Understanding risk and delivering quality are fundamental to the success of our business, so we invest in continuous improvement of our internal systems and standards. Over recent years, we’ve implemented a number of management systems which are certified to recognised British and international standards, and are rigorously assessed by external experts on a regular basis. They assess the strength of processes and controls related to specific sustainability topics identified in our materiality matrix.
We’re currently certified to the following standards, the certificates for which can be found in our download centre:
ISO 9001 (held since 2011)
Our Ministry of Defence (MoD) account team achieved ISO 9001, the standard for quality management systems, in 2011 to meet the client's requirements. This enhances the robust risk and quality management processes we already have in place.
ISO 14001 (held since 2008)
ISO 14001 is the standard for Environmental Management Systems (EMS), and was the first external standard that we achieved. The EMS provides assurance that we’re managing the environmental impacts of our business activities in line with our environmental policy and objectives. ISO 14001 is an important standard for clients in particular, who frequently request it during the tender/bid process as evidence of a minimum level of commitment to improving environmental performance.
ISO 20000-1 (held since 2014)
Last year we achieved ISO 20000-1, the standard which assesses our IT Service Management System. It’s an important standard for our clients as it assesses 'the design, transition, delivery and improvement of services that fulfil service requirements'; and helps ensure effective operation and delivery of the IT services our clients expect of a professional services firm.
ISO 22301 (held since 2013)
ISO 22301 specifies requirements for implementing, operating and improving a Business Continuity Management (BCM) system. Business continuity is clearly a critical requirement for our business, which frequently involves handling and analysing large volumes of sensitive commercial and personal information. Holding this standard offers stakeholders confidence that we’re continuing to ensure that it is both safeguarded and available at the right times. We’d previously held ISO 25999 since 2009.
ISO 27001 (held since 2011)
ISO 27001 focuses on implementing management controls to protect information assets across the firm. Information security is a high priority for our clients, and consequently has a high weighting on our sustainability materiality matrix. For this reason, we introduced a metric to our scorecard in 2012, reflecting the number of non-conformities to the standard that our external assessors report.
ISO 50001 (held since 2012)
Energy consumption accounted for approximately 22% of our overall carbon footprint at the end of June 2014, and is also a key area of cost for the business. Achieving ISO 50001, the standard for energy management systems, has helped us to measure and understand our use of energy across the business, and to ensure that we continue to focus on reducing it in line with our environmental commitments for 2017.
OHSAS 18001 (held since 2011)
As a professional services firm, we’re not typically exposed to the same sorts of safety risks as companies in other sectors, such as oil exploration, manufacturing or extraction. However, we are a people-based business, and do face some health and safety challenges which are more specific to the office environment, such as stress, or strains from working with computers for extended periods. Holding OHSAS 18001, the standard for occupational health and safety management systems, helps us to challenge ourselves to make sure that our people are appropriately cared for in the delivery of their work from our offices.
BS 10008 (held since 2012)
Last year, our scanning team achieved certification to BS 10008, a standard which is designed to deal with issues relating to the authenticity and integrity of electronic information which may be used as legal evidence. While the standard has only been introduced very recently, it has broader implications for our information management.
Our assessors, BSI, typically report the conclusions of their audits in four categories:
| Major non-conformity | A major nonconformity is a situation that raises significant doubt about the ability of the firm’s information security management system to achieve its intended policy and objectives. |
| Minor non-conformity | A minor nonconformity is a single identified lapse which would not in itself raise significant doubt as to the capability of the firm’s information security management be a useful tool to identify areas for additional improvement. |
| Observation | Indicator of potential risk, but no immediate implication for certification, and no requirement for it to be addressed. |
| Opportunity for improvement | A recommendation which, in the opinion of the auditor, could deliver incremental improvement to the system. |
We use the auditor’s findings to identify any potential weaknesses and prioritise areas for improvement.