Feb 2026
ISO 27001:2022
As a Russell Group university, Queen Mary University of London (QMUL) has a reputation for excellence in all areas and wanted to demonstrate this in information security by achieving ISO/IEC 27001:2022 certification.
Results at a glance
QMUL achieved ISO/IEC 27001 certification in November 2025, following a successful Stage 2 BSI external audit.
Key results included:
- A fully implemented, certified ISMS aligned to ISO/IEC 27001:2022
- Clearer visibility and accountability for information risk, with defined risk owners and registers
- A more coherent policy framework, replacing overlapping and inconsistent documentation
- Stronger controls in areas including access control, change management and supplier security
- Increased confidence for funders, partners and regulators, backed by recognised certification
- A stronger culture of continuous improvement, supported by management reviews, internal audits and corrective action
The challenge
QMUL chose an ambitious scope: certification across the entire Information Technology Services (ITS) department. With many teams, services and stakeholders involved, the priority was clear: create consistent, repeatable security practices across ITS, and make them workable day-to-day.
What we did
Waterstons partnered with QMUL to deliver end-to-end ISO 27001 implementation and certification support, including:
- Gap analysis to establish the baseline and identify priority areas
- A prioritised roadmap covering quick wins, medium-term improvements and longer-term change
- Rationalising and updating the information security policy suite to align with ISO 27001
- Documenting key procedures required for compliance
- Establishing and operating the ISMS in line with the management system clauses (4–10)
- Planning and supporting implementation across the 93 ISO/IEC 27001 controls
- Training, awareness and readiness workshops to embed the ISMS and prepare for Stage 1 and Stage 2 audits
What the client said
“Waterstons were a brilliant partner throughout our ISO 27001:2022 journey, from the initial gap analysis through to implementation and external audit support. They were practical, calm and hands-on, helping us to maintain momentum, keep the programme on track, and ensure we met the standard. Their support gave us confidence that we were compliant and that our people were prepared at every step. Achieving certification following the external audit is a true reflection of the hard work and commitment across the University.”
Ambrose Neville, Head of Information Security