How CoreStream GRC achieved ISO27001 certification in just 6 weeks (Case study by The British Assessment Bureau)


By Esme Dyos

CoreStream GRC recently achieved ISO 27001 certification with BAB. Very much a natural step for the company, CoreStream GRC themselves provide software products based around Governance, Risk and Compliance (GRC) including IT Risk Management, Compliance Management, Third-Party Risk Management, and many more.

Why?

Because information security is no longer a side concern for technical teams. It is a business issue, a board issue, and increasingly a trust issue. The UK government’s 2025 Cyber Security Breaches Survey found that 43% of businesses identified a cyber breach or attack in the last 12 months, which equates to around 612,000 UK businesses. A 2025 Cost of a Data Breach report put the global average cost of a breach at $4.44 million.

“Cyber security is now critical to business longevity and success.”

The National Cyber Security Centre

In conversation with Richard Eddolls: How CoreStream GRC achieved ISO 27001 certification in just 6 weeks

Here, we talk to Richard Eddolls, who was responsible for implementing the information security management standard, about how their GRC Platform helped them achieve certification in just 6 weeks.

Recognizing a market need for a solution to help organizations navigate growing regulatory and ethical obligations, CoreStream GRC developed its intuitive and flexible GRC Platform to enable customers to effectively document and manage their policies, risks, processes, and controls.

Achieving ISO 27001 certification provided CoreStream GRC with an opportunity to demonstrate their commitment to best practices while gaining credibility through third-party validation. Additionally, the certification process allowed them to experience their own software as a client would, offering valuable insights for continuous improvement.

The ISO 27001 certification process

Initially, CoreStream GRC were visited by The British Assessment Bureau (BAB) for their Stage 1 audit. This visit is intended to establish what organizations already have in place, leaving the client with a Gap Analysis and an action plan to move forward with.

Richard Eddolls at CoreStream GRC explained how their preparation began:

“The Stage 1 visit from BAB showed us what deficiencies we had when it came to meeting ISO 27001’s requirements. Whilst we had much in place already, there were some tweaks here and there which would clearly lead to improvements. It was then we used our GRC platform software, which gave us the functionality to record non-conformities and set actions. It meant nothing could be missed, so we could approach our formal Stage 2 audit with confidence.”

Every thriving business inevitably experiences growing pains at some stage. As operations expand, it can become increasingly challenging to define clearly who is responsible for what, when, and how, which creates opportunities for issues to arise. These issues range from minor inefficiencies that hinder productivity to more significant problems that may upset clients and damage the company’s reputation. Protecting their reputation is a top priority for CoreStream GRC, making this a key motivator for their actions.

A successfully implemented management system such as ISO 27001 restores that confidence, minimizing mistakes and the re-work needed to address them. No wonder then, at a time when information security blunders regularly hit the headlines, that ISO 27001 has grown in popularity.

Once ready, it was time for CoreStream GRC to be visited again by an auditor, this time for the formal Stage 2 audit. Richard shared his thoughts:

“Despite a number of us working in risk and compliance for several years, we were a little nervous about being the focal point of an audit ourselves. We needn’t have been concerned. As with the Stage 1 audit, the auditors were incredibly helpful and went beyond merely looking for non-conformities by discussing with us ways in which we might improve our management system. Our GRC platform also made the audit process more efficient, being able to access a single system containing all our policies, processes, risks and controls.”

Successfully achieving ISO 27001 certification first time round without any issues was testament to Richard, his colleagues and, of course, their GRC Platform. He explained how CoreStream GRC were keeping on top of things moving forward:

“As our Information Security Management System (ISMS) has matured, our platform is used to build a policy library, providing a permission-controlled online repository for all interested (and authorized) parties to access. Our risk assessment program is also managed by our platform, supporting the identification, categorization and scoring of risks to information security. Simply put, the people that need access, can access the right things with a clear picture of where we are overall; it saves us an enormous amount of time.”

