WhosOnLocation

ISO 27001 Certification

Background

WhosOnLocation is a small, innovative, and rapidly growing New Zealand based Software as a Service (SaaS) solution provider of people presence management services. Since their inception in 2012, they have experienced strong growth, expanding to support 5000+ clients across over 25 countries.

WhosOnLocation Chief Executive, Darren Whitaker-Barnett approached Axenic with a challenge that is common to most small NZ service providers.

The Challenge

Help WhosOnLocation compete in a global marketplace: increase their security capability, reduce the effort required to demonstrate that capability to customers, and help differentiate their business in the marketplace.

The WhosOnLocation service collects a range of personal information about people entering and leaving customers’ sites. Darren and his team were increasingly being asked by customers how secure their service is and how they are protecting the information collected. Responding to individual requests for different sets of information to provide customers with this assurance was becoming time-consuming as WhosOnLocation’s customer base grew. In addition to existing customers, they also needed to provide this information to prospective customers when tendering for new business.

Axenic has recently worked with us on a business security assessment and a security roadmap to achieve alignment to the EU General Data Protection Regulation (GDPR). The security gap analysis work, the knowledgeable people they assigned to our project, as well as the recommendations and assistance they extended to us when implementing new practices so impressed myself and our development and infrastructure team that we now use Axenic in the role of Chief Information Security Officer (CISO), also known as a Virtual CISO. Our current engagement extends beyond the role of CISO and includes them leading our ISO 27001 certification project. With Axenic we feel we have a partner with a vested interest in ensuring we and our customer data are secure.

DARREN WHITTAKER, FOUNDER/CEO, WHOSONLOCATION

Our partnership with Darren and his team at WhosOnLocation has been a great example of right-sizing security for a small growing company and staying focused on the business benefits of doing it well. Helping them achieve ISO27001 certification has been the icing on the cake.

TERRY CHAPMAN, MANAGING DIRECTOR, AXENIC

The Solution

Rather than trying to meet diverse security requirements across multiple jurisdictions, Axenic agreed with WhosOnLocation that an approach based on international standards would be the best way to help WhosOnLocation effectively meet their customers’ needs. Achieving certification against internationally recognised security standards such as ISO/IEC 27001 Information Security Management System (ISO 27001) would enable WhosOnLocation to provide its customers with confidence that their information is protected. This would also provide them with a strong competitive advantage when compared with similar service providers. To achieve the desired outcome while completing the work on a pragmatic budget commensurate with the size of their business, Axenic analysed the overlapping requirements between the multiple international standards to deliver an optimised roadmap of activities that allowed WhosOnLocation to:

  • Address their GDPR requirements.
  • Develop a milestone-based timeline to improve their security maturity.
  • Work towards international security standards including ISO27001, with WOL successfully achieving this at the end of 2019.

To reach a good balance between cost and impact, Axenic provided a Virtual Chief Information Security Officer to work on a part-time basis with WhosOnLocation to drive the implementation and adoption of good security practices.

The Results

To date, Axenic has worked with WhosOnLocation to help them achieve:

  • Compliance with the NZ Privacy Act 1993
  • On-time compliance with the EU GDPR by May 2018
  • A significant uplift in overall security maturity within WhosOnLocation
  • Continued growth of a culture of security within the organisation
  • Attainment of WhosOnLocation’s ISO 27001 certification, successfully meeting international security standards

Working with Axenic to achieve ISO 27001 certification has helped WhosOnLocation to:

  • Compete more easily in an exclusive global market with competitors who also hold ISO 27001
  • More than halve the time it takes the security team to provide assurance that they are effectively managing their risk exposure and customer information (pre-ISO 27001 approx. 32 hours per quarter, post-ISO 27001 approx. 8 hours per quarter)
  • Approach large multi-national companies

We made the right decision by engaging with Axenic. As we went through the process it became evident that we couldn’t do it without their help.

TOM PECK, CHIEF TECHNOLOGY OFFICER, WHOSONLOCATION


Flux Federation

Axenic and Flux ISO27001

Background

A subsidiary of Meridian Energy, Flux Federation has been in business for just over 2 years, providing a software platform that makes it easier for energy retail businesses to operate and innovate. Based in Wellington and originally developed from Powershop, they currently serve nine energy retailers in 3 different markets globally.

The Challenge

Operating in a very competitive global marketplace, Flux was looking for independent proof of their robust security practices.

Early on in the process two key challenges were identified. While Flux has always had good security practices, they had gone through several external audits that identified a lack of a documented process. The lack of a formal process meant it was not as easy for Flux to show their clients and customers that they were following a methodical, risk-based approach to securing their platform. This provided an opportunity to back up the good work that they were doing with documented processes.

Along with the opportunity to provide a documented approach to their information security, as a service provider wanting to expand into international markets, Flux needed globally recognised certification to assist with their growth. Fortunately, there is an international, globally recognised information security standard – ISO/IEC 27001:2013. This standard provides a set of standardised requirements for operating an Information Security Management System (ISMS). Flux recognised that achieving ISO 27001 on their own was going to be a challenge, and Axenic were approached to help them through the process and ultimately to achieve certification.

We needed to document and prove to our clients how good the state of our security practices is.

BEN AMOR, TECHNOLOGY LEAD, FLUX FEDERATION

We were thrilled to have been able to help Flux with their certification because, like them, we believe it provides the right level of assurance for their existing and future clients, especially during a time when data privacy is so topical.

HUSSEIN ELRAKHAWY, SENIOR CONSULTANT, AXENIC

The Solution

The starting point was defining a formal, repeatable, consistent approach to information security management. Flux needed to take a pragmatic, risk-based approach that also took into account management involvement, insight and endorsement of the practices.

