A Decade of Resilience: Long-Term BC and Information Security Support for an Automotive Testing Facility

Sector: Automotive | Scope: ISO 22301, ISO 27001, integrated management system, exercising | Outcome: Sustained certification across a decade-long partnership

Some client relationships are defined by a single project. Others evolve over years into something closer to a genuine partnership — where the consultant becomes part of the fabric of how an organisation manages its resilience. This is one of those.

Cambridge Risk Solutions has worked with this client, a specialist automotive testing and proving ground facility, since 2014. What began as a certification project has become an ongoing contract relationship covering business continuity, information security, and the full annual cycle of plan maintenance, exercising, and audit support.

The Starting Point

When the organisation first approached Cambridge Risk Solutions, it had recently separated from its former parent company and was establishing itself as an independent operation. Its primary client — a major automotive manufacturer — required ISO 22301 certification as a condition of the relationship. The pressure to achieve certification was real, and the timeline was not generous.

The organisation already held ISO 9001 certification and had an established quality management system. Rather than treating business continuity as a separate discipline bolted on alongside existing arrangements, Cambridge Risk Solutions persuaded the client to develop a fully integrated management system — a single set of documentation covering quality, business continuity, and ultimately information security. For an organisation of this size, that integration meant less duplication, clearer ownership, and a system that was genuinely manageable rather than theoretically comprehensive.

Building Capability, Not Dependency

From the outset, the approach was built around knowledge transfer. Business continuity only works if the people inside the organisation understand it, own it, and can act on it without waiting for an external consultant to tell them what to do. The internal lead — a quality manager with the background and capability to run a management system — was central to making that work. He understood what was required and why. Cambridge Risk Solutions provided the specialist expertise; he provided the institutional knowledge and day-to-day management.

When ISO 27001 became a requirement, the same approach applied. The learning curve was steeper — information security brings its own technical and organisational complexity — but the integrated system meant the foundations were already in place.

The exercising programme developed over the years into something genuinely distinctive. Desktop exercises became progressively more inventive, targeting different groups across the organisation and reflecting the specific operational realities of a proving ground environment — specialist equipment, safety-critical processes, and dependencies that don’t feature in generic BC scenarios. The quality of the scenarios attracted specific praise from the LRQA auditor during a UKAS-observed audit, who asked to see the latest exercise materials as an example of good practice.

Planning for Continuity of the Programme Itself

When the internal lead approached retirement, he did what good BC professionals do: he planned ahead. Cambridge Risk Solutions was brought in early to manage a structured handover, ensuring that the knowledge, relationships, and understanding of the management system transferred smoothly to his successor rather than walking out of the door with him.

That transition to contract support reflects the maturity of the programme. Cambridge Risk Solutions now manages and updates key documents, provides the annual exercising programme, supports BIA refresh interviews, and acts as a first point of contact for business continuity and information security queries as they arise. The system that was built to be owned internally continues to be — with specialist support available when it’s needed.

The Outcome

Certification has been maintained continuously since 2014 across both ISO 22301 and ISO 27001. The integrated management system has survived organisational change, a major personnel transition, and the ongoing operational demands of a highly specialised sector. The exercising programme continues to evolve each year.

It is, in the end, exactly what a well-run BC programme should look like: embedded, maintained, tested, and genuinely owned by the people who depend on it.
