In this interview with Divio’s Jonathan Stoppani, read about how we set out to build our own Governance, Risk, and Compliance tool. The project exemplifies Divio’s approach to problem solving.
Christina Harker, PhD
In part one of this article series, we discussed how we were able to achieve an A+ ISO certification in just 4 months. In this article, we’ll delve a little deeper into the tool we especially built for managing compliance tasks that streamlined, clarified and enhanced our process.
The Government, Risk and Compliance (GRC) tool we created significantly sped up our ISO compliance certification process (which includes an ISO audit). And our GRC tool will also work for related, future compliance processes.
Although we didn’t set out at the very start planning to create a tool for our cloud compliance maintenance and future compliance expansions, it emerged as a natural and elegant solution to the problems we wanted to solve. The tool has the amount of flexibility and modularity we need to achieve our compliance goals without wasting time and effort on repetitive administrative tasks. So far as that goes, the tool replicates our design priorities for infrastructure management and our smart PaaS.
The GRC tool offers a robust set of cloud compliance standards that we can tailor to our individual clients. When we discuss our clients’ needs with them, we can check off the compliance requirements they need, and our tool generates documents relating to those specific requirements. We can also customise every item so that special or unusual compliance requirements can be included. With this tool, our team can quickly create bespoke, heavily customised compliance documents and assurances for our clients. This dramatically cuts the vendor onboarding time for both our clients and ourselves.
In this interview, Divio’s Jonathan Stoppani talks about how the GRC tool was built, the pain points, why it’s beneficial to clients, and how the project encapsulates Divio’s approach to problem-solving.
Here’s a breakdown of what we covered:
Background to the Build
Divio’s Starting Position & Rationale
An Elegant Solution
A Clearer Procedure
A Customised Approach for Every Client
A Quicker Process
The Team Behind the Success
We actually started building this tool quite early on in the process once the need became clear, and we worked on it in parallel as we went through the ISO compliance certification process. At the time, we were pursuing our first ISO 27001, 27017 and 27018 certifications for cloud compliance.
We had already been working on our security posture in a variety of ways for about 10 months before we committed to the ISO process. Consequently, with that work behind us and the GRC tool in hand, we were able to turn the ISO certification process around very quickly and with an excellent result.
In turn, the experience of working on compliance and our security posture before starting the ISO process gave us a certain clear-sightedness about what would be an ideal setup for completing the process and other future cloud compliance certifications.
That said, we never limited our thinking to just ISO compliance. We began building the GRC tool with more than ISO in mind. We concentrated on overall compliance, including information security, compliance management and so on. In the end, we collected requirements from a range of standards and, right now, we are tracking over 1,800 requirements in our system.
Here’s a closer look at how we built our GRC tool.
Why did we build a GRC tool? It became obvious, even at the very beginning, that we would not be able to handle the required level of complexity for compliance work with Excel tables and spreadsheets. It would have been impossible to go through 1,800 requirements that way.
At the same time, we didn’t plan out the entire tool in one sitting or in one sprint. It was an iterative process; it was built incrementally. It started out initially purely as a management tool to manage requirements, and then it grew from there.
It really began to grow once we reached a tipping point. That point came when we started to write and draft the policies in our custom GRC tool, and we were able to link the policies to the requirements as cross-references.
Eventually, we also faced the need for asset management and risk management compliance documentation. We knew we did not want to attempt that in an Excel sheet either. We already had a tool handling another aspect of compliance, so it just made sense to integrate these additional topics into that tool we had been building.
At Divio, we incorporated the ISO certification process itself into a larger, ongoing, expansive approach to compliance. It was important to us that anything we folded into the bigger, long-term work was a coherent and consistent model that could function as a part of our longer-term compliance and security framework-building process. And that is how the ISO process contributed, or meshed, with our GRC tool, a tool that has now outgrown ISO certification.