He added:

“Fully populated, our platform now supports our operational ISMS. Audit assessments, issue and remedial action management and policy and processes reviews are all conducted using a single platform, avoiding the complexity of using disparate systems. Our Senior Leadership team is able to monitor performance of our ISMS via a reporting dashboard which provides real-time information on the state of compliance at any point in time. In addition, all business processes documented in the system are now ready for reuse, effectively accelerating the management of other internal or regulatory requirements.”

The elimination of needless duplication will stand CoreStream GRC in good stead, as they’re planning to implement other ISO standards – which all share a common structure – in the future.

Richard commented:

“Implementing ISO 27001 with our platform was a great way of practicing what we preach! Better yet, it helped us achieve certification from scratch in only 6 weeks. Now, we’re delighted to be able to show our clients that we meet an internationally recognized standard; hopefully reminding them that they made the right choice in choosing us.

“From an internal point of view, we can now take on the other standards safe in the knowledge that the impact of doing so is reduced. Our longer-term aim is to ensure that all controls implemented within our business (possibly as a result of regulation or legislation) are documented and assessed in the same way, increasing the value of having a single, collaborative system.”

CoreStream GRC are offering a bespoke demonstration to fellow BAB clients of their GRC platform to show how it can save time and hassle in managing ISO certification and other regulatory or ethical requirements. You can contact CoreStream GRC directly here.


About Rich Eddolls

Richard is a co-founder and Platform Director at CoreStream GRC, where he’s redefining the way organizations approach governance, risk, and compliance. With 20 years of experience in business-driven GRC system design and a background at Deloitte, Richard is all about challenging the status quo and delivering technology that actually works. As the visionary behind the CoreStream GRC platform, he’s committed to building solutions that don’t just promise change—but deliver it.

Connect with Rich on LinkedIn here.

FAQs on fast track to ISO 27001

How did CoreStream’s GRC Platform support the certification process?

CoreStream’s GRC Platform was central to the process, providing features like:

  • A policy library with controlled access for authorized users.
  • Tools for risk identification, categorization, and scoring.
  • Automated issue tracking and remedial action management.
  • Real-time dashboards for performance monitoring and compliance tracking.

By integrating all processes in a single platform, CoreStream GRC avoided duplication and improved efficiency throughout the certification process.

How does CoreStream’s GRC Platform benefit other organizations pursuing ISO 27001?

CoreStream GRC offers demonstrations of its GRC Platform to show how it can help organizations manage ISO certifications and other regulatory requirements efficiently. Key benefits include:

  • Simplified documentation and compliance tracking.
  • Real-time visibility into ISMS performance.
  • Integration of business processes to reduce duplication.
  • A collaborative environment for continuous improvement.

Organizations interested in learning more can contact CoreStream GRC directly for a bespoke demonstration.

What were the key benefits of ISO 27001 certification for CoreStream GRC?

  • Enhanced Credibility: Certification validates CoreStream GRC’s commitment to information security, strengthening client trust.
  • Streamlined Operations: The GRC Platform eliminated redundancies, saving time and reducing complexity.
  • Future Readiness: CoreStream GRC can now pursue additional ISO standards more efficiently, thanks to the reusable structure of their ISMS.
  • Improved Risk Management: A centralized system for managing policies, risks, and processes helps mitigate security threats.

What is the difference between Stage 1 and Stage 2 audits for ISO 27001?

Stage 1 Audit: A preliminary review to identify gaps in compliance and provide a roadmap for improvement.

Stage 2 Audit: A formal evaluation to confirm that all ISO 27001 requirements have been met.

CoreStream GRC used insights from the Stage 1 audit to address gaps, ensuring readiness for the Stage 2 audit.

What is ISO 27001, and why is it important?

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It outlines best practices for managing data security risks, protecting sensitive information, and ensuring business continuity. Achieving ISO 27001 certification demonstrates an organization’s commitment to safeguarding information and building trust with clients.
