Casestudy

The hotel software company that had to prove it deserved enterprise trust.

Industry

Hospitality SaaS

About Hobse

Hobse, developed by Infonix Weblab Pvt. Ltd., is the world's first hospitality New Distribution Capability (NDC) platform, designed to transform digital collaboration across the hospitality ecosystem.

By seamlessly interlacing hotel systems with the software used by corporate clients, travel management companies (TMCs), travel agencies, destination management companies (DMCs), and other distribution partners, Hobse enables secure, real-time exchange of reservations, inventory, pricing, contracts, room availability, and business information.

The platform eliminates manual processes, disconnected workflows, duplicate data entry, and communication delays, creating a unified, secure, and intelligent ecosystem that enhances operational efficiency, accelerates business transactions, and enables seamless collaboration across the hospitality industry.

There's a particular moment that every growing B2B software company eventually hits. No alarm goes off; Yet something shifts and suddenly, the product you've built isn't the only thing you're selling anymore. You're also selling proof that you can be trusted with someone else's data, their operations, their reputation.

For Hobse, built by Infonix Weblab Pvt. Ltd., a technology company creating digital platforms for India's hospitality sector, that moment arrived in the form of a procurement questionnaire. Then another. Then a conversation with a partner who wanted to see their security documentation before proceeding. Questions kept getting sharper, Answers kept getting harder to give.

They knew, in broad strokes, what they needed: ISO/IEC 27001 certification to formalize their information security governance, and SOC 2 Type II readiness to satisfy the global enterprise market they were moving into. What they didn't have was a clear picture of where they stood, what had to be built, and how to run two compliance programs simultaneously without losing eighteen months and half their operational bandwidth in the process.

That is when they partnered with Whizz Cybersecurity, deployed the WhizzC Compliance Management Platform, and got to work.


The problem with security that lives in people's heads

The Hobse team was indeed security conscious. They did have practices in place, but were distributed across emails, shared drives, individual expertise, unwritten conventions that only made sense to the people who'd been around long enough to know them.

That kind of informal security went fine as long as the customers are small businesses who don't ask hard questions. The moment you're dealing with enterprise hotel chains who have their own security and procurement teams, who run their own due diligence, and who want documented evidence things change and something more is needed.

The documentation gap was real. But it was also a symptom of something deeper: there was no single place where compliance lived. No system of record. No way to look at the organization and quickly answer "here's our current security posture, here's our risk register, here's how we handle access management." The knowledge existed. The structure didn't.

Starting with an honest look at where things stood

The engagement with WhizzC opened with a gap assessment a structured, unglamorous, necessary piece of work that mapped Hobse's existing controls and practices against the full requirements of ISO/IEC 27001. The exercise was mainly to create an accurate starting point: here's what you have, here's what you need, here's the priority order.

From that baseline, a clearly defined ISMS scope was established covering the business functions, information assets, technology, and stakeholder relationships that would be included in the program. Scope definition sounds administrative. In practice, it's where compliance programs succeed or collapse. Define it too broadly and you're overwhelmed. Define it too narrowly and the audit exposes the gaps.



Risk management as a business practice, not a compliance ritual

Risk assessment is the part of ISO 27001 that organizations tend to treat as a box to check. This kind of an approach merely produces a document that reflects the state of your organization at one point of time and becomes increasingly fictional from that moment forward.

Hobse took a different approach. Information assets were identified and assessed against actual threats and vulnerabilities not theoretical ones. Risk levels were evaluated based on likelihood and potential impact to the business. And critically, risk treatment plans were built into the operational workflow, tracked inside WhizzC, and tied to the controls being implemented in parallel.

The goal wasn't to produce a risk register to satisfy an auditor, but to build a risk register that would actually tell you something useful about your business.

Twelve policies. One coherent framework

Hobse developed a comprehensive suite of policies aligned to how the organization actually functions: an Information Security Policy and Access Control Policy at the high level; some policies at operational level, yet some at procedural level and some covering essential tenets of Information Security.

The policies were not mere documents they were deployed communicated to employees through formal awareness sessions, acknowledged through documented workflows, and embedded into the processes they govern. When an auditor asks to see your access control policy, you want to be able to show them the policy and the evidence that people actually follow it.

Running ISO 27001 and SOC 2 at the same time

The conventional wisdom is that you pick one framework and tackle the other later. It's less overwhelming, the argument goes. You build momentum, you get the first certification, and then you extend.

The conventional wisdom is wrong for most B2B software companies, and Hobse's situation illustrated why. Their ISO 27001 program addressed information security governance for their Indian market customers. Their SOC 2 readiness program addressed the enterprise US and global market they were building toward. These weren't duplicates. They were two sides of the same security story, and the controls they shared access management, monitoring, vendor risk, incident response could be built once and applied to both.

WhizzC's multi-framework architecture made this practical rather than theoretical. Evidence collected for one framework didn't have to be recreated for the other. Controls mapped to both sets of requirements simultaneously. The team wasn't running two compliance programs. They were running one program that served two frameworks.

For SOC 2 specifically, the work focused on aligning operational controls to the Trust Services Criteria Security, Availability, and Confidentiality as the core, with additional consideration for Processing Integrity and Privacy. Access governance was strengthened through role-based access control, formal user provisioning and deprovisioning procedures, regular access reviews, multi-factor authentication guidance, and privileged access management. Third-party risk management processes were built from scratch to handle the vendor due diligence that enterprise customers increasingly require.

The quiet advantage: AI that reviews your evidence before the auditors do

One of the less discussed costs of compliance programs is revision cycles. You collect evidence, submit it for review, it comes back with issues, you go back and fix it, resubmit, and do it again. Multiply that by hundreds of artefacts across two frameworks and you've consumed weeks of time on something that should have been right the first time.

WhizzC's built-in AI  (Whizz AI) - performs a preliminary validation pass on uploaded compliance artefacts before they reach formal review. It catches incomplete documentation, flags inconsistencies, and surfaces common submission errors while there's still time to fix them easily. The result is a smoother review process, higher-quality documentation, and considerably less last-minute scrambling as audit windows approach.

It's not a replacement for human review. It's a first filter that makes human review more efficient and that distinction matters when you're trying to run a compliance program without consuming your entire team's capacity.

What Hobse delivers today


The last point is worth sitting with. Most compliance programs are built to pass an audit. The audit happens, the certificate is issued, and then six months later someone realizes that half the controls have drifted and the documentation is out of date and the whole thing has to be done again.

The program Hobse built isn't a point-in-time achievement. It's a governance infrastructure one designed to run continuously, to support the internal audit processes and management reviews that keep an ISMS healthy, and to scale as the organization grows into new markets and takes on new compliance requirements.

That's a different thing from passing a certification exam. And it's the thing that actually builds enterprise trust over time.