Maybe this seems unusual, but our approach essentially comes from our background as programmers. We try to make sure everything we do is logical and efficient. Our criteria is that things need to be reproducible and follow a clear, pragmatic sequence. We need to be able to follow the same process repeatedly and always come to the same conclusion; that is a fundamental requirement when it comes to our processes at Divio for our product and projects like security compliance.
And this plays into the GRC tool and the role of the ISO compliance certification process. The GRC tool increasingly allowed us to benefit from standardisation, and it plays to our strengths as a team.
The ISO certification process shaped the GRC tool’s creation to some extent because of its own nature. That is, structure and organisation is key to integrating requirements throughout any ISO compliance certification process. For instance, you need to consider risk assessment, treatment actions for risks and so on. These are vital to ensuring a good result and long-term reward for your efforts during the ISO certification process, or any of the other compliance processes you have planned. With any process like that, standardisation and efficiency have clear benefits.
Our starting point, therefore, was to pursue the most efficient and elegant solution to achieving compliance.
The pursuit of an elegant solution affects everything in a project and, in our experience, elegance must rely on a certain amount of standardisation.
For example, at some point during the ISO certification process, companies will start to analyse and track requirements needed. This is typically done by firing up Excel. The company will create a table and begin inputting various pieces of information there. This may take two hours, a day or a week. Sometimes they realise they need to do things differently, and then they start the whole project again from scratch. Depending on the size of the project they’re working on, this can be a good approach or a bad approach.
But, as you can imagine, handling all that information in an Excel sheet quickly becomes unmanageable.
This issue was the first thing that we wanted to tackle with our GRC tool. We needed a way to efficiently manage thousands of requirements. We wanted a solution where, by standardising the process and generalising it to different standards and frameworks, we would then be able to manage a large number of (possibly exotic) requirements. This management would need to go—and now does go—hand-in-hand with a subset of tools that would cut work time and allow us to navigate and get the most out of the database (for example, cross-referencing, deduplication, and so on).
As we started doing this, other questions arose. For example, we would ask why are we handling, or not handling, a given requirement? These seemingly innocent questions are vital. They normally come up when you onboard new clients who require particular certifications or reports.
By creating our tool, we were able to preempt these issues to some degree and plan for them.
At the end of this journey, as mentioned previously, we have close to 2,000 requirements in the database and it is an easy-to-use purpose-built tool. It has saved hundreds of person-hours.
The policy drafting module was the second part that we added to the GRC tool.
Again, we took a step back and considered different courses of action. We asked, “how would companies normally approach this?” Well, most companies would put these policies in Word documents. The downfall of that approach is that—similarly to Excel—you end up with lots of documents, template changes and so on. It quickly becomes unmanageable to draft policies in a word processor. You constantly need to go through all these documents and update them again and again. It’s just not efficient.
At Divio, we like to have everything clean, structured, and looking the same across the board. The elimination of extraneous steps through things like universal formatting leads to a clarity of vision. So instead of using Word, we used Sphinx. This is a standard documentation tool that’s common in the Python world.
Additionally, we were actually already using this tool to produce product documentation, so it was a natural fit to use Sphinx for providing the policies. There was no unnecessary extra labour in picking up Sphinx as a new tool.
We integrated the drafting of the policies into the GRC tool itself, so that we could write RST documents, but we also had the functionality to annotate them with additional visual information. This gave a lot more scope for customisation for our clients.
As we had a database of all the requirements, and could draft policies using the same tool, we were then able to link directly from requirements to wherever we wanted. This was a major benefit. It meant we could link from individual requirements to sections inside policies where we were talking about specific requirements.
Basically, everything in the policies was cross referenced with requirements. We approached it like we would have approached an audit: everything could be traced, tracked, and qualified.
Ultimately, our GRC tool covers writing, editing, customisation, expansion and project management. This gave us a streamlined process for tackling ISO certification which we were working on in parallel, but it also now enables high-speed client onboarding as well where we can use it for building custom compliance packages to a client’s specification.
