
"It was more achievable than I thought. Which is a compliment to everyone who worked on it. From CyberNinja to Vanta, and obviously, AssuranceLab. With all the groundwork we established and the support from those teams, it was a really smooth process."

Marco Cantarella
CASE STUDY

From providing security services to undergoing a security audit

How an offensive security company, TantoSec, achieved ISO 27001 Certification with the help of CyberNinja and AssuranceLab.

INTRODUCTION TO TANTOSEC
TantoSec, an offensive security company, is no stranger to security compliance. They provide offensive cybersecurity services such as Penetration Testing and Red Teaming.

Founded in 2022 in Australia, TantoSec has grown nationally and is now expanding into international markets. As part of that expansion, they know that becoming compliant is essential.

TAKING ON THE COMPLIANCE JOURNEY

Working in the security and compliance space meant TantoSec already knew the different frameworks. Coupled with their strong commitment to security, this made it clear that ISO 27001 was the framework they needed.

“We obviously pay attention to the kind of processes and things we put in place. Customers are entrusting us with very sensitive information related to the types of engagements that we're doing.” Marco Cantarella, Co-Founder at TantoSec.

Another benefit of ISO 27001 Certification is its use in third-party security assessments and questionnaires, which are often a long process. “We also go through a lot of third-party security assessments, so we know the amount of work that we, and our clients, have to do for security questionnaires. Getting a standard like ISO 27001 will help streamline that process,” said Marco.

ENGAGING ISO 27001 SPECIALISTS

From experience, Marco and the team knew what was involved in an ISO 27001 audit. This led them to seek external support from a consulting specialist, CyberNinja. Having already worked with Swapnil from CyberNinja, TantoSec had developed a professional relationship with the team. “When the decision to get ISO compliant came up, we knew CyberNinja would be a perfect fit. He's sat on both the customer side and now the consulting side. It really helped to bridge the gap for someone like us who is obviously on the consulting side to make sure that we're covering both bases,” said Marco.

After signing with CyberNinja and beginning to get audit-ready, it was time to bring in AssuranceLab as the expert audit team.

END-TO-END AUDIT PROCESS

Initial assessments of TantoSec’s audit-readiness showed that their policies and documents were scattered across different external drives. This static arrangement would make collecting evidence difficult.

With guidance from CyberNinja, TantoSec started using the compliance automation platform Vanta. This took their manual evidence collection and transformed it into an automated process with a clear roadmap. CyberNinja was instrumental in this process. They took TantoSec’s current procedures and made them compliant with the ISO 27001 standard. This meant less time creating things from scratch and instead improving what the team already knew. CyberNinja’s responsiveness and availability throughout the process made getting audit-ready a lot more straightforward than anticipated. 

“Swapnil really made the process straightforward. He helped a lot where we needed specific items and was also available throughout the process. So, if we had questions, I knew that I could message Swapnil in a Slack channel and he'd answer it straight away,” said Marco.

“Working with the TantoSec team was a seamless and collaborative experience; they brought clarity and focus to the table. From initial preparation to internal audits, right through to Stage 1 and Stage 2 certification, we followed a focused 6–8 month roadmap and delivered on it, right on time. What made the difference was our ability to keep things moving without overwhelming the team. We focused on what mattered, cut out the noise, and maintained momentum from start to finish.” Swapnil Jain, CEO at CyberNinja.

Once TantoSec was audit-ready, it was time to begin the audit. All the prep work meant TantoSec had its evidence ready to go in Vanta. This made it seamless for the AssuranceLab auditors, who are familiar with the platform, to jump in and start testing. Ultimately, this saw TantoSec achieve ISO 27001 according to their roadmap.

“Overall, it was a very smooth process. AssuranceLab was available and easy to communicate with. The audit process, in particular, was more achievable than I thought it was going to be,” said Marco.

“Collaborating with Tanto Security on their ISO 27001 journey was both engaging and insightful. As an offensive cybersecurity services provider, TantoSec presented a distinctive business model and scope that required our audit team to tailor our approach from the outset. Through close collaboration with the TantoSec team, we were able to align our methodology to fit their operations effectively. The active involvement of Swapnil and the CyberNinja team further contributed to a smooth and efficient audit process through their technical expertise and clear, proactive communication.” Mark Kozer, Manager at AssuranceLab.

ACHIEVING ISO 27001 CERTIFICATION

With all parties working seamlessly, TantoSec achieved ISO 27001 Certification according to their desired deadline. “Which is a compliment to everyone who worked on it. From CyberNinja to Vanta, and obviously, AssuranceLab. With all the groundwork we established and the support from those teams it was a really smooth process,” said Marco. 

Whilst achieving compliance is fairly new for TantoSec, they already have their sights set on some of the benefits it’s going to bring. “This is going to save us a lot of time and headaches down the road. It’s certainly helped move along some conversations with customers. We obviously expect more things like that to become clearer over time,” said Marco. 

“It definitely builds up confidence and trust within customers,” said Swapnil.

RECOMMENDATIONS TO OTHER OFFENSIVE SECURITY COMPANIES

Marco also shared his recommendations to other offensive security companies starting the ISO 27001 process. 

“I would recommend AssuranceLab and CyberNinja. It was easier than I expected it to be. And definitely a lot of benefits to our business moving forward.”

“ISO 27001 is also a worthwhile endeavour. I think that more and more companies are going to mandate something like this as well, just because of the onerous nature of making every single potential vendor fill out a third-party security questionnaire. It just creates so much work. I think obviously it makes our customers' lives easier.”

“Completing the ISO 27001 processes as a smaller company is beneficial, rather than waiting till you have 40 or 50 people.”

INTERNATIONAL GOALS FOR TANTOSEC

With their sights set on expanding into international markets like New Zealand, North America, and Europe, TantoSec is already looking into the region-specific compliance standards.

“We want to establish offices overseas in places like New Zealand and North America. Especially in mature markets, compliance is really important. Overall, we just want to continue to grow the business. The goal is to double in size in the next couple of years,” said Marco.

If you would like to experience the AssuranceLab difference yourself, contact our team: info@assurancelab.com.au
