June 14, 2024 • 5 min read
Doriane has been empowering agronomy departments in their digital shift since 1984. Our software manages research data from the agronomic industry, and our customers rely on these solutions to innovate on crops (create new varieties, new biosolutions and practices). This process takes time: creating a new variety takes 8 years on average. It is easy to understand how sensitive this data is in a context of innovation that spans many years and of global competition. Hence it is our duty to implement security best practices and ensure the safety of our customers' data. In 2023 our first SaaS solution was released: Bloomeo. Sending sensitive data to a SaaS is of course considered a high risk by our customers, and we needed a way to build a trust relationship with them.
Being compliant with an international security standard seemed like the right way to go!
There are many security standards, the main ones being SOC 2, ISO 27001 and the NIST frameworks (the Cybersecurity Framework and SP 800-53). These standards overlap heavily and each has its specificities. But if we take a bit of altitude, they were all created for the same purpose: to structure the way a company manages its risks. That is really their cornerstone: identifying risks and managing them. ISO 27001 being well known in Europe, and our customers having experience with it, it was an obvious decision. ISO 27001 offers a framework (an information security management system, or ISMS) to identify our risks and treat them, and its Annex A catalogue of controls ensures the most common ones are covered. Here is a sneak peek of what a company must prove when passing ISO 27001:
Security has always been at the heart of Doriane.
And even though we have experience with ISO standards (Doriane is ISO 9001 certified), ISO 27001 felt like a different beast. So, like most young and successful SaaS companies these days, the target was defined but the path towards certification... not so much : ) As a SaaS company, it was obvious to look for a SaaS solution to help us. After evaluating several solutions, Drata felt like the right choice. Relying on Drata has many advantages, for our customers:
Even though compliance with privacy-related regulations (e.g. GDPR, HIPAA, CCPA) is an obligation, most companies never get audited for it. Drata allows us to document and demonstrate our compliance with them. For Doriane, Drata supported us in project management, clearly listing all the requirements of the standard and the controls to put in place. Our progress towards compliance was clear all along the journey and was communicated to top management. Drata also helps us with automation. As it is connected to our ecosystem (e.g. identity provider, cloud provider, code repository, ticketing system, MDM, ...) it continuously monitors the status of each control; controls that cannot be observed through an integration (physical security, supplier reviews, training records) still need evidence uploaded by hand. Additionally, any task that requires our attention (like a policy to review or a vulnerability scan to perform) triggers a notification, so we are confident nothing is missed. On top of the platform, Drata provides a list of partners to support their customers in their compliance journey. Doriane worked with Lyvoc, Drata's partner for Europe, to put us on the right track and lead us toward certification.
If you are also thinking about passing ISO 27001, you are most likely wondering about the typical timeline. Here are the milestones of our journey:
Preparing a certification takes time... and money : ) In addition to the extra software subscriptions needed to align our architecture with the ISO 27001 standard, we also needed to run penetration tests. Finally, building an ISO 27001 ISMS required a strong manpower mobilization (both internal staff and external consultancy): about 1 FTE for the 6 months before certification, and less than 0.5 FTE per year after certification to maintain it. It is significant, so plan for it properly in your budget! But it is worth it for a long-term relationship with our customers.
ISO 27001 is one hell of a ride! But it is worth it at every level. We strongly believe our compliance with this security standard is key to building a trust relationship with our customers. Beyond this aspect, these security standards force companies like us to regularly re-evaluate our risks, face them and manage them. This is an intense exercise, but we see it as personal hygiene: not super fun, but necessary to stay healthy!
Let me conclude this article with a couple of tips based on our experience: