How Arbor Education Streamlined Multi-Framework Compliance Across Multiple Business Units with Secureframe

Arbor is the UK's most popular cloud MIS, helping primary schools, secondary schools and MATs work more easily and collaboratively. Our mission is to transform the way schools work for the better! To help schools of all sizes work more easily and collaboratively, with intuitive tools designed to make a difference.

“Without Secureframe, you will be spending an awful lot of time doing manual work, literally screenshotting evidence, and chasing people down to get approvals. This obviously takes a lot of time, but it also makes you less effective. It means you don’t have a high-level view of how the system is working because you’re so focused on gathering the evidence. Secureframe takes that burden away and allows you to focus your time and effort on what you should be focused on, like areas for improvement.”

Damian Brooks, CTO, Arbor Education

Highlights

Challenges

  • Multiple recent acquisitions increased the scope and complexity of their compliance program. 
  • At the same time, the company needed to comply with the latest version of ISO 27001 as well as other frameworks like ISO 9001, further increasing their compliance footprint.
  • Their existing manual processes to maintain ISO 27001 certification were painful, forcing them to take a reactive approach to security and compliance.
  • To continue to scale both domestically and internationally, Arbor needed a compliance automation solution that could grow with them.

Solutions

  • Secureframe’s easy-to-use interface allowed the team to simplify compliance for multiple products and business units.
  • Automated control and test mapping enabled them to quickly realize an ambitious compliance roadmap.
  • Using one centralized platform makes surfacing evidence for auditors much easier, like whether or not employees have read and approved policies or that you’re actually remediating risks. 
  • Risk management features provide visibility into remediation efforts for the CTO, auditor, and other stakeholders.

Results

  • Simplified and sped up time-to-compliance for multiple frameworks, including ISO 27001:2022, ISO 9001, ISO 27701, PCI DSS, and GDPR.
  • Arbor Education reduced their audit readiness cycle from six weeks to two weeks at most.
  • Their security operating model is more effective now that they can spend time focusing on problems or areas of improvement, rather than on manual compliance tasks. 
  • Secureframe provides a scalable model for complying with even more frameworks over time.

Challenges

After six years of manual compliance processes, and acquiring several companies, Arbor Education needed an automated solution to streamline and scale their compliance program.

Arbor Education is a fast-growing Management Information System (MIS) that offers technological solutions to schools and educational institutions to transform the way staff work and reduce administrative load. That means they manage a lot of sensitive data, such as financial statements, census returns, staff contracts, exam results, and student medical conditions. For Arbor Education to continue to grow as the market leader within the English State school market and beyond, they needed strong security measures in place to protect that data and build trust with their customers.

This led them to pursue ISO 27001 compliance early on as a business. But their manual approach was painful, making it difficult for CTO Damian Brooks’ team to keep things up-to-date and identify areas of improvement that needed more time and effort.

Then the business entered a major stage of growth, acquiring several different companies. As they acquired more companies (and more systems), they wanted a single management information system to sit above all those companies to ensure a consistent level of quality and to minimise the operational burden of running everything. This significantly increased the scope and complexity of their management system, making ISO 27001 certification more challenging to maintain.

What’s more, Arbor needed to get this new system compliant with the latest version of ISO 27001 and additional frameworks.

“We needed to upgrade our ISO 27001 standard to the 2022 version and add ISO 9001 and ISO 27701. It was quite an increase in the scope of our compliance footprint and requirements.” 

This added more urgency to their search for the right solution. Needing a tool that could simplify multi-framework compliance while reducing duplicate work, they chose Secureframe after evaluating multiple vendors.

“We knew it would be a really big project to undertake so we did some evaluation of multiple compliance automation solutions. Secureframe came head and shoulders above the others,” says Brooks. “The way that it's set up with a modular approach to the frameworks is quite unique. I think overall the user interface and user experience is much better.”

Solutions

Secureframe’s easy-to-use platform, control and test mapping across frameworks, and robust testing and monitoring capabilities streamlined the process of achieving and maintaining multi-framework compliance.

