Season 2 Episode 24 – ISO Compliance Software – Part 2
In this episode of the Quality Hub podcast, Xavier Francis continues the discussion with Anne Siebert and Brian Reich of Core Business Solutions, focusing on the Core Compliance Platform’s reliability and security for ISO compliance. They explain how Core’s infrastructure maintains high uptime and how hosting in AWS GovCloud provides security and encryption, among other topics.
[Xavier] (0:07 – 0:47)
Hello everyone, and thanks for listening to the Quality Hub and chatting with ISO Experts. I’m your host Xavier Francis, and today I’m here with Anne Siebert, Product Manager, and Brian Reich, Manager of Software Development, both from here at Core Business Solutions. I am glad you both can join us.
Thanks, X. Thanks for having us. Absolutely.
We’re so glad to have you both with us again. Okay, so last week we were talking about the Core Compliance Platform. Now, Brian, Anne mentioned Core’s uptime, and with you being on the development side, you probably know a little bit more about the whys and where of that, but what measures do we here at Core take to ensure high system uptime and reliability?
[Anne] (0:48 – 1:53)
Yeah, so let’s talk about uptime and reliability with Core. So in our terms of service with customers, I believe we promise three nines, 99.9% uptime, which is a few minutes per month or a few hours per year, however you want to think about it. In practice, since I’ve been here, we’re historically around five nines of uptime per year.
There’s very little downtime with Core. Wow, that’s good. So what do we do to keep Core up and running as much as we possibly can?
There’s a couple of things there. So first off, we use the AWS GovCloud to host our software. AWS GovCloud is a U.S.-based region of Amazon Web Services. It also, in addition to being on U.S. soil, it provides a lot of security out of the box, and it meets regulatory and compliance requirements for a whole bunch of different standards such as ISO 27001, CMMC, NIST 800-171, a bunch of other things that I can’t remember off the top of my head as well.
[Xavier] (1:53 – 1:57)
But a lot. Yes. There’s a reason it’s called GovCloud.
[Anne] (1:57 – 3:30)
Yeah, it is designed to provide a really good backbone for people to build services, to serve the government or government contractors. That’s basically what its whole purpose is. So another thing that helps keep Core online as much as possible is the fact that our support and infrastructure teams are U.S.-based. So if something does happen, we’re working more or less in the same time zones as most of our customers. If there’s an issue, we are very responsive. We can deal with it very quickly. That is important.
It is. We do try to leverage technologies that require as few restarts and reboots as possible, which means less downtime. And when there is something that needs a restart or a reboot, we have redundancy built into our infrastructure.
That means while that thing is rebooting, there are still application servers online to fulfill your request to the application. In addition to that, we build our infrastructure to be redundant across multiple geographic regions. So, for example, if there is an incident in one location where we have servers such as, I don’t know, a hurricane, something like that, there are application servers still running in another zone that can fulfill requests to the application.
So like I said, we promise our customers three nines of uptime, which is roughly eight and three quarter hours of downtime per year. But in practice, we’ve been closer to five nines over the last couple of years, which is more like five and a quarter minutes per year.
[Xavier] (3:30 – 3:41)
Wow. That’s very specific. Very specific.
That’s great. So, Brian, we mentioned AWS GovCloud, but what about data security and encryption? How does it help that?
[Anne] (3:42 – 4:08)
Sure. So, yeah, as you said, we are hosted in AWS GovCloud, and that environment is highly secure and provides very robust encryption for both data in transit and at rest. OK.
So from the moment a user starts working in Core, everything’s encrypted from their web browser where they’re interacting with the application to the application servers and from the application servers to the database. Everything is encrypted.
[Xavier] (4:08 – 4:45)
So with the encryption being important, that means the moment you’re entering your data in that browser, it’s now been changed and encoded where it can’t be intercepted by anybody. Or if it is, they can’t read it because there’s a certain encryption until it gets to the place where it’s stored, which is important when people are looking at data, especially if they’re dealing with data that may include PII or personal identifying information. If they’re dealing with some governmental information, if they’re dealing with healthcare-type stuff, that kind of security is really important to have that encryption, correct?
That’s right.
[Anne] (4:45 – 5:40)
So if you log into Core, or if you use any applications over the web, you’ll notice that your browser will tell you whether you’re using a secure connection or not these days, right? Core will not allow you to connect without a secure connection. If you can’t support encryption, you can’t use Core.
So you’ll notice when you log into Core that it’s over what’s called an HTTPS connection. We use HTTPS with the most recent versions of the encryption standards available. Once you are in Core and you’re sending data back and forth to our application servers, everything is encrypted between you and the application server.
