Client Results
Eight case studies across information security, business continuity, data protection, and regulatory compliance. Numbers where we have them. Context throughout.
Colliers: a sustained compliance partnership across multiple frameworks and years
Colliers is one of the world's leading real estate services firms. Over a sustained partnership, Secure Step Forward has supported them through the full cycle of building, maintaining, and improving their compliance posture as their business and the standards themselves have evolved.
"This recertification is a testament to our proactive approach to Business Continuity Planning."
Zoe Harris, Head of Compliance, Operations & Facilities, Colliers UK
Acas: The UK's national workplace relations service
Acas is the UK's national workplace relations service, operating across multiple offices and directorates and supporting around 1,000 staff. They had 17 approved Business Continuity Plans covering both office and directorate-level operations. The documentation existed and had board approval. The question was whether those 17 plans would actually hold together as a single, integrated response when it mattered.
The Acas Board wanted practical assurance, not further policy approval. Plans had never been tested as a coordinated enterprise-level response. Gaps in decision-making, escalation pathways, and cross-directorate coordination had not been surfaced under realistic conditions. With an IT Disaster Recovery exercise scheduled for February 2026, there was both a governance expectation and a practical deadline driving the need for validated improvement.
We designed a structured two-session exercise model built directly around Acas's existing BC artefacts and Business Impact Analyses, ensuring the exercise tested their actual plans rather than a generic scenario. Session 1 was a facilitated integrated tabletop exercise designed to surface the specific gaps in governance clarity, cross-directorate coordination, and escalation decision-making. Between sessions, we worked with Acas to implement targeted improvements to role definitions, decision flow, and communication pathways. Session 2 re-tested the same scenarios to validate that those improvements had taken effect, producing evidence of progress, not just a list of recommendations.
By Session 2, Acas had achieved measurably clearer enterprise-level escalation and decision structures, stronger coordination between offices and directorates, and defined communication pathways for critical decisions. The Board received a prioritised, RAG-rated improvement plan: actionable evidence of validated progress ahead of their February 2026 IT DR exercise. The engagement moved Acas from holding approved documentation to being able to demonstrate operational assurance.
Podium Analytics: sport-for-good foundation, data-led organisation
Podium Analytics is a sport-for-good foundation with an ambitious goal: to achieve ISO 27001:2022 certification with limited internal resources and no dedicated compliance function. For a data-driven organisation seeking to build trust with partners and funders, certification was not just a compliance milestone. It was a signal of credibility.
First-time ISO 27001 certification is notoriously difficult without specialist support. Most organisations attempting it alone either stall during ISMS development, fail their first audit, or build frameworks that become a maintenance burden rather than a genuine asset. Podium needed a route to certification that was both rigorous and sustainable for a lean team to own going forward.
We began with a structured gap analysis to understand exactly where Podium stood against the standard, then worked alongside their team to develop a streamlined ISMS tailored to their size and risk profile, not an enterprise-grade framework retrofitted to a smaller organisation. The focus throughout was on building something sustainable: policies and controls that their team could maintain, understand, and evolve without ongoing external dependency.
Podium Analytics achieved ISO 27001:2022 certification at first attempt, with just one minor finding, an outcome that significantly exceeds industry averages for first-time candidates. Critically, the ISMS they now hold is designed to grow with their organisation, providing a platform for future compliance activity rather than a static document.
"Secure Step Forward's expert guidance was instrumental in achieving our ISO 27001 certification. Their approach is practical, professional, and focused on building sustainable compliance, not just ticking boxes."
Damian Smith, CIO, Podium Analytics
Beale & Co: leading international law firm
Beale & Co is a leading international law firm for whom robust information security and business continuity are not just compliance requirements. They are client expectations and competitive differentiators. When they needed to strengthen their compliance position ahead of an ISO 27001:2022 transition and build a business continuity framework from scratch, they needed a partner who could deliver both without creating two parallel workstreams.
Beale & Co faced a dual challenge: preparing for the ISO 27001:2022 standard transition while simultaneously building a comprehensive business continuity framework that did not exist in integrated form. Existing IT disaster recovery runbooks were fragmented across departments, and the firm had no unified Business Impact Analysis or company-wide Incident Response Plan. With an external auditor already on the horizon, the window to close these gaps was limited.
We approached the engagement as a single integrated programme rather than two separate projects. A comprehensive internal audit identified the priority gaps in their ISO 27001 compliance posture and provided a clear implementation roadmap. In parallel, we designed and built a complete resilience framework: a full Business Impact Analysis, a company-wide Incident Response Plan, department-level Business Continuity Plans, and an integrated IT Business Continuity Plan that replaced the existing disparate runbooks with a single coherent structure.
Beale & Co emerged from the engagement with a significantly strengthened compliance posture and a fully integrated business continuity framework, one that their external auditor specifically noted. The internal audit findings provided a clear prioritised roadmap, and the new BC framework replaced fragmented documentation with a structure that works as a single coherent response plan.
"Thanks for your help with this piece of work, which made a good impression with the auditor."