While using the tool for ISO certification, we were able to easily follow what was being developed. We could track what requirements were covered, what policies were mapped, what was outstanding and so on. Nothing was left untouched, and the result was a robust set of ISO-compliant policies because we used our bespoke tool to manage the process.
Interestingly, this whole process also revealed so much more about ISO certification than just the up-front requirements. Often, some policy sections would talk about some requirements but wouldn’t fully cover them. You would sometimes need to account for partial coverage. You could also have requirements from different standards or different frameworks. These were often the same thing—it could all get quite convoluted if you weren’t careful. Our tool brought a certain level of clarity with it because it was exhaustive and well-indexed.
To be more specific: our tool means that everything remains clear and considered. We were able to identify equivalence between requirements. Things became less likely to be missed or insufficiently covered. We are also able to generate reports about all the different requirements. This includes how we are covering them, where they are being covered, sub-requirements and so on. Because we worked through the ISO certification with our GRC tool—which is geared to our larger, longer-term compliance projects—our ISO certification approach was comprehensive and robust.
Our GRC tool allows us to create customised compliance documents and packages for our clients. Because we are already tracking nearly 2,000 compliance requirements, we frequently have standards in the system that cover a client’s needs.
The baseline content in the tool doesn't change. However, we are also able to annotate within it to customise requirements for our clients. Some clients have specific compliance requirements that we can now easily match. What comes out is essentially tailor-made, initially built on a standardised foundation. Clients end up with a detailed policy built specifically for their company. This policy is then ready to link back to an external security review process.
Because our tool dramatically reduces how long it takes to get through the security and compliance reviews, it has indirect benefits for our clients. Onboarding happens both more quickly and more thoroughly. We are able to go from opening discussions, to having a solution, to implementing everything with relative speed and ease. The usual process can be cut down by weeks, if not months.
In the past, we’d have to go through almost 400 requirement questions per client. It took time to manually answer them, as well as to look at documents in the policies where we were handling something specific. Even after crossing that bridge, you’d then need the client to sign off, which required a certain amount of time and resources on their end for review. Only then could you start the onboarding process properly and help them with fixing their problems and improving their cloud setup. It was a very long process that our tool now speeds up enormously.
We did this all with our relatively small team. The approach we took in building the GRC tool is the same we take for all our work. It's also the same thing we do to manage the tens of thousands applications that are running on our platform. And this approach allows us to handle any project as a smaller team. It’s all part of the Divio method, and comes down to standardised processes and efficient workload management.
The standardisation and structuring of information is key to the success of our tool. And the same can be said about nearly everything our team works on. Most of the things we do are automated, planned, and structured in a way where a lot of intervention isn’t required. As such, we are able to take on large projects and substantial client needs because we build things to allow easy scaling.
This is where Divio really shines, we create elegant solutions. We have the inbuilt standardisation to be able to manage lots of complex projects through a single product. Because of this foundation, we are able to make decisions in advance of how things need to look and we shape the entire product that way. Our goal is for our product to be able to handle a lot of different projects in the most efficient way possible for our users. And, what may surprise some people, is with a sufficient level of standardisation and efficiency in place, you can operate proficiently with a leaner team and, in fact, you can then really reap the benefits of a smaller team in terms of communication and unity.
Our GRC tool allows us to prepare tailor-made compliance policies for onboarding our clients. This helps reduce the length of time it can take to get big companies signed on. Therefore, it moves us and our clients on to seeing the benefit for our product more quickly, and, ultimately, it reduces the amount of time it takes to just get on with the work. The tool we have developed has ongoing benefits, and has significantly impacted our ISO workflows, our adaptability to client needs and our possibilities in terms of growth when it comes to cloud compliance.
Cloud Compliance / Cloud Management / Cloud Cost Control / Cloud Security
Divio Method and Compliance Part 1: An A+ ISO Certification in 4 Months
In this interview with Divio’s Jonathan Stoppani, read about how achieving an A+ ISO certification in 4 months exemplifies Divio's approach to problem solving.