And then in addition to that, any communication between the application server and the database and the file servers where your data is going and being stored, everything’s encrypted in transit between them and it’s encrypted while it’s at rest on the hard drives as well.
[Xavier] (5:40 – 6:05)
All right. So everything is locked down with that encryption. That’s right.
Also, you mentioned about everybody being able to be secured. We support multiple browsers on multiple OSs. So you’re pretty much able to, whether you’re in Chrome, whether you’re in Edge, whether you’re in Firefox, whether you’re in Safari, there’s very few that we’re not going to be able to handle from that perspective for that encryption.
[Anne] (6:06 – 6:15)
That’s right. Our browser support matrix, as we call it, is 12 months of support for all of those browsers that you mentioned, Firefox, Chrome, Safari, and Edge.
[Xavier] (6:16 – 6:35)
Awesome. Well, that’s exciting to know that we’re looking at that level of security. Now, Brian mentioned previously that Core is in the US and we’re based here.
All of our servers and staff are here as well as our people. What other benefits of having an in-house development support team are there with being US-based?
[Brian] (6:36 – 7:39)
Well, the Core is designed with the end user in mind. So we want to focus on making compliance management as straightforward and user-friendly as possible. The development team is actively using user feedback to enhance features like our dashboards, reporting, and training.
That way we can effectively make compliance easier for all customers. Having in-house development and in-house support teams in the US ensures that the team is closely aligned, not only with customer needs but also with compliance requirements. It also is really helpful to get real-time support from the staff that know the software in and out.
So when the support team has an issue or is currently working with a customer on an issue or multiple customers, the software team knows about it within minutes.
[Xavier] (7:40 – 7:40)
Right, right.
[Brian] (7:40 – 7:46)
And then that way we can easily get a solution in place.
[Xavier] (7:46 – 7:52)
Right. So you’re not dealing with, okay, let me kick that upstairs and we’ll get back to you.
[Brian] (7:52 – 7:57)
Right. It’s kind of that question mark of, okay, well, when is this going to be fixed?
[Xavier] (7:58 – 8:14)
Exactly. You’re going to have where they’re working the same time zones, they’re working in the same timeframe. Also our customer support, I believe it’s live.
I’ll let you talk about that in a minute. And you’re just able to communicate with the software team and get things fixed a lot faster if there’s a problem.
[Brian] (8:14 – 8:29)
Yep. That’s right. You mentioned the live support.
We have a feature that is our live chat. It’s real live humans that our customers can interact with on a chat platform.
[Xavier] (8:29 – 8:37)
So it’s not an AI bot saying, okay, I can answer these questions, but you don’t know what they are. So you’re going to have to go through me for five minutes before I kick you to somebody real.
[Brian] (8:37 – 8:41)
That’s right. You are immediately talking to a human being.
[Xavier] (8:41 – 8:41)
Right.
[Brian] (8:41 – 8:47)
And it’s funny because once we rolled that out, customers just raved about it.
[Xavier] (8:47 – 8:48)
That’s awesome.
[Brian] (8:48 – 9:13)
And it’s been a few years since we’ve had that feature. So it’s nice to talk to a human when you need help. We’ve all had that experience of either calling an automated answering machine and hitting all the numbers or yelling at the phone to say representative, which is so frustrating, especially when you need help the most.
[Xavier] (9:14 – 9:14)
Right.
[Brian] (9:14 – 9:28)
There are also plenty of online bots and chats that you either have to enter a number or a keyword to get information and you just keep getting the same information. It’s annoying.
[Xavier] (9:28 – 9:52)
Well, I mean, I just had something that happened and it’s still happening. I’m having some issues with part of my computer and I went to get some help with it. And somehow the serial number of the device was not accepted into their system.
I finally had to enter just all zeros till I could even chat with somebody to be able to say, I can’t even enter this number to get your help.
[Brian] (9:52 – 10:22)
Right. So you’re already frustrated. You need help.
And now on top of dealing with a bot, not understanding what you’re putting in there, it’s beyond frustrating. So our customers have live humans. It’s during business hours.
Yes, there is a messaging system that if you’re after hours, we’ll get back to the next business day. But ever since we’ve rolled out this feature, it’s been top-notch.
[Xavier] (10:22 – 10:25)
That’s awesome. Brian, do you have any input on that?
[Anne] (10:25 – 12:17)
I’ll say that in my experience, you will not find a software company that is more fanatically devoted to customer service. So I’m sort of thinking about the opposite situation of what Brian just talked about. So think about a software company where the software development talent or the customer support talent are offshore, right?
