Rescuing a Failing ISO 9001 & ISO 27001 System Before Imminent Audit
Challenge / Problem
A competitor had implemented separate ISO 9001 (quality) and ISO 27001 (information security) systems for the client, but had spectacularly failed to provide any support, explanation, or guidance. They handed over access to a platform and a library of documents and then, in the MD’s words:
- “They set us up and downed tools.”
- “The systems are not understood, are causing frustration, anguish and despair.”
The systems were cumbersome, irrelevant to the business, and actively obstructing day‑to‑day operations. The MD summarised the situation bluntly:
- “I need this not to be a thorn in my side.”
To make matters worse, the company had unintentionally appointed a non‑UKAS certification body to both implement and assess the systems, resulting in weak design, poor transfer of knowledge, and a lack of independent credibility. Early comments from staff revealed the depth of the problem:
- “The system is falling over.”
- “It gets in the way of the day-to-day work.”
- “We’re trying to do things properly, but I’m guessing.”
- “The rest of the staff are in the same boat… they don’t understand it… and no-one has time.”
The small, close‑knit team felt overwhelmed by a poorly constructed and badly transferred management system.
As a result, during the year since initial certification:
- No audits had been carried out.
- No management review had taken place.
- No documentation had been updated.
- The system had not been applied in practice.
And now, the annual assessment was just weeks away. Urgency was at its highest.
Client Overview
The company was established to tackle the growing complexity of insurance claims administration and the delivery of financial information to the insurance market. Their work demands accuracy, confidentiality, and fast, reliable workflows, making an effective management system critical.
Approach and Solution
The first step was to create immediate breathing space and gain control of the situation. Diaries were cleared and an intensive rescue plan was initiated. Statius undertook:
- A comprehensive management review to understand gaps, risks, and priorities
- The drafting of a realistic but robust recovery plan
- Representation at the audit, defending the plan and current position to the certification body
This approach enabled the client to move from panic to structure, from confusion to clarity.
Outcome and Impact
Despite the starting position, certification was successfully retained, with only two non‑conformances raised, a significant achievement given the absence of audits, reviews, or system use over the previous 12 months.
More importantly, a longer‑term transformation plan was agreed, including:
- Creating a new integrated management system, ensuring it reflects real business processes, removes duplication and reduces effort
- Migrating away from the non‑UKAS certification body to a credible UKAS‑accredited provider
- Rewriting documentation in clear, accessible language understood by all staff
- Establishing a meaningful KPI framework aligned to operational and information security needs
- Training the whole team so staff understood not just what to do, but why it mattered
- Making the system lighter, faster, and easier to maintain, removing the ‘thorn in the side’ the MD described
The result was a complete shift in attitude and confidence. Staff engagement increased, clarity improved, and the organisation gained a pathway not just to retain certification, but to use it as a practical tool to support growth, efficiency, and client trust.