Case Study: How The Risk Factor achieved ISO 27001 certification in 4 weeks

The Risk Factor: ISO 27001 certification in 4 weeks
The Risk Factor is a boutique insurance brokerage headquartered in Leeds, UK. The company operates fully remotely and works with clients across the UK.
When a significant government contract required them to hold UKAS-accredited ISO 27001 certification, they needed to move quickly. They had a tight tender deadline, a remote-first team, and an existing GRC platform already populated with evidence.
What they needed was an audit partner who could work at pace, deliver a robust certification audit, and use the tools and evidence they had already prepared.
That led them to Tempo.
The challenge: a government tender deadline
The Risk Factor needed ISO 27001 certification to satisfy a tender requirement for a significant government contract.
This created three important requirements.
First, the certification had to be UKAS-accredited. This was not optional. It was part of the tender process and meant The Risk Factor needed a certification body whose certificate would stand up to scrutiny.
Second, the audit needed to happen quickly. The tender deadline meant there was limited time to plan, schedule, audit, close any findings, and issue the certificate.
Third, the audit needed to work for a remote-first business. The Risk Factor had already invested time into organising evidence inside their GRC platform, so they wanted a certification body that could make use of that work rather than forcing them into a slower, more traditional audit process.
After a few false starts with providers who were not set up to work in that way, Jason Rayner, Operations Director at The Risk Factor, was introduced to Tempo.
“From the first time Rob and I spoke, I got the immediate sense that we could work with these guys. The process felt human. They seemed professional but relaxed — an obvious culture fit for us — and they were confident working with a fully remote team and leveraging our GRC platform.”
Why Tempo: UKAS-accredited, remote-first and GRC-friendly
Jason first spoke with Rob Hall, Tempo’s CEO, on 9 February.
On that call, Rob explained how Tempo’s audit process works, what The Risk Factor would need to prepare, and how the audit could be delivered remotely. They also completed the application form together on the call, which is something Tempo likes to do where possible to reduce unnecessary admin for clients.
The process moved quickly from there. Straight after the call, The Risk Factor confirmed they wanted to proceed, and Tempo moved to schedule the audit dates around the client’s commercial deadline.
“The operations and organisation process was really slick. Rob had left me with such a strong first impression on our call. When he introduced us to Jamie Johnson, who ran Tempo’s ops, it was reassuring that there was obvious continuity in quality. It was a seamless process from the first conversation on who Tempo are and how we work, through to the actual delivery of the audit.”
The audit approach: remote, agile and built around their tools
As a remote-first insurance brokerage with no physical critical infrastructure in scope, The Risk Factor was well suited to a remote audit.
This made the process more convenient for their distributed team and helped keep travel time and expenses out of the audit process.
The audit was led by Robert Brown, one of Tempo’s most experienced auditors, with relevant experience across insurance and financial services.
Tempo took an agile audit approach. Audit days were scheduled, but evidence was reviewed asynchronously where possible, using the work The Risk Factor had already completed inside their GRC platform.
Rather than forcing everything into long blocks of live calls, Robert reviewed evidence in the platform at intervals. Meetings were then used where clarification, further evidence or discussion was needed.
This helped the audit stay efficient, structured and manageable alongside the client’s day-to-day responsibilities.
“The whole process was fantastic. From the opening meeting, the auditor made it clear that Tempo would leverage our GRC platform, and that I would have time to review any non-conformities while keeping an eye on my other responsibilities. Whenever required, we jumped on a call. Those sessions were great — Robert was really good at explaining everything. It felt collaborative and truly helpful, and was delivered in a way that helped us trace back findings and understand them.”
The timeline: from first call to certificate in 4 weeks
The Risk Factor needed to move quickly, so Tempo scheduled a 1-day Stage 1 audit for 17 February 2026.
That was just 8 days after Jason’s first call with Rob.
The Stage 1 audit went smoothly. The Risk Factor was well prepared, and Tempo issued a recommendation to proceed to Stage 2. Five areas of concern were noted, giving the team clear actions to address before the next stage.
The Stage 1 report was finalised and shared the next day, on 18 February, leaving The Risk Factor time to close out the areas of concern before Stage 2.
A 2.5-day Stage 2 audit was then scheduled between 2 and 4 March 2026, just under two weeks after Stage 1.
Only one minor non-conformity was identified during the Stage 2 audit. For a team going through ISO 27001 certification for the first time, and at speed, this was a strong result.
The auditor was able to recommend certification, subject to the non-conformity being closed through the corrective action plan process.
The Risk Factor completed their corrective action plan on 11 March and notified their auditor. Robert reviewed and accepted the corrective action plan the same day.
Because the audit report had already been finalised, and Tempo had completed the required internal technical and non-technical reviews, Tempo was able to issue the certificate and report together that same day.
The result
The Risk Factor went from first meeting Tempo to receiving their UKAS-accredited ISO 27001 certificate in 4 weeks.
The process moved at the speed required by the tender, while still remaining robust, professional and properly evidenced.
Key outcomes
- ISO 27001 certificate issued within 4 weeks of first speaking to Tempo
- Stage 1 audit scheduled 8 days after the first call
- Stage 2 audit completed less than two weeks after Stage 1
- Certificate and report issued within 7 days of Stage 2 finishing
- 1 minor non-conformity raised
- Remote audit delivered using the client’s GRC platform
“Honestly, I wouldn’t have thought I’d be so excited about an auditing partner. It was really important that the process moved at the speed we were looking for. What was so pleasing was that this was achieved in such a friendly and open manner. The audit was certainly robust, but it was a positive and engaging process that never felt onerous. By the end of the audit, we had a genuine sense of ‘we deserve this’, which was important given the amount of effort it had taken to prepare ourselves.”
A faster route to ISO 27001 certification
For The Risk Factor, ISO 27001 certification was not just a compliance exercise. It was a commercial requirement linked to an important government tender.
They needed a certification body that could move quickly, work remotely, use their existing GRC platform, and still deliver a rigorous UKAS-accredited audit.
That is exactly what Tempo was built to do.
If you need ISO 27001 certification and want an audit process that is structured, practical and designed around the way modern teams work, get in touch with Tempo.
Book a call
No forms, no faff – just a conversation and a quote. Prefer to skip straight to it? Fill out the application form and we'll get moving.
Alternatively, if you have all the details,
fill out this form here.


