CASE STUDY

Using the best in technology and modern, agile audit services to achieve multi-standard compliance

How software development company Octopus Deploy streamlined its compliance activities using Vanta and AssuranceLab.

INTRODUCTION TO OCTOPUS DEPLOY
Australian-born software company Octopus Deploy is on a mission to take the panic out of software deployments. 

When companies and developers deploy new features, they face a range of risks, from accidentally breaking something to shipping the wrong configuration, any of which can leave a website not working as it should. The Octopus Deploy platform helps developers and companies deploy software features into their environments consistently, making deployment a repeatable and calm process.

BEGINNING THE COMPLIANCE JOURNEY

With the goal of moving into the global enterprise space, Octopus Deploy began looking at the requirements of enterprises in Europe and the United States. This meant reviewing the different compliance standards and identifying which ones those enterprises regarded as the benchmark. It quickly became clear that ISO 27001 in Europe and SOC 2 in the United States would be key to winning clients in each region.
 
When looking at each framework and its individual requirements, it became apparent that there was a lot of overlap between the two standards. This led to Octopus Deploy's decision to pursue both. They started with ISO 27001 and layered SOC 2 over it, adding the few additional controls SOC 2 required.
 
With their plan in place, Octopus Deploy started looking for audit firms and the most efficient way to achieve their goal.

DISCOVERING COMPLIANCE AUTOMATION

After first hearing about Vanta at a conference, Octopus Deploy's CEO spoke with Jim Burger, Director of Information GRC at Octopus Deploy, about using the platform on their compliance journey. Wanting to be sure they had all the available information, the team evaluated several different platforms before ultimately signing with Vanta.

“They had the right price point and maturity for us at the time, and we wanted to use software that had an equal or better security posture to ours. The major selling point for Vanta was that the people leading their compliance function had all worked for a leading compliance standard company. This held a lot of weight for me,” said Jim.

DISCOVERING A NEW AND BETTER WAY OF AUDITING

After working with a traditional audit firm that had time zone challenges, Octopus Deploy started looking for an audit partner who was not only in a better time zone but could also meet their agile requirements. “We practice agile delivery ourselves, and there had to be a better way to do this. Because we are a remote-first company, we needed something that was really agile alongside us,” said Jim.

After searching for the terms ‘agile’ and ‘audit’ and speaking with Vanta, AssuranceLab stood out as the preferred audit partner.

“I was overjoyed to see that it [AssuranceLab’s approach] would save us a lot of heartache and pain,” said Jim.

Octopus Deploy began working with AssuranceLab in 2022 and continues to work with the team today.

WORKING THROUGH THE AUDIT PROCESS

Octopus Deploy’s deadlines were driven by contractual obligations, with a SOC 2 report needed by the time a contract started. All three teams set their sights on that goal, and Octopus Deploy ultimately achieved its compliance goals within the deadlines.
 
Whilst some unexpected things came up during the process, Jim highlighted that overall it went well and that the communication from AssuranceLab was fantastic.

“Having a Slack Connect channel was a very positive thing, as it gave me a lot of confidence. The speed of delivery from both teams and the turnaround time on the report were great. The use of AI in the auditing process, particularly during the QA process, really aided in this,” said Jim.

Given the immense overlap between SOC 2 and ISO 27001, Octopus Deploy was able to align its teams on one goal and narrow their focus. “Completing SOC 2 and ISO 27001 together allowed for synergy within the team. Having the team focused on audits from both angles allowed us to concentrate on the activities. We found having all tasks condensed into one quarter allowed us to shift our focus to maintenance for the rest of the year,” said Jim.

KEEPING EVERYONE ON TRACK

Like most things, achieving compliance requires focus from everyone involved. This was no different for Octopus Deploy, which made audit readiness its team’s goal for Q4 2024. A few aspects of the process really helped with this.
 
“The numbers showed we had some work to do, but having those metrics was really powerful. It enabled me to not only communicate and plan with my team but also communicate progress back up the line. People love data, and having the ability to see our progress is very motivating."

“It would have been a lot harder to have the metrics and continual improvement without a tool like Vanta,” said Jim.

THE IMPACT OF VANTA

Vanta’s automation, metrics, and dashboards meant that, at a glance, the Octopus Deploy team knew where they stood. This was particularly helpful for app and user syncing, and for knowing instantly when a system or a person had dropped out of compliance, with no waiting or manual checking. Coupled with the ability to assign tasks to people directly in the platform, Vanta proved to be a powerful compliance tool.
 
“Vanta really just takes the pain out of the ‘how am I going to establish the metrics/framework and address all the audit requirements?’ As a cloud-first, remote-first company, I can’t just go and look at a server rack; we rely on automation and tools that are done properly for these things. The vast array of Vanta integrations achieves this. Nearly everything is already in there.”

“Businesses who don’t use compliance automation tools don't realise how much of a problem they’ve got… if I wasn’t using Vanta, I would need a team of 30 people to do what we’ve done with 3,” said Jim.

THE IMPACT OF ASSURANCELAB

Working with a local team that could provide agile audits was important to Octopus Deploy, which needed an audit firm that could keep up with it as a cloud-first, remote-first business. Whilst there was a deadline to work towards, Octopus Deploy didn’t know when it would be completely ‘audit ready’, and the flexibility AssuranceLab provided around this, along with its onboarding into the framework, was immensely beneficial.

“I love the flexibility of AssuranceLab. The entire team carries the mentality of ‘let’s set the audit over an entire window, but at various points in time, we can shift that window if needed. An example of this is that we recently acquired a new company and needed more time to get them onboarded, and that flexibility really helped us. The personalised service AssuranceLab brings to the table is very nice, and having people in our time zone and supporting local is a huge benefit,” said Jim.

THE IMPACT OF SOC 2 AND ISO 27001

For Octopus Deploy, compliance was not another box-ticking exercise but an opportunity for a fresh perspective on a hard problem. In achieving compliance, they have not only improved their systems but can also reassure clients that their product is secure.
 
Octopus Deploy has continued to open doors in the enterprise space and, ultimately, to grow its bottom line. Internally, the team now considers and applies compliance best practices in its decision-making.

RECOMMENDATIONS FOR FUTURE COMPANIES

When asked if Jim would recommend compliance to other companies, he said, “Absolutely, but it does depend on their industry. ISO 27001 is relevant for a wide range of companies, but for a technology/SaaS company, SOC 2 is more relevant.” He also shared his recommendations for companies looking at Vanta and AssuranceLab: “Yes, I would recommend them and have done so in the past.”

THE FUTURE FOR OCTOPUS DEPLOY

Octopus Deploy has its sights set on a bright future. Its goal is to build on its growth over the past 10 years and find new and exciting ways to serve its customers. With some exciting updates coming soon for enterprises (watch this space), it is well-positioned to achieve this.
 
From a compliance perspective, the team is working towards being compliance-ready year-round, building on the evidence-upload and timeline lessons learned from past audits.

If you would like to experience the AssuranceLab difference yourself, contact our team: info@assurancelab.com.au 
