Data security and compliance have never been more crucial. As businesses globally grapple with an ever-evolving landscape of cyber threats, the importance of adhering to international standards, such as ISO 27001, cannot be overstated. Enter Drata.com, a beacon in the complex world of continuous compliance.
The Legacy of ISO 27001
For years, ISO 27001 has stood as a gold standard, providing a robust framework aimed at assisting businesses in crafting processes that not only ensure safety but also instil trust among stakeholders. This certification is a testament to a company’s commitment to IT security, signalling a refusal to cut corners and a dedication to thoroughness.
However, like many legacy systems, ISO 27001 comes with its set of challenges. Its intricate nature means it’s not a project that can be hastily executed. Achieving and maintaining this certification demands a symphony of collaboration across an entire organisation. And the stakes? Annual renewals with a comprehensive review every three years.
Historically, this has led many consultants down the intricate path of Excel spreadsheets. Here, every change, no matter how minute, is meticulously logged. But as any seasoned IT professional will attest, this method, while thorough, is rife with potential pitfalls.
The Challenges of Traditional Methods
Imagine a sprawling organisation with hundreds, if not thousands, of computers. A single policy change, even a minor one, requires every user’s agreement. A single oversight, a single declined update, and the organisation finds itself in breach of ISO 27001 compliance. And this is just the tip of the iceberg.
Device management, data disposal, encryption standards, multifactor authentication – the list of potential oversights is extensive. In such a scenario, the question begs: isn’t there a more streamlined, efficient way?
This is where Drata.com shines. Recognising the challenges inherent in traditional compliance methods, the team behind Drata has crafted a solution that offers continuous monitoring not just for ISO 27001, but a plethora of other frameworks, including GDPR, CyberEssential, US HIPA, and more.
Why Drata Stands Out
At its core, Drata’s prowess lies in its seamless API integrations. These integrations ensure that every detail, no matter how small, is captured in real-time. Policy not accepted within the stipulated time? Drata notifies you. A new device added without the requisite encryption? You’re instantly updated.
But the team at Drata understands that not every solution provides API support. Catering to this, they’ve rolled out dedicated apps for various operating systems, including Windows, Mac, and Linux. While some manual oversight might still be required, it’s a mere fraction of what traditional methods like Excel demand.
A Deep Dive into Drata.com’s Capabilities
Navigating to app.drata.com, users are greeted with a sleek, intuitive interface. For newcomers, the Quick Start guide offers a step-by-step walkthrough, ensuring a smooth onboarding process.
One of the platform’s standout features is its ability to integrate users via various Identity providers, streamlining the ecosystem from the get-go.
Safety and compliance are woven into Drata’s DNA. The platform advocates for a single super admin, reducing potential conflicts and ensuring a centralised control point. From here, roles such as the Security Committee or Board of Directors can be added, each with customised platform access levels.
For those seeking guidance, Drata’s support system is exemplary. Comprehensive documentation is a click away, and for more pressing queries, the “Live” support option promises a response typically within 15 minutes.
The platform’s dashboard, “My Drata”, offers a panoramic view of task statuses. This bird’s-eye perspective is invaluable, allowing users to quickly identify areas needing attention. For a more granular view, the “Settings” section provides a deep dive into various parameters, from language preferences to notification settings.
One of Drata’s standout features is its “Connections” section. Here, users can integrate a myriad of tools, from vulnerability scanners to ticketing systems. Recognising the dynamic nature of IT ecosystems, Drata continuously expands its list of supported integrations.
Of course, Drata supports Single Sign-On
At the moment there is lack of Zoom but you have a choice of Microsoft Teams and Slack.
One of the most important connections is the Identity provider, as without this connection you can’t bring across all of your users. From the connection, you can pick Google Workspace, JumpCloud, Microsoft 365, Okta or OneLogin. There is a limit of ONE identity provider which is reasonable to avoid conflicts.
