Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions


0800 035 1231 (Mon to Fri 9am – 5pm)

Suite 3, The Cotton Mill, Torr Vale Mills, New Mills, Derbyshire, SK22 4HS, UK

ISO 27001 Certification Case Study

The client is a small, UK-based part of a large global company, and provides products and services to the NHS and other healthcare clients. The client deals with a quantity of Patient Identifiable Data in both electronic and paper-based formats, and therefore needs assurance that this data is being handled correctly.

The Problem

The client wanted to gain ISO 27001 certification in order to better demonstrate that information security controls are in place, and to assist with meeting the requirements of the NHS Information Governance Toolkit. ISO 9001 certification was already held, but it was recognised that this would soon need updating to comply with the revised standard.

IT and other head office functions are centralised and based outside the UK, leaving the client with little or no direct control over, for example, the IT processes.

Our Approach

Cambridge Risk Solutions worked closely with the client and their Quality consultant to develop a comprehensive Information Security Management System (ISMS), enabling the client to proceed with certification. The ISMS was documented in such a way that the core documentation could be easily adapted to encompass the quality aspects that would be required for ISO 9001:2015.

Additionally, audit processes were identified which would enable the client to gain assurance that centralised functions, such as IT, were correctly following their own procedures, thus satisfying the risk treatment and control requirements.

The benefits

We were delighted when the client successfully achieved ISO 27001 certification. This demonstrates that information security is in place and is being maintained. Additionally, it has assisted with the tender process, and will assist when the client decides to go for a higher rating on the NHS Information Governance Toolkit.

Cambridge Risk Solutions has since provided further assistance, for example guidance on the controls that the client needs to seek from suppliers and potential outsourcing partners.

Get In Touch

We are always happy to answer any questions you may have; please contact us either by telephone or by filling in the form below.

Please ensure that you do not divulge any sensitive data as this webpage is not secure.

When we decided to go for accreditation to BS25999, we knew we would need outside help. We chose Cambridge Risk because they represented the best balance of professionalism and pragmatism.


  • Business Continuity Planning

    Effective planning that takes into account risk evaluation and business impact analysis, supported by clear and concise crisis management. We work with you to develop user-friendly plans.

  • Business Impact Analysis

    The Business Impact Analysis (BIA) is one of the most important, and least well understood, stages of the Business Continuity Management Lifecycle; we can assist with your BIA.

  • Training and Exercising

    No Business Continuity Management programme is effective without a significant element of training. Moreover, ongoing Crisis Management training and exercising is key. We can provide objective training and exercising.

  • Risk Evaluation and Control

    Risk evaluation and treatment provide a process to identify, prioritise and manage your risks. Cambridge Risk Solutions can assist with risk management for business operational and information security risks.

  • Statement of Applicability

    Which controls do you need to have in place? How do you link your risk assessment process into your SoA? How do you ensure that you have effective controls in place? We can assist with your SoA.

  • Integrated Management Systems

    Management Systems assist with your on-going management, maintenance and continual improvement. We work with you to develop a fully integrated management system, enabling certification to ISO 22301 and ISO 27001.