Certification Within a Global Business: Integrated Management Systems for a Healthcare Data Specialist

Sector: Healthcare Technology | Scope: ISO 27001, ISO 22301, ISO 9001, integrated management system | Outcome: Triple certification maintained 2016–2020

Achieving ISO certification is straightforward enough when you control your own IT, your own HR, and your own infrastructure. It becomes considerably more interesting when you are a team of sixty people sitting inside a global corporation, where the systems you depend on are owned, managed, and governed by the wider organisation.

This was exactly the challenge facing this client — a specialist division of a large international business handling sensitive data on behalf of NHS clients. Demonstrating the information security credentials that their primary client required meant achieving ISO 27001 certification for a discrete part of a much larger whole.

The Scoping Challenge

The key to making certification achievable, and maintainable, was scope definition. Cambridge Risk Solutions worked with the client to define the certification boundary carefully: it encompassed the sixty-strong team and its specific operations, while the wider corporate functions the team depended on (HR, IT infrastructure, and others) were treated as external suppliers to the certified scope rather than as internal departments that merely fell outside it. ISO 27001 (clause 4.3) requires the scope to account for exactly these interfaces and dependencies on other parts of the organisation, so the boundary was drawn to make them explicit rather than to leave them unaddressed.

This was not a workaround. It was a technically sound and auditably defensible approach that reflected the reality of how the organisation operated. Those corporate functions were then subject to supplier auditing within the management system: the requirements placed on them were defined and their delivery was assessed against those requirements, in the same way the standard's supplier-relationship controls treat any third party, rather than being assumed adequate simply because they belonged to the same corporate family. It is an approach that requires confidence in the scoping rationale and the ability to construct audit arguments that will withstand scrutiny. It worked.

Growing the System

ISO 27001 certification was achieved, giving the client the information security credentials needed to demonstrate to NHS commissioners that sensitive patient-adjacent data was being handled appropriately. As the relationship developed, the scope of work expanded.

ISO 22301 was added, addressing business continuity for a team whose clients depended on service continuity for operationally critical functions. Then, when the opportunity arose to consolidate, Cambridge Risk Solutions took on the documentation aspects of the existing ISO 9001 system — bringing all three standards into a single integrated management system with a coherent set of documentation, consistent processes, and unified audit trails.

For a small team within a large organisation, that integration was significant. It meant one system to maintain rather than three, with the efficiency gains that brings — and a cleaner, more credible story to tell during external audits.

The Outcome

Certification across all three standards was maintained from 2016 to 2020. The relationship came to a natural end following a merger that restructured the client’s sales operations — a reminder that in the world of professional services, the quality of the work and the continuity of the relationship are sometimes subject to forces entirely outside either party’s control.

The scoping approach developed for this client — treating internal corporate functions as auditable suppliers within a carefully defined certification boundary — remains one of the more technically interesting problems Cambridge Risk Solutions has solved, and a useful reference point for any organisation facing similar questions about how to achieve meaningful certification within a complex corporate structure.

Get In Touch

Whether you're starting your Business Continuity journey or looking to enhance your existing risk framework, we're here to help. Get in touch today for a no-obligation conversation with our expert team.