While supporting the established Flux processes, it was identified that ISO27001 certification would provide a very good proof point that their information security practices met the required international standards. As a globally recognised certification that takes a risk-based method, ISO27001 is a high-level approach with sufficient flexibility to tackle the specific information security management challenges an organisation like Flux faces.

In their journey to ISO27001 certification, Axenic helped the Flux team to review and develop the documentation required to meet the mandatory requirements of the certification process, as well as to develop several security initiatives. Key in this process was the establishment of the security committee by Axenic.

Along with this, Axenic worked with Flux to write and develop an approved information security policy, bringing the required documented approach to their information security processes. This work was combined with a full risk assessment, the development of an internal security awareness programme and an internal audit, including actions on the findings.

The Results

In this case, the key success result was achieving ISO27001 certification. The actual time to complete the certification is very much dependent on the status of existing practices and the organisation’s commitment to the process, with one to two years not being uncommon. In Flux’s case, the high degree of commitment and existing procedures meant they were able to achieve certification in around 12 months. They are now able to provide this certification as proof of their processes, and it provides Flux with a framework that helps them to:

  • Protect both client and employee information
  • Help manage and keep risk exposure to a minimum
  • Meet contractual and regulatory obligations e.g. GDPR and the Payment Card Industry Data Security Standard (PCI-DSS)
  • Continue to build a culture of security within the organisation
  • Protect brand image, both for Flux and their clients

Ultimately, the ability to show existing and potential customers, through ISO27001 certification, that Flux takes a methodical risk-based approach to securing their platform gives the team the confidence to go after new business knowing that they have a mature information security management system.

Working with Axenic helped turn the huge, daunting task of achieving ISO27001 accreditation into something quite achievable.

BEN AMOR, TECHNOLOGY LEAD, FLUX FEDERATION

Human Rights Measurement Initiative

Background

HRMI (Human Rights Measurement Initiative) is a small, not-for-profit, global collaborative project focused on producing metrics that track human rights performance as defined in human rights law. HRMI comprises academics and human rights experts from around the world; it is the first of its kind and independent from any government entity. Data is collected by respondents residing in the specific countries measured, and the metrics are published on the HRMI website for anyone to freely access.

Axenic provided just the right person for the job, with the right background and experience, and it seemed like a really thorough process that they helped make really easy.

ANNE MARIE BROOK, CO-FOUNDER AND DEVELOPMENT LEAD, HUMAN RIGHTS MEASUREMENT INITIATIVE

Last year, HRMI’s successful pilot in 13 countries (Angola, Australia, Brazil, Fiji, Kazakhstan, Kyrgyzstan, Liberia, Mexico, Mozambique, Nepal, New Zealand, Saudi Arabia and the UK) gave them the confidence to expand their reach to include all 170 countries that have signed or ratified the global human rights treaty.

At Axenic, we deal with a lot of large organisations. It was fulfilling to be able to help a smaller organisation with their delivery of a really worthwhile project.

TONY MCNAMARA, SENIOR CONSULTANT, AXENIC

HRMI approached Axenic to help the organisation identify and manage the inherent risks associated with this important project. As part of Axenic’s commitment to supporting impactful citizenship initiatives, we were happy to donate the consulting time to HRMI at no cost.

The Challenge

The HRMI team knew that they needed a robust way to manage their security. The data collected for the survey metrics is very sensitive, and protecting this information is crucial. In addition, the integrity of the information collected relies on HRMI being able to protect the identities of the respondents to ensure their safety. HRMI had identified concerns that some governments could act in a hostile manner if their performance results were negative.

Needing to find a more efficient and scalable way to collect information, while protecting the respondents’ privacy, HRMI had decided to procure and implement a new CRM. They needed expert advice on the security criteria the CRM would need to meet so that they could perform due diligence on the potential solution.

I was really happy to have the risks identified in the way that Axenic defined these for us.

ANNE MARIE BROOK, CO-FOUNDER AND DEVELOPMENT LEAD, HUMAN RIGHTS MEASUREMENT INITIATIVE

The Solution

Axenic worked with HRMI to undertake an information security risk assessment based on their business requirements and in collaboration with their third-party suppliers. Axenic helped HRMI to confirm some suspected risks and to identify specific security risks that they had not previously considered.

Along with establishing the security requirements of HRMI’s new CRM, Axenic also helped HRMI identify broader risks impacting their wider service and ways to manage these.

Through the information security risk assessment, HRMI was able to identify the risks that they needed to manage and how to effectively protect the identities of the survey respondents and HRMI information.

The Results

As a result of the services provided by Axenic, HRMI are now able to:

  • Develop an updated security policy.
  • Have assurance that they are asking the correct security-related questions when screening future third-party providers.
  • Communicate confidently with their stakeholders about measures taken to keep survey respondents safe.
  • Communicate confidently with current survey respondents, detailing how HRMI keeps their identities safe and how they can keep themselves safe.
  • Recruit more survey respondents through assurance that their identities will remain confidential.
  • Have confidence that they have the information they need to select the best CRM solution to improve their operational efficiency and provide them with scalability.
  • Have assurance that the controls the CRM vendor has in place will meet their business needs and security requirements.

Through our work with HRMI, the not-for-profit has developed a good understanding of how information security can help them achieve a great citizenship outcome.

This initiative is an important part of improving human rights for people around the world who would otherwise not have a voice. Protecting the identities of individuals participating in this initiative and ensuring that HRMI is able to keep its information safe is absolutely critical. Axenic is happy to be able to lend our information security expertise to such a great cause.

TERRY CHAPMAN, GENERAL MANAGER, AXENIC
