Chapter 3: Case studies
Case study #1: Strengthening resilience through BCMS (ISO 22301)
Achieving ISO 22301 certification for our Business Continuity Management System (BCMS) has been a pivotal step in reinforcing Zoho Corp.'s ability to ensure uninterrupted service, even in the face of unforeseen challenges. Let's take a closer look at how we developed and implemented a BCMS framework, covering critical functions and products.
A BCMS is essential for any organization that aims to maintain critical operations during disruptions and swiftly recover from unexpected events. Our BCMS was designed to:
- Identify potential risks: By understanding and preparing for various threats, we could establish contingency plans that would mitigate impacts on our services.
- Ensure operational continuity: During disruptions, maintaining seamless operations for essential functions is crucial for customer trust and satisfaction.
- Facilitate swift recovery: A well-planned BCMS reduces downtime and accelerates the recovery process, minimizing the effects of any disruption.
Implementation and the lessons we learned
The certification process required a comprehensive review and enhancement of our existing business continuity practices. Our journey was marked by several key initiatives:
1. Strategic preparedness
The BCMS certification reflects our methodical approach to proactively identifying and addressing potential risks. By analyzing scenarios ranging from natural disasters to cyber incidents, we ensured that we could continue operations seamlessly during any disruption. Historical context also played a role and acted as a catalyst for this journey. Our Indian headquarters is located in Chennai, a city that is prone to seasonal changes and natural calamities like floods and cyclones. These past experiences revealed gaps that were subsequently addressed, leading to a more standardized approach. Ultimately, this resulted in a framework aligned with ISO 22301 requirements.
2. Rapid response capability
Developing a BCMS framework required the integration of recovery plans across various departments, which included structured planning, role allocation, and resource optimization. This integration ensured that every team understood its role in the event of a disruption, enabling a more cohesive response. When faced with challenges like natural disasters, coordination across various functions, including the network operations center (NOC), IT support, HR, physical security, and the workplace suite teams, ensured that the BCMS covered all critical areas and could be activated quickly when needed.
3. Continual improvement and adaptation
Initially, the BCMS certification covered critical products like Zoho Mail, Zoho Writer, ManageEngine Mobile Device Manager Plus, and Zoho WorkDrive, among others. This selective implementation was guided by urgent business requirements. Moving forward, our expansion plans are aimed at meeting the growing demand for secure, uninterrupted services, especially in sectors like government operations where business continuity is a contractual requirement.
Achieving BCMS certification has been more than just a compliance exercise—it’s a strategic asset that enhances customer trust and acts as a key differentiator in a competitive market. ISO 22301 certification is a testament to our dedication to operational resilience. By identifying potential risks, ensuring seamless operation during disruptions, and continually improving our processes, we have built a BCMS framework that aligns with our goal of delivering excellence consistently. Our ongoing commitment to strengthening business continuity capabilities means that we will continue to set the standard for reliability and preparedness, no matter the challenge.
Case study #2: Strengthening compliance with SOC 2 certification
Achieving SOC 2 certification has been a fundamental part of ManageEngine and Zoho's compliance strategy, enabling us to demonstrate our commitment to robust security practices, data protection, and operational integrity. Here, we dive deeper into the SOC 2 audit process, how we addressed challenges, and continually improved our internal controls to meet the rigorous standards expected by our customers.
SOC 2 is a comprehensive framework designed to ensure service providers securely manage data to protect the privacy and interests of their clients. By adhering to the Trust Services Criteria (Security, Confidentiality, Processing Integrity, Availability, and Privacy), we assured customers that our systems met the highest standards of data security and operational excellence. SOC 2 also served as a critical trust-building tool, demonstrating our ability to maintain service commitments and system requirements under stringent scrutiny.
Key challenges and strategic solutions
1. Overcoming audit delays through proactive preparation
Problem: Previous audits faced delays due to incidents in cloud services and vulnerabilities in products, leading to escalations from frustrated customers. These issues highlighted the need for more streamlined processes and proactive audit preparation.
Solution: We initiated pre-audit discussions focused on the areas that had previously caused delays. Engaging auditors early in the process to provide detailed evidence guidelines reduced unnecessary iterations and ensured that teams were well prepared to present the required documentation and evidence.
2. Implementing a divided audit report approach
Problem: Historically, a single SOC 2 report covered all cloud and on-premises products across divisions. This meant that any significant non-conformity (NC) in one division could affect the entire report, potentially impacting multiple customers.
Solution: We adopted a segmented audit strategy, creating three separate SOC 2 reports:
- One for on-premises products
- One for cloud services in the US data center (DC)
- One for cloud services in all other global DCs
This approach allowed isolation of issues to specific segments, ensuring that NCs did not impact unrelated divisions. Additionally, teams like Zorro and NOC were engaged to provide necessary support, further enhancing the audit process.
3. Enhancing audit scope and methodology
Expansion: The SOC 2 audit included additional products, expanding the scope to cover a broad range of services. Our global presence was also reflected by including sub-service organizations such as the Japan and Saudi Arabia DCs. Operating and gaining certification at a global level becomes a bigger challenge in terms of logistics. With more requirements, scheduling conflicts, and communication challenges, expansion can itself become a barrier to certification.
Solution: We implemented a hybrid audit method, combining in-person and remote audits facilitated by in-house conferencing tools. Compliance management tools tracked evidence collection, automated processes, and facilitated dynamic chats, ensuring seamless coordination between teams and auditors.
Key takeaways and actionable practices
Proactive measures: Early identification of potential issues allowed the implementation of corrective actions well before the audit commenced. Teams were briefed on expected requirements, ensuring that documentation, logs, and reports were readily available, reducing the chances of delays.
Detailed planning: Setting clear goals and timelines aligned internal efforts with audit requirements, minimizing disruptions, and ensuring timely completion of the process.
Tailored reports: By dividing the audit report into distinct segments, specific areas of concern could be addressed without affecting the entire compliance certification. This approach facilitated more efficient audits and minimized the impact of non-conformities, allowing a better focus on individual product categories or regional operations.
Shared responsibility model: The process also highlighted the importance of shared accountability between internal teams, external service providers, and auditors. Coordinating efforts across these groups helped to streamline compliance activities and foster a culture of collaboration.
SOC 2 certification exemplifies our commitment to security, operational integrity, and customer trust. By implementing a structured, proactive approach to compliance, the organization not only met audit requirements but also paved the way for ongoing improvements and scalability. This focus on continuous enhancement ensures that as the business grows, it remains resilient, compliant, and ready to meet the evolving demands of customers.
Final thoughts
Our strategic use of internal tools and alignment with global and regional standards has been a critical driver in establishing ManageEngine as a trusted name in information security, setting a foundation for ongoing success. As you embark on this journey, remember that it's not just about lists and audits; it's about fostering trust in an increasingly challenging digital ecosystem. We hope this e-book serves as a roadmap to navigating the complexities of certifications and turning them into a competitive advantage.
About the author
Mahanya is a content writer who specializes in IT stories, documenting the journey of enterprises like ManageEngine - their ups and downs, internal processes, and core principles. She is keenly interested in interacting with IT thought leaders to get their perspective on digital transformation. A true zillennial at heart, she spends her spare time on social media finding homes for rescue dogs.
About
As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget. ManageEngine crafts comprehensive IT management software with a focus on making your job easier. Our 120+ award-winning products and free tools cover everything your IT needs. From network and device management to security and service desk software, we’re bringing IT together for an integrated, overarching approach to optimize your IT.