How CoreStream GRC achieved ISO27001 certification in just 6 weeks (Case study by The British Assessment Bureau)

26 Sep

The fast track to ISO 27001: How CoreStream achieved certification in just 6 weeks (Case study by The British Assessment Bureau)

CoreStream GRC recently achieved ISO 27001 certification with BAB. Very much a natural step for the company, CoreStream GRC themselves provide software products based around Governance, Risk and Compliance (GRC) including IT Risk Management, Compliance Management, Third-Party Risk Management, and many more. Here, we talk to Richard Eddolls, who was responsible for implementing the information security management standard, and how their GRC Platform helped them achieve certification in just 6 weeks.

Recognizing a market need for a solution to help organizations navigate growing regulatory and ethical obligations, CoreStream GRC developed its intuitive and flexible GRC Platform to enable customers to effectively document and manage their policies, risks, processes, and controls. Achieving ISO 27001 certification provided CoreStream GRC with an opportunity to demonstrate their commitment to best practices while gaining credibility through third-party validation. Additionally, the certification process allowed them to experience their own software as a client would, offering valuable insights for continuous improvement.

Initially, CoreStream GRC were visited by BAB for their Stage 1 audit. This visit is intended to establish what organizations already have in place, leaving the client with a Gap Analysis and an action plan to move forward with. Richard Eddolls at CoreStream GRC explained how their preparation began;

“The Stage 1 visit from BAB showed us what deficiencies we had when it came to meeting ISO 27001’s requirements. Whilst we had much in place already, there were some tweaks here and there which would clearly lead to improvements. It was then we used our GRC platform software, which gave us the functionality to record non-conformities and set actions. It meant nothing could be missed, so we could approach our formal Stage 2 audit with confidence.”

Every thriving business inevitably experiences growing pains at some stage. As operations expand, it can become increasingly challenging to clearly define who is responsible for what, when, and how—creating opportunities for issues to arise. These issues can range from minor inefficiencies that hinder productivity to more significant problems that may upset clients and damage the company’s reputation. Protecting their reputation is a top priority for CoreStream GRC, making this a key motivator for their actions.

A successfully implemented management system such as ISO 27001 gives back confidence, minimizing mistakes and the associated re-work from addressing them. No wonder then, at a time when there are regular information security blunders hitting the headlines, ISO 27001 has grown in popularity.

Once ready, it was time for CoreStream GRC to be visited again by an auditor, this time for the formal Stage 2 audit. Richard shared his thoughts;

“Despite a number of us working in risk and compliance for several years, we were a little nervous about being the focal point of an audit ourselves. We needn’t have been concerned. As with the Stage 1 audit, the auditors were incredibly helpful and went beyond merely looking for non-conformities by discussing with us ways in which we might improve our management system. Our GRC platform also made the audit process more efficient, being able to access a single system containing all our policies, processes, risks and controls.”

Successfully achieving certification ISO 27001 first time round without any issues was testament to Richard, his colleagues and, of course, their GRC Platform. He explained how CoreStream GRC were keeping on top of things moving forward;

“As our Information Security Management System (ISMS) has matured, our platform is used to build a policy library, providing a permission-controlled online repository for all interested (and authorized) parties to access. Our risk assessment program is also managed by our platform, supporting the identification, categorization and scoring of risks to information security. Simply put, the people that need access, can access the right things with a clear picture of where we are overall; it saves us an enormous amount of time.”

He added;

“Fully populated, our platform now supports our operational ISMS. Audit assessments, issue and remedial action management and policy and processes reviews are all conducted using a single platform, avoiding the complexity of using disparate systems. Our Senior Leadership team is able to monitor performance of our ISMS via a reporting dashboard which provides real-time information on the state of compliance at any point in time. In addition, all business processes documented in the system are now ready for reuse, effectively accelerating the management of other internal or regulatory requirements.”

The elimination of needless duplication will stand CoreStream GRC in good stead, as they’re planning to implement other ISO standards – which all share a common structure – in the future.

