
ISO 27001 certification for a multi-academy trust in six months
A UK multi-academy trust covering 14 schools and 8,500 pupils needed ISO 27001 certification to win a multi-year DfE-adjacent contract. Previous attempts had stalled on documentation overload. We delivered it in six months with zero major non-conformities.
The challenge
A UK multi-academy trust running 14 primary and secondary schools, 8,500 pupils and 950 staff was bidding for a multi-year DfE-adjacent contract that mandated ISO 27001 certification of the awarding entity by an accredited body. The award decision was scheduled in seven months.
Two prior attempts had stalled. The first hired a consultant who delivered 230 pages of policy that nobody read. The second tried to do everything in-house and got buried in evidence-collection sprawl across 14 distinct school environments.
The brief was simple: pass the audit on the first attempt, do not exhaust the leadership team, and leave the trust with an ISMS they can run themselves once we are gone.
Our approach
Scope: small first, expand later
We scoped the ISMS around the central trust function plus one representative pilot school rather than all 14. This gave us a defensible certification scope with a clear roadmap for adding the other schools at recertification, and kept the evidence-collection burden realistic.
Tooling: one platform, one source of truth
We built the ISMS on Vanta with custom controls mapped to ISO 27001:2022 Annex A. Policy, control evidence, risk register, internal audit and management review all lived in one place that the leadership team could log into and read in their browser.
Awareness: 220 staff, four short modules
Rather than a single 90-minute training video, we built four 12-minute role-based modules (admin, teaching, leadership, technical) and ran two simulated phishing campaigns with the central team. Click rates dropped from 28 percent to 4 percent.
Audit prep: rehearsed, not feared
We ran two internal audits and a full management review with the trust CEO and the audit committee chair before the certification body even arrived. By stage 2 the team knew what to expect, where the evidence lived and how to answer the questions in plain language.
Results delivered
- Certified to ISO 27001:2022 within 6 months of kick-off
- Zero major non-conformities and three minor observations at stage 2 (all closed within 30 days)
- Won the multi-year contract that triggered the programme
- ISMS now self-run by the trust IT manager (1 day per month sustaining effort)
- Cyber insurance premium reduced by 18 percent at renewal
- Roadmap in place to add the remaining 13 schools to the certified scope by year three
“FACG ran the audit room. We turned up, answered questions and watched the system speak for itself. The fact that our IT manager now runs it solo is what makes this a real win.”