Case Study: How ManagingLife Achieved SOC 2 Compliance

We had the opportunity to interview Tahir Janmohamed, Founder and CEO of ManagingLife. Our conversation covered the significance of security in a rapidly expanding healthcare company, the company's choice to pursue SOC 2, its strategy for addressing future security frameworks, and how the Carbide Platform and its team of security experts helped expedite the compliance journey.

Tell us a bit about ManagingLife and what you do.

ManagingLife is a Toronto-based digital health company. Our mission is to improve the lives of people with chronic pain, a challenge that affects approximately 20% of the population across the world. We provide an industry-leading digital pain management solution and clinically validated app-based platform called Manage My Pain.

Why is security and privacy important to your company?

When it comes to healthcare, the data that is collected tends to be more sensitive. ManagingLife users can track symptoms and experiences in a way that empowers them to advocate for themselves – it’s a voice for what they’re experiencing. With such personal information being collected and stored, safeguards are essential. Security and privacy are critical to being truly effective in our mission and to maintaining trust with our users.
There has also been a shift in the healthcare industry where health system partners, hospitals, and stakeholders now have comprehensive security and privacy requirements in order to be affiliated with them. There is also a legislative component – we are legally required to meet specific security and privacy mandates in order to operate as a digital health company dealing with Personal Health Information.

Why did you feel SOC 2 was the best compliance framework to pursue?

Security and privacy by design was a priority for us from the get-go – it has always been part of our standard of operating. We initially implemented policies, processes, and structures to make sure security and privacy were being addressed – but as we grew, we realized we needed a formalization to provide proper evidence for the efforts and systems we had in place. We decided to choose between ISO27001 and SOC 2. Ultimately, it came down to location – SOC 2 is more prevalent in North America, where most of our customers and partners are. As we expand into the EU and UK, we plan to work toward ISO27001 compliance. This strategy was critical to choosing a security and privacy solution. The option to expand and build upon what we achieve is one of the reasons we chose the Carbide Platform.

Who is responsible for security in your organization?

I am responsible for the security of ManagingLife. My background is in enterprise architecture, with extensive experience leading the development and management of enterprise-level systems. This has given me a unique, tactical perspective as the Founder and CEO of ManagingLife. My approach is to nurture a cultural tone that prioritizes security and privacy. This needs to be set and modeled by leadership and made accessible to every member of the ManagingLife team.

Does SOC 2 compliance make an impact on your sales cycle? If so, how?

Absolutely. Today, choosing to work with or engage the services of innovative and unique health tech solutions like ManagingLife isn’t just a business decision; it can be a full-on information security risk. Without SOC 2 certification, a company can be considered as having an elevated risk profile. Being compliant doesn’t just improve our security maturity; it ensures our security and privacy posture doesn’t become a barrier during the procurement process.
Additionally, being SOC 2 compliant has helped with Vendor Security Questionnaires. It has provided a formalized framework to map to the questions we’re asked and provides evidence via the SOC 2 report.

What was the SOC 2 compliance process like?

From the beginning of the process, ManagingLife had about 80% of the SOC 2 requirements met. What we needed was a more formalized structure to map out, apply, and validate our security and privacy controls. Carbide’s Platform and team accelerated the process by helping us develop and operationalize policies that directly linked to our processes and procedures. The Carbide Platform, team, and services helped to close the gaps we had going into the SOC 2 compliance process.

What was your experience working with Carbide like?

We felt very well supported. We really appreciated the human touch provided – there was always someone we could speak to when we needed, including a variety of experts that could discuss our specific questions and provide guidance every step of the way. There are nuances to what we do, and having a person with extensive experience to navigate the security and privacy journey was invaluable. The Carbide team facilitated the process using probing questions to help our team get the result and answers we needed. The Platform is evolving and improving. We found it particularly useful during the audit, as anything done in the platform can be leveraged during an audit.

Can you provide a real-world example of how Carbide reduces effort on an ongoing basis?

Carbide provided everything we needed to streamline the processes for incident response tabletop exercises, operationalizing our policies, annual risk assessments, and security awareness training. Their templates, structure, and easily accessible team of experts gave us a leg up so we didn’t have to start from scratch on our own.

Simplify Compliance with Carbide and Accelerate Your Security Journey

Meeting the security standards required by enterprise customers, such as SOC 2 and ISO27001, can be a burdensome and expensive process. The Carbide Platform offers a comprehensive solution. By centralizing controls and policies, generating critical tasks, and providing planning tools, Carbide empowers you to fast-track your compliance timeline. Let’s discuss how Carbide can save you both time and money on SOC 2, ISO27001, and other compliance requirements.