Richard commented;

“Implementing ISO 27001 with our platform was a great way of practicing what we preach! Better yet, it helped us achieve certification from scratch in only 6 weeks. Now, we’re delighted to be able to show our clients that we meet an internationally recognized standard; hopefully reminding them that they made the right choice in choosing us.

From an internal point of view, we can now take on the other standards safe in the knowledge that the impact of doing so is reduced. Our longer-term aim is to ensure that all controls implemented within our business (possibly as a result of regulation or legislation) are documented and assessed in the same way, increasing the value of having a single, collaborative system.”

CoreStream GRC are offering a bespoke demonstration to fellow BAB clients of their GRC platform to show how it can save time and hassle in managing ISO certification and other regulatory or ethical requirements. You can contact CoreStream GRC directly here.

FAQs

1. What is ISO 27001, and why is it important?
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It outlines best practices for managing data security risks, protecting sensitive information, and ensuring business continuity. Achieving ISO 27001 certification demonstrates an organization’s commitment to safeguarding information and building trust with clients.

2. How did CoreStream GRC achieve ISO 27001 certification in just 6 weeks?
CoreStream leveraged its Governance, Risk, and Compliance (GRC) Platform to prepare for ISO 27001 certification. The CoreStream GRC platform enabled the team to:

Document policies, risks, and controls effectively.
Identify gaps and record non-conformities during the Stage 1 audit.
Track and manage action plans for compliance.
Streamline the audit process with centralized, real-time access to critical data.

The platform’s efficiency, combined with focused preparation and a collaborative approach with The British Assessment Bureau (BAB), enabled CoreStream GRC to achieve certification quickly.

3. What is the difference between Stage 1 and Stage 2 audits for ISO 27001?

Stage 1 Audit: A preliminary review to identify gaps in compliance and provide a roadmap for improvement.
Stage 2 Audit: A formal evaluation to confirm that all ISO 27001 requirements have been met.

CoreStream GRC used insights from the Stage 1 audit to address gaps, ensuring readiness for the Stage 2 audit.

4. How did CoreStream’s GRC Platform support the certification process?
CoreStream’s GRC Platform was central to the process, providing features like:

A policy library with controlled access for authorized users.
Tools for risk identification, categorization, and scoring.
Automated issue tracking and remedial action management.
Real-time dashboards for performance monitoring and compliance tracking.

By integrating all processes in a single platform, CoreStream GRC avoided duplication and improved efficiency throughout the certification process.

5. What were the key benefits of ISO 27001 certification for CoreStream GRC?

Enhanced Credibility: Certification validates CoreStream GRC’s commitment to information security, strengthening client trust.
Streamlined Operations: The GRC Platform eliminated redundancies, saving time and reducing complexity.
Future Readiness: CoreStream GRC can now pursue additional ISO standards more efficiently, thanks to the reusable structure of their ISMS.
Improved Risk Management: A centralized system for managing policies, risks, and processes helps mitigate security threats.

6. How does CoreStream’s GRC Platform benefit other organizations pursuing ISO 27001?
CoreStream GRC offers demonstrations of its GRC Platform to show how it can help organizations manage ISO certifications and other regulatory requirements efficiently. Key benefits include:

Simplified documentation and compliance tracking.
Real-time visibility into ISMS performance.
Integration of business processes to reduce duplication.
A collaborative environment for continuous improvement.

Organizations interested in learning more can contact CoreStream GRC directly for a bespoke demonstration.

About Rich

Richard is a co-founder and Platform Director at CoreStream GRC, where he’s redefining the way organizations approach governance, risk, and compliance. With 20 years of experience in business-driven GRC system design and a background at Deloitte, Richard is all about challenging the status quo and delivering technology that actually works. As the visionary behind the CoreStream GRC platform, he’s committed to building solutions that don’t just promise change—but deliver it.

Connect with Rich on LinkedIn here.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.

Cookie	Duration	Description
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.