So they may not be working in the same time zone as you. And one thing that ends up happening is you may talk to somebody in customer support. And if there is indeed a bug, that bug gets pushed onto a queue somewhere in some ticket system, right?
And then for that bug to get evaluated by a software developer, you’ve got to wait for them to punch in in the morning in whatever time zone they’re in and then evaluate what’s going on. You might even have to have some back and forth between them and customer support to get more information. It’s just a lot of slack in the system where nothing is happening, right?
So with us, it’s great. We work in the same time zone as customer support and most of our customers. And not only that, we are in the same room or the same virtual room, so to speak.
And we can have real-time conversations constantly. So when a customer has a problem with the system, usually I hear about it within a couple of minutes. Somebody that I know by name and by face sends me a message or calls me up, whatever, and says, Hey, we’re having this problem.
And either I or somebody else on the team gets to look into that immediately. And that’s great because that allows us to turn around solutions to customer problems very quickly. Pretty often it’s within the same day, within a few hours.
[Xavier] (12:17 – 12:24)
And see if there’s a greater problem. Yeah. So now you’re able to fix it before it might even affect somebody else.
[Anne] (12:24 – 12:43)
Yeah. I will say too, it’s great that we’re in the same location and we work the same hours, right? But it is also a cultural thing.
You need to care about customer support to turn around and solve their problems and give them satisfaction so quickly. And we are very much about that these days.
[Xavier] (12:43 – 12:53)
Yeah, we are. Absolutely. Well, keeping in line with the development aspect, how does Core software adapt to changes in compliance standards?
[Anne] (12:53 – 13:32)
So Core is designed with compliance and certification in mind, and it’s continually updated to reflect changes in standards. So getting back to the idea of culture, that’s how we keep our software updated with changing compliance standards, in my opinion. We’ve forged relationships with the consulting side of the house.
We speak to them very frequently and are constantly engaged with those folks. So when a standard changes, we become aware of that very quickly and we get enhancements and changes on our backlog to address and improve our software to change in time with those standards. Wow, that’s great.
[Brian] (13:33 – 14:12)
What also helps is our relationship with registrars or the certification bodies that perform the audits and certify companies to a particular standard. So this relationship helps in knowing what the auditors are looking for and knowing if a certain action or process, whatever it might be, actually meets the requirement if the requirements change. So having that knowledge to help adjust our approach or enhance any software features that are needed will benefit all of our customers, not just one particular person.
[Xavier] (14:13 – 15:28)
Well, another thing that’s cool about both the consulting and the registrar relationships we have is you see that sometimes certain trends happen where registrars start auditing things differently or so maybe the standard didn’t change, but they’re looking for, they’re defining their approach a little differently. Well, if you have the consultant seeing that, they can adjust and say, hey, we kind of need it to look like this in the software or registrars can say, yeah, we’re kind of looking at that a little differently because X, Y, Z. How does that affect the software that you’re using to comply?
Really useful. Now, one aspect we haven’t covered, we’ve talked a little bit about the software itself, what it does, how it keeps you up to date, how it keeps you fresh, how it keeps everything on schedule, how it reduces your workflow to some degree in automating things. We didn’t talk about training, and that’s one thing that is important because if you have people that need to meet compliance, they need to know what they need to do.
That’s one thing that we also include with our core subscriptions. We have in-house self-paced training programs. What are the benefits of that, Anne, of having that in-house training integrated into Core?
[Brian] (15:28 – 16:24)
Yeah, so Core, we have not only the in-house US-based support team as well as our software development team, but we also have a program development team that builds all of our training. Whether it be on the particular standard that you are getting certified to, you can learn all about the requirements and what all that means and meet the requirements. You also have access to learn about the Core compliance platform, so that way you can utilize it the best way possible for you and your organization.
It’s all online training, so it is self-paced. You can do it at your leisure. We provide training plans in the order in which you can take the courses, but it’s really up to you and how you want to take your training.
[Xavier] (16:24 – 16:28)
That’s also broken down into who needs to take it if they’re in a certain role as well.
[Brian] (16:29 – 16:52)
Correct, yes. So depending on how involved you are in your management system, we provide the recommended courses for that role. So you do not have to take 100 courses, I’m spitballing a number here, but you have a certain idea of what you need to know for your role, so that way you can do the best job possible.