Brooks and his team found Secureframe so easy to use that they were able to get onboarded and kick off their ISO 27001:2022 compliance efforts immediately.

“The platform is very easy to understand and to use. The onboarding is a good example. It was so well done that we didn’t need any help — we could just get started using the platform right away.”

Arbor’s compliance roadmap also included ISO 9001, ISO 27701, PCI DSS, and GDPR, all of which have a significant amount of overlap. With Secureframe, the team could log in and see at-a-glance which controls and tests are required, which are common across frameworks, and what their next steps should be as they move forward. For Brooks, this ease of use made a big difference. 

“We approach all our frameworks as part of the same management system, but the auditing cycle is different for each one. So we often need to kind of focus on an individual framework at any given time,” he says. “You’ve got a really easy way of breaking down all of the work for a specific framework. We started just with ISO 27001:2022, but were able to add more frameworks over time. Secureframe helped us manage that workload incrementally. It makes the process so much easier.”

Because Arbor has multiple products and business units, it has a complex and broad tech stack that would be difficult to monitor manually. Secureframe’s tests made it easier to identify where issues are in the company and how to fix them. For example, as they implemented ISO 27001, Secureframe automatically ran tests against AWS, Google, and Azure and provided clear recommendations for implementation changes for each cloud environment. Rather than searching for specific issues or manually taking screenshots of bucket policies, the team could quickly delegate tasks and remediate the issues.

The visibility that Secureframe provides has helped Arbor approach compliance more holistically as a company. This includes identifying which employees have read and approved policies, something they previously had to do manually. 

“We used to have to gather evidence via lots of roundabout ways to prove to the auditor that people had seen our policies and they were up-to-date,” says Brooks. “Now, it’s all in the system. You can just show the auditor that it was done and dusted. That really stood out to me.”

Having every piece of information in one place also helped Arbor integrate their risk management and compliance efforts. Using Secureframe’s end-to-end risk management solution, they could track the actual work that goes into risk remediation directly with the JIRA integration.

“It’s a really thorough and clear way of showing that you’ve actually captured the risk and you’re doing things to remediate it, which makes evidencing to the auditor very easy,” he says. 

Results

Arbor transformed a frustrating and manual six-week audit readiness cycle into an easy two-week readiness cycle, using Secureframe to drive its continuous compliance strategy. 

Secureframe’s modular framework approach makes it easy for Arbor to manage compliance for multiple frameworks across multiple products and business units.

“The biggest benefit to using Secureframe is the completeness that it provides in audit readiness,” says Brooks. “There’s much better value in Secureframe, in my view.”

This doesn’t just save the team time in preparing for point-in-time audits. It means they’re continuously audit-ready.

“Our auditing cycle prior to Secureframe would have been roughly six weeks in terms of preparing teams, gathering data, and collecting evidence,” says Brooks. “With Secureframe, it’s more like two weeks, at most, because the tests are always running, the evidence is always being gathered. This has really smoothed out our audit process.”

By automating evidence collection and other time-consuming tasks, the Arbor team now has the time and visibility to truly improve their security posture, rather than just checking a box with compliance.

“Without Secureframe, you will be spending an awful lot of time doing manual work, literally screenshotting evidence, and chasing people down to get approvals,” says Brooks. “This obviously takes a lot of time, but it also makes you less effective. It means you don’t have a high-level view of how the system is working because you’re so focused on gathering the evidence. Secureframe takes that burden away and allows you to focus your time and effort on what you should be focused on, like areas for improvement.”

Reducing this manual overhead has not only saved Arbor time in auditing, it has also made them more effective in their security operating model.

“The weekly cadence of our security operating model has become a lot easier. We’re more effective because we don’t have to spend time digging into minute data. We can view it and focus on where there’s a problem or where we want to make changes,” says Brooks.

All this makes it significantly easier for their team to scale their compliance program as the business continues to grow. 

“There are other frameworks that we're likely to have to comply with going forwards. And the good news is now that it has become a scalable model. We would just add the framework [to our Secureframe instance] and hopefully not have much work to do because most of the controls and tests will be common across frameworks. So it should be nice and easy for us to comply with additional frameworks in the future.”
