Chapter 1: The cornerstone of secure operations
It's the holiday season, and you're in a new country, excited to explore the local cuisine. You stumble upon a picturesque restaurant but hesitate, wondering if the food is safe. All those unpleasant experiences your friends shared start playing in your head, so you decide to ask the manager for some reassurance. At this point, the manager has two choices: they could either offer you a 30-minute kitchen tour to show off their hygiene practices or they simply point to a prominently displayed ISO 22000 (food safety management) certificate on the wall. A busy manager would probably go for the latter — and honestly, you'd be fine with that too.
Much like an endorsement from a trusted organization, certifications serve as tangible proof of adherence to high standards, fostering trust without lengthy explanations. The same principle applies in the IT world. Whether you're a small startup with a handful of employees or a global enterprise like ManageEngine, certifications often become the foundation of trust, building credibility even before your first interaction with a customer.
In the 2020s, trust is paramount, and the cost of losing it keeps rising:
- Cybersecurity Ventures (as cited by Forbes) estimates that global cybercrime damage costs will grow by about 15% per year, reaching $10.5 trillion USD annually by 2025, underscoring the need for stronger cybersecurity measures.
- IBM reports that when remote work is a factor in causing a data breach, the average cost per breach is $173,074 higher, underscoring the cybersecurity challenges in the evolving work landscape.
These statistics highlight escalating cybersecurity concerns. So how do we at ManageEngine ensure our customers trust us with their digital environments? Through certifications. In recent years, we have achieved certifications for SOC 2, multiple ISO standards, and various global security standards. This has helped us establish immediate trust and evolve our security posture with continual improvement. However, this was easier said than done.
Like any company embarking on a new venture, we started with zero certifications. We built a dedicated team and now earn the trust of millions of users worldwide thanks to these certifications. It's been an incredible journey, strengthening our processes and preparing us for future challenges.
If you're wondering how we achieved this success or how you can replicate it, this guide is for you. In this e-book, we reveal the strategies, frameworks, and practical tips behind our approach. You'll uncover everything you need to obtain certifications that inspire trust and strengthen your digital ecosystem.
Understanding the basics
What's the difference between a standard, a certification, and a regulation?
Standards are established guidelines or best practices that organizations can follow to ensure quality, safety, efficiency, or other desirable outcomes. For example, ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for managing sensitive information so that it remains secure.
Certifications are a formal recognition that an organization meets a specific standard. Certification bodies, often independent third parties, assess whether an organization complies with the standard's requirements. For instance, when a company is certified under ISO 27001, it means that an accredited body has verified that the company's information security management system meets the standard's criteria. A certificate applies only to a stated scope (which services, systems, and sites) and to a stated period (an ISO 27001 certificate runs on a three-year cycle with annual surveillance audits), so a prospective customer should read the scope statement and the dates, not just the logo.
Regulations are mandatory requirements set by governments or regulatory bodies that organizations must comply with. Unlike standards, which are often voluntary, regulations are enforced by law. For example, the General Data Protection Regulation (GDPR) in the European Union mandates how organizations must handle personal data, with severe penalties for non-compliance.
Understanding these distinctions is crucial because while standards and certifications help build trust and demonstrate compliance, regulations are legally binding and require strict adherence.
Key certifications worldwide
Certifications vary widely across industries and regions, each addressing specific needs and regulatory environments. Here are some key certifications relevant to the IT and software industries:
- ISO 27001 — Information security management: A globally recognized standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system.
- ISO 27017 — Cloud security: Built on ISO/IEC 27002, this standard adds implementation guidance and cloud-specific controls for both cloud service providers and cloud service customers. It is not certified on its own; it is assessed as an extension of an ISO 27001 ISMS.
- ISO 27018 — Privacy for cloud services: A code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors, covering obligations such as consent, disclosure notification, and return or deletion of customer PII. Like ISO 27017, it is assessed as an extension of an ISO 27001 ISMS.
- ISO 27701 — Privacy information management: A privacy extension to ISO/IEC 27001, it provides guidance for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS) within an organization.
- SOC 2 — System and Organization Controls 2: An attestation report, issued by a CPA firm under AICPA standards and used primarily in the USA, that a service provider's controls meet the Trust Services Criteria for securely managing client data. It covers five trust services categories: Security (the only mandatory one), Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report assesses control design at a point in time; a Type II report assesses operating effectiveness over a stated period, which is what most enterprise customers ask for. Strictly speaking it is an attestation rather than a certification, although it is commonly called one.
- Certified Senders Alliance (CSA): A certification for senders of commercial email, such as email service providers, attesting that their sending practices meet legal and technical standards; certified senders are treated favorably by participating mailbox providers. It is particularly relevant for companies engaged in email marketing, and should not be confused with the Cloud Security Alliance below.
- Cloud Security Alliance (CSA) STAR (Security, Trust, Assurance and Risk): A program that helps cloud providers document compliance with the Cloud Controls Matrix (CCM), from a Level 1 self-assessment to a Level 2 third-party certification or attestation, and helps customers assess the security capabilities and practices of a provider.
These certifications not only ensure that organizations meet specific standards but also help them gain a competitive edge in global markets.
Identifying the right certification
Choosing the right certification for an organization depends on several factors, like the industry, target markets, customer expectations, and regulatory requirements. Here's an approach to simplify your decision-making:
- Assess market demands: Start by understanding the expectations of key markets. For instance, a software service provider with its primary market in the USA should focus on SOC 2. If the business is expanding into Europe, GDPR compliance and certifications like ISO 27018 and ISO 27701 could come in handy.
- Evaluate business needs: Consider internal processes and the risks associated with operations. If information security is a core concern, ISO 27001 could be a foundational certification.
- Understand interconnected products: For organizations with multiple products that are part of a larger suite, evaluate how certifications for one product may impact others. For example, obtaining Certified Senders Alliance (CSA) certification for Zoho Campaigns required us to consider the implications for interconnected products like Zoho Mail, which handles mail for the same customers.
- Long-term vision: Think about the company's future growth and the potential markets that can be tapped down the line. Certifications that align with a long-term strategy can be more beneficial than those with a narrow focus.
By aligning certifications with both current needs and future goals, businesses can ensure their compliance efforts are strategic and impactful.
The impact of certifications on ManageEngine
Certifications play a critical role in shaping how an organization is perceived by customers, partners, and regulators. Here's how it helped us:
- Trust-building: Certifications provide third-party validation of internal processes and practices, instantly building trust with customers. When customers see that we've achieved notable certifications like ISO 27001, they gain confidence that their data is secure and that we take compliance seriously.
- Competitive edge: In competitive markets, certifications can set us apart from the rest. They serve as proof that the organization adheres to the highest industry standards, making us a more attractive option for potential customers.
- Facilitating market entry: Certifications can be a prerequisite for entering certain markets or working with specific clients. For example, a current SOC 2 Type II report is often a key factor in winning contracts with large enterprises in the US.
- Streamlined internal processes: Beyond external perception, the process of obtaining certifications often leads to improvements in internal processes, creating a culture of continuous improvement and risk management.
Certifications aren't mere checkboxes—they are strategic tools that elevate an organization's reputation, facilitate market expansion, and drive business success. In the following chapters, we'll explore how Zoho Corp. built a powerful compliance framework from the ground up, and how other organizations can do the same to support long-term growth.
The 8-year challenge: How we went from zero certifications to acing compliance
ManageEngine began with a singular focus on product quality. For years, our primary emphasis was on research and development, letting our products speak for themselves—and they did. Our commitment to quality propelled our growth, particularly in the US market. As we transitioned from a startup to an enterprise, we attracted larger clients with thousands of users keen on using our products.
However, this growth came with a new challenge: customers asked more questions (as they should). Simultaneously, the global rise in data breaches and security incidents heightened the need for stringent data protection. Our customers began seeking assurance before trusting us with their data. Our initial approach was to provide assurance by answering all of their questions.
Stage 1: Using certifications to simplify trust
It quickly became evident that this approach was cumbersome and wasn't scalable at all. We had to reach out to multiple teams, and this led to multiple delays. As we looked for alternatives, we realized a single certification could answer hundreds of questions and solve our problems. That realization changed our perspective, and everything started falling into place.
The first significant demand that came up was for the SOC 2 report in 2016. Once we secured the certification and started gaining the trust of customers, our approach shifted. Achieving SOC 2 certification not only helped us secure larger clients but also enhanced their trust in our security posture. This boost in credibility streamlined our sales process with major customers, demonstrating that our commitment to security was as sturdy as our commitment to quality. Recognizing the importance and advantages of compliance, we embarked on the journey to acquire more certifications. This was our first step towards peak compliance.
Stage 2: Streamlining the certification marathon
ManageEngine's foray into global markets like the UK brought an increased demand for internationally recognized certifications. We quickly realized that our compliance efforts needed a significant upgrade, not just for our customers, but for our own operational integrity. This led us to pursue ISO 27001, another significant milestone in our comprehensive compliance journey.
Simultaneously, our presence in the US continued to grow, driving up the demand for SOC 2 reports. SOC 2 covers five trust services categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. As we ventured into new markets, each with its own regulatory requirements, we found ourselves chasing one certification after another. There were times it felt like we were undergoing an audit every month! With experience, we developed a method to navigate these certifications. However, starting from scratch for each one was exhausting, like running a marathon with no finish line in sight.
To address this, we adopted a more purposeful approach. We had gained enough experience to understand the nuances of various standards, allowing us to craft a more efficient compliance strategy. Here’s how we did it: ISO 27001 became our foundation. We used the ISO clauses and controls to create a master list of requirements, which we managed through an in-house application. Each new certification was then treated as a variation of this master list. This meant that instead of starting from zero every time, we only had to adjust for specific differences, simplifying the certification process considerably.
For example, after establishing our ISO 27001 framework, a customer inquired about our cloud security measures, leading us to pursue ISO 27017, which adds cloud-specific controls on top of the ISO 27001 baseline. We adapted our master list to include these additional controls and secured the certification. Similarly, for ISO 27018, which is focused on protecting PII for cloud processors, we layered the privacy controls on top of the existing framework.
Even for non-ISO attestations like SOC 2, which is organized around the Trust Services Criteria rather than a fixed control catalogue, we mapped the controls in our ISO 27001 baseline to the SOC 2 criteria they evidence, so that the same implemented control could serve both audits. This approach allowed us to streamline our compliance efforts, turning what was once a daunting marathon into a well-oiled certification engine. This strategic shift not only simplified the process but also positioned us to meet diverse compliance demands with confidence and efficiency.
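The "master list plus variations" approach above is easiest to see as data. The following is an added illustration, not ManageEngine's in-house application or its actual control mapping: a small ISO 27001 baseline, overlays for ISO 27017 and ISO 27018, and a crosswalk from SOC 2 criteria to the controls that evidence them. Given the set of controls a team has already implemented, it computes the delta still needed for a target standard and which SOC 2 criteria are left uncovered. The ISO 27001:2022 and ISO 27017 control numbers are real but abbreviated; the ISO 27018 entries use placeholder identifiers, and the SOC 2 crosswalk is an illustrative mapping, not an official one.

```python
"""Control crosswalk: one ISO 27001 baseline, per-standard overlays, and a
SOC 2 criteria mapping. Illustrative example, not the authors' tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str      # control identifier as used by the standard (or a placeholder)
    title: str    # abbreviated title
    source: str   # standard that introduces the control


# Baseline: a handful of ISO/IEC 27001:2022 Annex A controls (abbreviated titles).
ISO27001 = [
    Control("A.5.1", "Policies for information security", "ISO27001"),
    Control("A.5.7", "Threat intelligence", "ISO27001"),
    Control("A.6.3", "Information security awareness, education and training", "ISO27001"),
    Control("A.8.8", "Management of technical vulnerabilities", "ISO27001"),
    Control("A.8.15", "Logging", "ISO27001"),
    Control("A.8.16", "Monitoring activities", "ISO27001"),
    Control("A.8.24", "Use of cryptography", "ISO27001"),
]

# Overlays: controls a standard adds on top of the baseline. ISO 27017 uses
# CLD.* numbering; the ISO 27018 identifiers below are placeholders, not the
# standard's own numbering.
OVERLAYS = {
    "ISO27017": [
        Control("CLD.6.3.1", "Shared roles and responsibilities in the cloud", "ISO27017"),
        Control("CLD.9.5.1", "Segregation in virtual computing environments", "ISO27017"),
        Control("CLD.9.5.2", "Virtual machine hardening", "ISO27017"),
        Control("CLD.12.4.5", "Monitoring of cloud services", "ISO27017"),
    ],
    "ISO27018": [
        Control("27018-1", "Notify the customer of legally binding PII disclosure requests", "ISO27018"),
        Control("27018-2", "Return, transfer and dispose of PII at contract end", "ISO27018"),
    ],
}

# SOC 2 Trust Services Criteria -> controls that evidence them. Illustrative
# crosswalk chosen for this example; an auditor will expect the organisation's own.
SOC2_CROSSWALK = {
    "CC1.4": ["A.6.3"],                    # commitment to competence (training)
    "CC5.3": ["A.5.1"],                    # control activities deployed through policies
    "CC6.1": ["CLD.9.5.1", "CLD.9.5.2"],   # logical access / segmentation of the platform
    "CC6.7": ["A.8.24"],                   # protection of data in transit
    "CC7.1": ["A.8.8", "A.8.15"],          # vulnerability and configuration-change detection
    "CC7.2": ["A.8.16", "CLD.12.4.5"],     # monitoring for anomalies
}


def _sort_key(cid):
    """Order identifiers numerically within a prefix: A.5.7 before A.8.15."""
    prefix, *rest = cid.split(".")
    return (prefix, [int(p) for p in rest if p.isdigit()])


def requirements_for(target):
    """Controls a team must have in place for `target`.
    ISO 27017/27018 are assessed as extensions of a 27001 ISMS, so they
    pull in the whole baseline; SOC 2 needs whatever the crosswalk references."""
    if target == "ISO27001":
        return list(ISO27001)
    if target in OVERLAYS:
        return ISO27001 + OVERLAYS[target]
    if target == "SOC2":
        wanted = {c for cids in SOC2_CROSSWALK.values() for c in cids}
        pool = ISO27001 + [c for o in OVERLAYS.values() for c in o]
        return [c for c in pool if c.cid in wanted]
    raise ValueError(f"unknown target {target!r}")


def gap(target, implemented):
    """Identifiers of controls still missing for `target`, numerically sorted."""
    have = set(implemented)
    return sorted((c.cid for c in requirements_for(target) if c.cid not in have), key=_sort_key)


def soc2_coverage(implemented):
    """(criterion -> implemented controls evidencing it, list of uncovered criteria)."""
    have = set(implemented)
    covered = {crit: [c for c in cids if c in have] for crit, cids in SOC2_CROSSWALK.items()}
    uncovered = sorted(crit for crit, cids in covered.items() if not cids)
    return covered, uncovered


# Constructed sample: a team that has implemented the ISO 27001 baseline only.
BASELINE_DONE = [c.cid for c in ISO27001]

if __name__ == "__main__":
    for target in ("ISO27001", "ISO27017", "ISO27018", "SOC2"):
        print(f"{target}: missing {gap(target, BASELINE_DONE)}")
    _, uncovered = soc2_coverage(BASELINE_DONE)
    print("SOC 2 criteria with no evidencing control:", uncovered)
```

Run as-is, the output shows that a 27001-only team needs four more controls for ISO 27017, two for ISO 27018, and three (the cloud segregation and monitoring ones) before CC6.1 and CC7.2 are fully evidenced for SOC 2. The point of the structure is that adding a standard means adding an overlay or a crosswalk entry, never re-deriving the baseline.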
Stage 3: Building compliance champions across teams
Our compliance journey began as a business necessity and has evolved into a cultural cornerstone. As we expanded, both our compliance and product portfolios grew. Today, with over a hundred products in diverse markets, the need for compliance has become more intricate, with specific certifications required for different products in various regions.
Zoho Corporation, the parent company of ManageEngine, offers a suite of interconnected business software, and a certification for one product often impacts others within the suite. Certifications also vary across tools based on their purpose. In some cases, we must limit the scope of compliance to specific products based on regional market demands. With operations across multiple locations, diverse certification requirements, and interconnected products, managing compliance became increasingly complex for our central compliance team. Overseeing 140 teams and over 100 products while expanding our compliance portfolio was no small feat.
So, how did we manage this complexity? We established compliance champions within each team.
- Identify champions: Our central compliance team selected one individual from each product team to act as the compliance champion.
- Training and onboarding: These champions were onboarded into a dedicated champions group where they received extensive training on certification processes.
- Localized compliance: Whenever a specific compliance requirement arose, the champion leveraged our centralized framework to derive the necessary controls and ensure compliance for their team.
- Ongoing support and recognition: We conduct periodic assessments and reviews for our champions, ensuring they are rewarded for taking on this critical role alongside their regular responsibilities.
This system has empowered our central compliance team to focus on enhancing our overall security posture while allowing compliance champions to coordinate effectively within their teams. This collaborative approach has streamlined our certification process, ensuring we meet compliance requirements with precision and efficiency.