From Startup to King's Award: Eight Years of Compliance and Data Protection Support for a Tech Company Making a Difference

Sector: Technology | Scope: ISO 27001, ISO 9001, ISO 14001, outsourced DPO | Outcome: Triple certification, King's Award for Enterprise

Some clients stay with you not just because the work is good, but because what they do matters. This is one of those.

Cambridge Risk Solutions has worked with this client — a technology company whose app makes travel genuinely accessible for disabled and assisted passengers across the UK rail network — since 2018. What began as an ambitious, slightly overwhelming certification project for a seven-person startup has evolved into a long-term compliance partnership that now spans three ISO standards, an outsourced Data Protection Officer role, and nearly a decade of shared history.

The Starting Point

When the client first made contact, the app was not yet live, the team numbered seven people across five nationalities, and the ambition was considerable: they wanted to achieve ISO 9001, ISO 22301, ISO 20000, and ISO 27001 simultaneously. Cambridge Risk Solutions began the work, and the Stage 1 audit was passed. But it was also the moment for an honest conversation.

Pursuing four standards simultaneously is a significant undertaking for any organisation. For a startup still establishing its core operations, the cost, complexity, and management burden would have been substantial — and potentially counterproductive. Having reviewed the contractual requirements carefully, the client decided to focus on a single standard. ISO 27001 was the right choice: the most directly relevant to a technology business handling sensitive passenger data, and the one most likely to be required by future clients and partners.

Certification was achieved with no non-conformances — the standard Cambridge Risk Solutions sets for every client.

The Difficult Middle Years

Growth is rarely linear, and the years that followed were honest ones. As a small business managing costs carefully, the day-to-day maintenance of the management system competed with other priorities. Staff turnover meant that institutional knowledge walked out of the door more than once. The pattern that emerged — a call shortly before the annual audit, a concentrated effort to get things back in order, certification maintained — was functional, but it was not sustainable.

It is a pattern Cambridge Risk Solutions recognises in many growing organisations. The will to maintain compliance is genuine; the capacity to do so consistently, without dedicated internal resource, is the challenge.

A Change in Approach

When the member of staff responsible for the management systems moved on, the client made a deliberate decision to do things differently. Rather than recruiting internally or reverting to the pre-audit panic cycle, they formalised the relationship with Cambridge Risk Solutions through a structured support contract covering ongoing maintenance, staff awareness communications, and audit preparation across all three standards — ISO 27001, ISO 9001 (added as the business matured), and ISO 14001 (added ahead of expansion into a new market).

Cambridge Risk Solutions was also appointed as the company’s outsourced Data Protection Officer — a role that reflects both the trust built over years of working together and the increasing importance of data protection compliance for a business handling sensitive information about vulnerable passengers.

The Outcome

The client has achieved and maintained certification across three ISO standards. The management systems that once caused pre-audit anxiety are now maintained on a rolling basis, with regular staff awareness communications keeping compliance visible across the organisation year-round.

In 2024, the client received the King's Award for Enterprise, one of the most prestigious business honours in the UK. It was a moment of genuine pride, not just for the organisation, but for everyone who has been part of its journey.

Being told you are part of the family is not something that appears on an audit report. But it is, perhaps, the most meaningful measure of a client relationship.