The platform also boasts a comprehensive “Vendor Directory”, allowing businesses to manage third-party providers and assign risk scores. Automated reminders ensure that vendor checks are timely and in line with business criteria.
Within the “Risk Management” section, you’re presented with a clear overview of the risks your business currently faces and those that have been addressed. This is where Drata’s capabilities truly shine. The platform proactively highlights areas where your business might fall short of compliance standards. While the accompanying screenshot showcases a plethora of active audits, it’s essential to note that on your company’s portal, you’ll only be presented with audits relevant to your organisation. This ensures that the interface remains user-friendly and focused, eliminating the potential overwhelm of navigating through a full suite of audits that might not pertain to your business.
Within the “Reports and Documents” segment, you have access to a comprehensive list of reports, all available for download. These reports are not only essential for internal assessments but are also primed for sharing with external auditors. The auditors have 2 ways of performing an audit. They can log on to the Drata platform and run the audit or they can be supplied with the reports from this section.
Additionally, each report is timestamped, indicating its renewal date, ensuring you’re always working with the most up-to-date information.
Conversely, the “Events” section offers a detailed log of every recorded event. This feature provides invaluable insights, allowing you to ascertain the success or failure of each event, ensuring that you’re always in the loop regarding the operational aspects of your organisation.
The “Monitoring” section holds a special place for me. It offers a concise overview, allowing you to quickly identify and address any areas of non-compliance. While initially, Drata’s comprehensive features might seem daunting, this section simplifies navigation, directing you to the areas that require immediate attention. Resolving these issues is straightforward; a simple click on “Fix Now” sets you on the path to compliance.
Within the “Frameworks” section, you’re presented with a list of all the compliance frameworks to which your business is subscribed. For instance, if your business is solely aligned with ISO27001, that’s the only framework you’ll see displayed. However, for demonstration purposes, this account showcases a variety of potential frameworks, giving you a glimpse of the platform’s extensive capabilities.
Upon completing the initial setup, you’ll be greeted by the “Dashboard.” This central hub provides a snapshot of the platform’s essential components, offering a clear overview of each segment’s status. With intuitive navigation, it allows for effortless access to any section, ensuring you’re always just a click away from the information you need.
What if your main organisation oversees sub-entities? Drata has this covered. The platform accommodates sub-organisations, granting each its distinct section complete with tailored controls. This design ensures you maintain detailed oversight. For users, switching between the main organisation and its sub-entities is seamless. Simply click on the chevron icon adjacent to your company name (as illustrated with “Drata Partners” in our screenshot) and select the desired sub-organisation to view its dedicated dashboard.
In essence, Drata stands out as a formidable platform, offering an extensive range of compliance standards tailored to bolster business compliance. The trajectory of the compliance sector suggests a burgeoning growth in the coming years. As continuous compliance becomes the norm, customers will increasingly seek providers that prioritize both compliance and security, setting a new benchmark in the industry.
A pertinent question often raised is the cost-effectiveness of continuous compliance compared to manual methods. Is one inherently cheaper than the other? The answer isn’t black and white. Consider this: with manual compliance, businesses are bound to annual audits, with a more intensive review every three years. This cycle often results in teams dedicating significant time, especially in the weeks leading up to these audits, to ensure everything is in order. While this might seem cost-effective in the short term, the landscape is shifting.
As the business world becomes more acquainted with the benefits of continuous compliance, the expectations are set to change. In a competitive market, if two businesses are on par in all aspects but differ in their approach to compliance, the one embracing continuous compliance could have the edge. This advantage isn’t just about adhering to standards; it’s about potential revenue. If adopting a solution like Drata leads to securing more contracts and, consequently, increased revenue, then the initial investment in continuous compliance becomes a catalyst for business growth.
If you have any questions regarding Drata and how our team can assist, please don’t hesitate to reach out. We’re here to provide support, just as we’ve done for all our customers – contact us!
Sign up below to join the Operum newsletter