Amanda Norton, Head of Risk and Compliance, Beale & Co
Birketts LLP: leading UK law firm
Birketts LLP is a leading UK law firm with an established in-house compliance team and a strong existing foundation across multiple ISO standards. They were not looking for someone to take over their compliance function. They needed expert independent oversight that would give their team confidence their frameworks were genuinely effective in practice, not just technically compliant on paper.
For organisations with capable internal compliance teams, the challenge is not building the framework. It is validating it independently. Without external challenge, even well-run compliance programmes can develop blind spots, and internal teams can lose objectivity about their own frameworks over time. Birketts needed a partner who could provide rigorous independent audit and realistic incident response testing without disrupting the team's ownership of their own programme.
We worked alongside Birketts' in-house team without displacing their ownership of the programme. Our internal audits were targeted at the specific areas most likely to surface practical gaps rather than technical documentation issues, and our incident response testing was designed to replicate realistic scenarios rather than scripted exercises. Insights were shared collaboratively, with the team's deep business knowledge informing how findings were interpreted and prioritised.
The engagement delivered a strengthened compliance framework with specific, actionable findings from both audit and testing activity. Birketts' in-house team were freed to focus on strategic priorities with confidence that their frameworks had been independently validated. The lessons learned from testing informed tangible improvements to their incident response posture across multiple standards.
Trafford & Stockport College Group: multi-campus further education
Trafford and Stockport College Group operates across multiple campuses, each with distinct operational requirements, student populations, and staff structures. Their existing business continuity policies and incident response plans had become outdated. In a sector where disruption directly affects students' education and wellbeing, having plans that actually work in practice is not optional.
Outdated BC plans create a specific risk in multi-site organisations: the plans that exist are often written for a single centralised structure and do not translate to the operational reality of each location. Escalation criteria were unclear, roles were undefined, and the plans lacked the specificity that staff would need to act confidently during an actual incident. The College Group needed a revamp that could be implemented without disrupting live academic operations.
We rebuilt the College Group's business continuity policies and incident response plans from the ground up, with the educational environment and multi-campus structure as the design constraints rather than an afterthought. Clear escalation criteria were defined for each site, roles were assigned and documented, and the language was calibrated to the people who would actually need to use the plans under pressure: campus managers, not compliance specialists.
The College Group now holds Board-approved, site-specific business continuity plans with clear escalation pathways and defined roles across every campus. Implementation was completed without disruption to academic operations. Staff confidence in the plans has measurably improved, and the frameworks are structured to be maintained and updated without external dependency.
Lyca Mobile: one of the UK's largest MVNOs
Lyca Mobile is one of the UK's largest mobile virtual network operators, handling personal data for millions of customers across multiple jurisdictions. When an ICO audit covering more than 100 compliance areas was confirmed with a tight preparation window, they needed a partner who could move quickly, prioritise ruthlessly, and deliver results that would stand up to regulatory scrutiny.
ICO audits are not routine compliance reviews. They are detailed, evidence-based assessments that can expose gaps across data protection, governance, and operational practice simultaneously. With over 100 compliance areas in scope and a short preparation window, the risk of an unfocused response was significant: spreading effort across everything risks doing nothing particularly well. Lyca needed a structured approach that could identify the priority gaps and close them in the available time.
We began with a rapid but comprehensive gap analysis across all 100+ compliance areas, producing a prioritised action plan that distinguished between critical gaps requiring immediate remediation and areas requiring documentation rather than substantive change. The preparation programme was then structured around that priority stack, with a collaborative working model that kept Lyca's team informed and in control throughout.
Lyca Mobile achieved full compliance across all ICO audit areas. Beyond the audit outcome, the gap analysis and preparation process also identified and resolved a number of process inefficiencies that had previously added to the ongoing compliance maintenance burden. The governance framework they now hold is structured for future regulatory engagement, not just the audit that prompted it.
Greene King: one of the UK's best-loved hospitality brands
Greene King is one of the UK's best-loved hospitality brands, operating around 2,700 pubs, restaurants and hotels across the country. Building a business continuity framework that works across an estate that large, where each location has its own staff, operational dependencies, and community role, is a fundamentally different problem from building continuity plans for a centralised organisation.
A national hospitality business faces continuity risks that do not fit a standard framework: supply chain disruption, local incidents, IT outages affecting point-of-sale systems, and staffing crises can all materialise differently at a city-centre pub versus a rural hotel. A single top-down plan cannot account for that variability, but a plan designed purely at location level lacks the central oversight and consistency needed for the brand to respond coherently at scale.
We developed a scalable continuity framework built around the principle of structured flexibility: a consistent central architecture with clearly defined escalation and response protocols, combined with location-level recovery procedures that gave local managers the specific guidance they needed to act without waiting for central direction. Plans were thoroughly tested across representative business divisions, with findings used to refine the framework before rollout.
Greene King now holds a fully tested, scalable business continuity framework across their estate. Local managers have the guidance they need to respond to incidents at site level; central teams have the oversight and escalation structure to coordinate a brand-level response when required. Confidence in the plans has been validated through practical testing across multiple business divisions.