[Xavier] (16:52 – 17:19)
And there are things that you might not think about, like let’s say we’re talking about periodic review. You might do that naturally in your business, but it might not be or it might just not quite be the same as what they’re looking for from the standards perspective and how you’re going to be audited to it. So somebody who’s going to be doing those periodic reviews needs to understand how it relates to the standard that you’re now conforming to.
And it’s really important to have that training so they can understand it.
[Brian] (17:19 – 17:44)
That’s right. I mean, the nice part with the training as well is that you can go back to it anytime; you can keep retaking the same training. If it’s not something that you do that often, say once a year, and you don’t remember.
I often forget how to do certain things, right? We all do. So you can go back to the training, refresh yourself, and then go and do that action.
[Xavier] (17:44 – 17:46)
Yep, yep. It’s available anytime you want it.
[Brian] (17:47 – 18:08)
In addition to that, the other nice part about our in-house training team is that when the standard does change, we can update the training. So that way you are still knowledgeable on what’s changed for that standard. If you’re going for that certification, we are updating training constantly.
[Xavier] (18:09 – 18:55)
Yep. I’m part of that program development team as well as doing the podcast. And we are constantly aware of when a change to a current standard is coming out, and when ISO releases those.
We have some people in our team and our groups who are on some of those boards for when the new revision of something is coming out. So we can kind of get an idea, okay, what’s coming down the pike? How might we handle that from a training standpoint and also from a software standpoint?
So very, very useful. Well, this has all been great information today on why and how software is important for your ISO compliance and also how our specific Core compliance platform can help you with your ISO compliance and your business overall. Do either one of you have any last thoughts on anything?
[Brian] (18:56 – 19:28)
I think the main thing is we are a consulting company, but we also have software to help you achieve your certification but also maintain that long-term. And so we’re learning the standard before you, so that way we can put those processes and organization in place that you don’t have to. We’re here to make it easier for you to get that certification and keep it long-term.
[Xavier] (19:28 – 19:52)
And you don’t have to reach out for more consulting help. So when you need to learn how to do something for the actual compliance and you’re like, I’m a little confused here. Let me talk to an expert.
Well, we have multiple experts who are going to help you, whether the software already shows you how to do it, training in the software to tell you how to do it, or it just does it for you by filling in this information.
[Brian] (19:52 – 20:09)
Well, in addition to that, it is flexible. So it’s not that every customer of ours has to do it the same way every time. It’s you can make it your own as well.
So there is that flexibility in that aspect, but we’re also helping you make sure you meet those requirements.
[Xavier] (20:09 – 20:11)
Yep, absolutely. Anne, do you have anything?
[Anne] (20:12 – 21:25)
Yeah. I mean, for me, I think what makes our software and our company great is the relationships between the different parts of our business, right? The consulting and the software and the training, everything.
We have a unique experience of having consultants who have helped thousands of customers at this point get compliant with different standards. And as a software developer, like, could I go and develop software independently that’s a checklist application to help you get through a compliance standard? Sure.
But it would be hot garbage compared to Core without all of the institutional knowledge that we’ve built from these compliance experts, right? For me, when we had to go through 27001 compliance, right, I could read those documents and I think I understand them. But then when I talk to somebody like Suzanne, for example, who knows so much from her experience with customers, she can pinpoint where my understanding as a layperson is not what’s going to be expected by the auditor.
They’ve been through these audits with the customers. They’ve brought that knowledge back into the company and the software. And that’s kind of what makes it great.
[Xavier] (21:25 – 21:48)
Well, another thing with that that’s cool is the consultants have certain ways that they look at some of this stuff based on how the individual standard is written. So by the time that gets down to how it works within the software, it’s gone through multiple layers of people that know what the auditor might be looking for, how it’s defined within the standard, and how you meet that.
[Anne] (21:48 – 21:52)
Yeah, we’ve already gone through the pain so our future customers don’t have to. Exactly.
[Xavier] (21:52 – 22:44)
Well, appreciate you both being here. It’s great having you. I always enjoy having you both here to talk about our software.
I know that we do care about our customers and we try to put that forth in our customer service, our software, and our training. Absolutely. Well, thanks for being here, both of you.
Thanks for having us. Thank you. I want to thank everyone who’s listened to our podcast today.
We hope it’s been informative for you. Now, if you’re looking for more information about Core Business Solutions, how we can help you with ISO certification, cybersecurity, help you with our software or even training customized for your needs, please email us at info@thecoresolution.com. You can also visit our website at www.thecoresolution.com.
If you haven’t already subscribed to our podcast or YouTube to catch this when it’s dropped next week, please do so. Thanks for listening, everyone, and have a great day.