growing New Zealand-based Software as a Service (SaaS) solution provider of people presence management services. Since their inception in 2012, they have experienced strong growth, expanding to support 5000+ clients across over 25 countries.

WhosOnLocation Chief Executive, Darren Whitaker-Barnett, approached Axenic with a challenge that is common to most small NZ service providers.

The Challenge

The challenge was to help WhosOnLocation compete in a global marketplace: increase their security capability, reduce the effort required to demonstrate that capability to customers, and help differentiate their business in the marketplace.

The WhosOnLocation service collects a range of personal information about people entering and leaving customers’ sites. Darren and his team were increasingly being asked by customers how secure their service is and how they are protecting the information collected. Responding to individual requests for different sets of information to provide customers with this assurance was becoming time-consuming as WhosOnLocation’s customer base grew. Along with existing customers, when tendering for new business they also needed to provide this information to prospective customers.

Axenic has recently worked with us on a business security assessment and a security roadmap to achieve alignment to EU General Data Protection Regulation (GDPR). The security gap analysis work, the knowledgeable people they assigned to our project, as well as the recommendations and assistance they extended to us when implementing new practices so impressed myself and our development and infrastructure team that we now use Axenic in the role of Chief Information Security Officer (CISO), also known as a Virtual CISO. Our current engagement extends beyond the role of CISO and included them leading our ISO 27001 certification project. With Axenic we feel we have a partner with a vested interest in ensuring we and our customer data are secure.

DARREN WHITTAKER, FOUNDER/CEO, WHOSONLOCATION

Our partnership with Darren and his team at WhosOnLocation has been a great example of right sizing security for a small growing company and staying focused on the business benefits of doing it well. Helping them achieve ISO27001 certification has been the icing on the cake.

TERRY CHAPMAN, MANAGING DIRECTOR, AXENIC

The Solution

Rather than trying to meet diverse security requirements across multiple jurisdictions, Axenic agreed with WhosOnLocation that an approach based on international standards would be the best way to help WhosOnLocation effectively meet their customers’ needs. Achieving certification against internationally recognised security standards such as ISO/IEC 27001 Information Security Management System (ISO 27001) would enable WhosOnLocation to provide its customers with confidence that their information is protected. This would also provide them with a strong competitive advantage when compared with similar service providers. To achieve the desired outcome and complete the work on a pragmatic budget commensurate with the size of their business, Axenic analysed the overlapping requirements between the multiple international standards to deliver an optimised roadmap of activities that allowed WhosOnLocation to:

  • Address their GDPR requirements.
  • Develop a milestone-based timeline to improve their security maturity.
  • Work towards international security standards including ISO27001, with WOL successfully achieving this at the end of 2019.

To reach a good balance between cost and impact, Axenic provided a Virtual Chief Information Security Officer to work on a part-time basis with WhosOnLocation to drive the implementation and adoption of good security practices.

The Results

To date, Axenic has worked with WhosOnLocation to help them achieve:

  • Compliance with the NZ Privacy Act 1993
  • On-time compliance with the EU GDPR by May 2018
  • A significant uplift in overall security maturity within WhosOnLocation
  • Continued building of a culture of security within the organisation
  • Attainment of WhosOnLocation’s ISO 27001 certification, successfully meeting international security standards

Working with Axenic to achieve ISO 27001 certification has helped WhosOnLocation to:

  • Compete more easily in an exclusive global market with competitors who also have ISO 27001.
  • More than halve the time it takes the security team to provide assurance that they are effectively managing their risk exposure and customer information (pre-ISO 27001 approx. 32 hours per quarter; post-ISO approx. 8 hours per quarter).
  • Approach large multi-national companies.

We made the right decision by engaging with Axenic. As we were going through the process it has become evident that we couldn’t do it without their help.

TOM PECK, CHIEF TECHNOLOGY OFFICER, WHOSONLOCATION


Human Rights Measurement Initiative

Background

HRMI (Human Rights Measurement Initiative) is a small, not-for-profit, global collaborative project focussed on producing metrics that track Human Rights performance as defined in Human Rights law. HRMI comprises academics and human rights experts from around the world; it is the first of its kind and is independent from any government entity. Data is collected by respondents residing in the specific countries measured and the metrics are published on the HRMI website for anyone to freely access.

Axenic provided just the right person for the job with the right background and experiences and it seemed like a really thorough process that they helped make really easy

ANNE MARIE BROOK, CO-FOUNDER AND DEVELOPMENT LEAD, HUMAN RIGHTS MEASUREMENT INITIATIVE

Last year, HRMI’s successful pilot in 13 countries (Angola, Australia, Brazil, Fiji, Kazakhstan, Kyrgyzstan, Liberia, Mexico, Mozambique, Nepal, New Zealand, Saudi Arabia and the UK) gave them the confidence to expand their reach to include all 170 countries that have signed/ratified the global human rights treaty.

At Axenic, we deal with a lot of large organisations. It was fulfilling to be able to help a smaller organisation with their delivery of a really worthwhile project

TONY MCNAMARA, SENIOR CONSULTANT, AXENIC

HRMI approached Axenic to help the organisation identify and manage the inherent risks associated with this important project. As part of Axenic’s commitment to supporting impactful citizenship initiatives, we were happy to donate the consulting time to HRMI at no cost.

The Challenge

The HRMI team knew that they needed a robust way to manage their security. The data collected for the survey metrics is very sensitive and protecting this information is crucial. In addition, the integrity of the information collected relies on HRMI being able to protect the identities of the respondents to ensure their safety. HRMI had identified concerns that some governments could act in a hostile manner if their performance results were negative.

Needing to find a more efficient and scalable way to collect information, while protecting the respondents’ privacy, HRMI had decided to procure and implement a new CRM. They needed expert advice on the security criteria the CRM would need to meet so that they could perform due diligence on the potential solution.

I was really happy to have the risks identified in the way that Axenic defined these for us

ANNE MARIE BROOK, CO-FOUNDER AND DEVELOPMENT LEAD, HUMAN RIGHTS MEASUREMENT INITIATIVE

The Solution

Axenic worked with HRMI to undertake an information security risk assessment based on their business requirements and in collaboration with their third party suppliers. Axenic helped HRMI to identify specific security risks that they had not considered, confirmed some suspected risks and identified new risks.

Along with establishing the security requirements of HRMI’s new CRM, Axenic also helped HRMI identify broader risks impacting their wider service and ways to manage these.

Through the information security risk assessment, HRMI was able to identify the risks that they needed to manage and how to effectively protect the identities of the survey respondents and HRMI information.

The Results

As a result of the services provided by Axenic, HRMI are now able to:

  • Develop an updated security policy.
  • Have assurance that they are asking the correct security related questions when screening future third party providers.
  • Communicate confidently with their stakeholders about measures taken to keep survey respondents safe.
  • Communicate confidently to current survey respondents detailing how HRMI keeps their identities safe and how they can keep themselves safe.
  • Recruit more survey respondents through assurance that their identities will remain confidential.
  • Have confidence that they have the right information they need to select the best CRM solution to improve their operational efficiencies and provide them with scalability.
  • Have assurance that the controls that the CRM vendor has in place will meet their business needs and security requirements.

Through our work with HRMI, the not-for-profit has developed a good understanding of how information security can help them achieve a great citizenship outcome.

This initiative is an important part of improving human rights for people around the world that would otherwise not have a voice. Protecting the identities of individuals participating in this initiative and ensuring that HRMI is able to keep its information safe is absolutely critical. Axenic is happy to be able to lend our information security expertise to such a great cause

TERRY CHAPMAN, GENERAL MANAGER, AXENIC
