Modernizing GRC: The Success Story of Balboa Travel

Location: San Diego, California, USA

Industry: Travel Management

CONTEXT

Balboa’s Journey to SOC 2, ISO 27001:2022, and GDPR

For over 50 years, Balboa has been renowned in corporate travel management. The company offers personalized corporate and leisure travel solutions with advanced technology. When Data Protection Officer Niklaus joined, Balboa was aiming for compliance with SOC 2, ISO 27001:2022, and GDPR. Tasked with modernizing GRC processes, Niklaus chose Scrut as the most suitable partner among multiple vendors.

Niklaus Pegler, Data Protection Officer, Balboa

“One of the biggest challenges was finding specifics about the ISO 27001:2022 and SOC 2. Scrut made it easy. It showed me the exact paragraphs and sections of the standards calling for a requirement and even provided details on the requirement’s expectations.”

Challenges

Decentralized Systems and Inefficient Processes

Niklaus’ previous compliance partner provided limited support, with response times exceeding a week. The platform was buggy, inflexible, and inefficient. The major challenges included:

Manual Compliance Processes
Building policies and managing evidence were labor-intensive tasks. Conducting user training was difficult, and there was no visibility on training completion, control status, or compliance progress.
Vendor Management Issues
Vendor information was scattered across departments. This meant no visibility of assessment status and effort-intensive information collection processes. The decentralized approach also meant no record of the due diligence process, a critical ISO 27001:2022 requirement.
Inefficient Risk Management
Risks were managed on Excel sheets. Continuous platform switching made it difficult to view risks’ impact on controls. Risks had to be evaluated individually to categorize them as high or low.
Cumbersome Audit Process
Audit was conducted off-platform. Evidence had to be manually submitted in Excel sheets to auditors via email. Clarification requests caused more delays, as the IT team struggled to locate associated controls and artifacts.

Adoption of Scrut enabled us to build GRC processes according to best practices in the industry.

Solution

Balboa’s GRC Revamp

Accelerated Compliance Process: Scrut’s pre-built policy library and built-in editor enabled quick policy building and easy customization. Scrut’s people module seamlessly conducted employee training. Balboa could easily track completion through quizzes, which reinforced employees’ security understanding and accelerated progress toward compliance requirements.

Streamlined Vendor Management: Scrut provided a central repository for managing third-party vendors. Customizable questionnaires and automated reminders ensured compliance, and due diligence was recorded with automatic activity records and logs.

Easier Risk Prioritization: Scrut moved Balboa’s risk register into the platform. Built-in scoring mechanisms segmented risks by severity. The risk dashboard helped Balboa identify risks. The risks were also mapped back to controls for easy review and superior control of risks.

Simplified Collaboration with Auditors: Scrut’s audit management module streamlined the audit process. Auditors had direct platform access to review controls and artifacts, add comments, and submit requests. Auto-routing facilitated responses, eliminating manual processes and accelerating audits.


Impact

Enhancing GRC Efficiency

Flexibility to adapt: Scrut provided Balboa with the flexibility to support both on-premises and cloud infrastructures as well as manual evidence upload, crucial for transitioning from legacy technology to a modern solution.

Jumpstart to compliance: Controls pre-mapped to regulatory requirements gave Balboa a head start in achieving compliance. Scrut’s suite of policy and vendor questionnaire templates, built-in employee training, and pre-configured workflows further accelerated audit readiness.

Maturity in processes: With Scrut, Balboa was able to adopt mature processes across security aspects. The platform facilitated more organized vendor assessments, improved risk management processes, and simplified collaboration with internal and external stakeholders.
