Solidatus is a leading data lineage and metadata management provider. The company focuses on intelligent data management, discovery and visualisation services to empower customers and help them identify and act on opportunities. Solidatus was established in 2017 to address a gap in the market for these services. Since opening its doors, Solidatus has garnered a number of awards and was recently named in Deloitte’s Fast 50 for the second year running.
The company offers a host of solutions, including governance and regulatory compliance, data risk and controls, data sharing, business integration and ESG. It has offices in the UK, US, Singapore and India and provides those solutions to global customers across financial services, retail, utilities and local government.
Working with customers in highly regulated industries, such as banking and finance, meeting legislative requirements and having the right security standards in place is paramount for Solidatus. As the company grew, it became clear that holding an official security certification would not only enable Solidatus to maintain and surpass the required standards, but would also demonstrate that commitment to both new and existing customers. As a result, Solidatus began investigating how to achieve both CSA Star Level 2 and ISO 27001 certification.
Starting the ISO 27001 and CSA Star certification journey
CSA Star Level 2 certification is an independent assessment of the security of a cloud service provider and was created by the Cloud Security Alliance (CSA). It builds on ISO 27001 certification and additionally requires meeting the criteria specified in the Cloud Controls Matrix (CCM). CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO 27001, has addressed the issues critical to cloud security outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in the CCM control areas.
Both certifications enable organisations to demonstrate to customers and stakeholders they have the right cyber security controls in place to deal with cyber threats and mitigate risk.
Finding the best CSA Star and ISO 27001 implementation partner
Working with the right partner is critical in achieving desired certifications, especially when that partner understands the needs of the business, the industry it operates in and how certification can benefit an organisation.
While the Solidatus team had in-house cyber security skills, it didn’t have the right experience to take the organisation through both certifications.
“We began looking at how to get ISO 27001 certification and CSA Star Level 2. After an extensive search it became clear that while many companies stated they could deliver both, RightCue was the only business that met our requirements. Their knowledge was extensive and they had worked with smaller businesses like us and in the SaaS space.”
Imran Musawi
Cyber Security Engineer, Solidatus
The team at RightCue was recommended for its ISO 27001 consultancy services and its work on CSA Star, and proved to be the right partner to help Solidatus through its certification journey.
The challenge of fast growth
As a small company that grew quickly through the pandemic, many of Solidatus’s processes weren’t as comprehensive as they needed to be, and they couldn’t adapt to cope with that growth or meet the needs of the business. One of the things RightCue would address was reviewing those processes in light of Solidatus’s current and future requirements, as well as the certification criteria, to help the business better serve its customer base.
Building a robust information security foundation
RightCue began by performing an in-depth gap analysis, assessing the maturity of existing security processes and getting to grips with Solidatus’s business goals and culture – both of which have an impact on the ongoing success of implementing and maintaining a framework.
From there, RightCue developed a comprehensive implementation plan that was tailored specifically to the needs of Solidatus. The plan formed the foundation from which to work, with the RightCue team collaborating with Solidatus to identify their most valuable information assets, document data flows and create information security policies and other documentation.
Guiding through the certification journey
RightCue focused on optimising security management by eliminating redundant administrative processes, ensuring all activities and tasks directly contributed to enhancing control effectiveness. Throughout the project, there were regular project meetings – weekly or bi-weekly – between the RightCue team and Solidatus to monitor progress and address any concerns from stakeholders. This was especially important given the changes being made to the processes, and it ensured all stakeholders were on board and comfortable with the approach.
Solidatus received additional support from RightCue in the form of comprehensive email and online assistance with understanding risks, identifying and implementing risk treatments and controls, and reviewing internal documentation to support the audit process.
The RightCue team also helped manage the relationship with the certification body, including reviewing contracts, ensuring the audits considered changes to standards, scheduling the four stages of certification audits within the project, and supporting during the audits themselves.
“The RightCue team were instrumental in the process – to be blunt, if there was no RightCue, we wouldn’t have been able to do this. Their knowledge of controls was outstanding, and they really understood our business.” Imran Musawi, Cyber Security Engineer, Solidatus.
Mock ISO 27001 certification audit
To prepare Solidatus for the assessment and audit, RightCue carried out a mock audit, led by a consultant who hadn’t previously worked on the project in order to maintain independence. The mock audit was conducted in the same way as the real thing: the Solidatus team was put through its paces, answering questions and gathering the relevant documentation. The result was successful, giving Solidatus the confidence needed to undergo the real certification process.
“It’s always important to work closely with the customer in developing your plan, implementing it and training the team on the new controls and policies. But what we also find is that transparency has to form the basis of the relationship. We are always clear about the time and effort that is required and Solidatus was very receptive to our help. We guided Solidatus through the whole process, worked with them on their deadlines, and we’re delighted with the result.” Sonal Agarwal, Executive Director and Managing Consultant, RightCue Assurance
Getting the right ISMS results
Solidatus has now successfully certified to ISO 27001 and CSA Star Level 2. The information security management system (ISMS) is fully embedded in Solidatus’s business processes, and with both certifications the company can now show its customers that it has the right security controls in place and assure them of the safety of their data.
“We really valued the pragmatic and flexible approach RightCue took when working with us. They were clearly experts in the field and were able to support us through the whole process including setting up a mock assessment process, so we knew what to expect.
“The impact on the business has been great. Customers and prospects are reassured that we have best-in-class security protocols. The sales team are confident and happy to share certification and relevant documents around our processes. It has freed up time across the business, but crucially it has given us confidence internally.
“Of course, cyber security is never complete, but we have a solid foundation to work from and know what we need to do to be even better for our next assessment. If you’re thinking of tackling this certification, RightCue would make a great partner.” – Daniel Waddington, CTO, Solidatus.