Your Questions, Answered
No jargon. Just what you need to know.
Whether you’re preparing for certification, reviewing suppliers, or planning your next audit — these are the questions we hear most often.
Is ISO 22301 a legal requirement?
No, but it helps meet regulatory expectations and supports contracts that require formal business continuity measures.
How is ISO 22301 different from risk management?
Risk management is broader and covers any kind of risk to the business. ISO 22301 focuses specifically on business continuity: preparing for, responding to, and recovering from disruptions so that your critical services keep running.
Can small businesses benefit from ISO 22301?
Yes — it helps small businesses plan ahead and maintain service if something unexpected happens.
How long does certification take?
Most businesses complete implementation and certification within 3 to 6 months, depending on complexity and resource availability.
Do we need special software to implement ISO 22301?
No — although tools can help, it’s more about clear planning, documentation, and team readiness.
Do I need ISO 27001 certification to be compliant with GDPR?
No. GDPR does not name any particular standard. But ISO 27001 supports GDPR compliance by giving you a recognised framework for the technical and organisational measures GDPR expects you to have in place to protect personal data.
How long does it take to get certified?
It depends on your current setup, but most small to medium organisations can prepare in 3 to 6 months.
Does ISO 27001 include cyber security?
Yes. Its controls cover technical, physical, people, and organisational measures, so it reduces cyber risk alongside wider information security risks and improves your overall security posture.
Can we implement ISO 27001 without a consultant?
Yes, but a consultant saves time, avoids common pitfalls, and helps ensure your system meets the standard from the start.
Is ISO 27001 only for large businesses?
No — ISO 27001 is suitable for businesses of any size that handle sensitive data or want to improve security.
Is ISO 42001 only for tech companies?
No — any organisation using AI or automation can benefit, not just those building AI systems.
Is ISO 42001 a legal requirement?
Not yet. But it aligns closely with emerging AI regulation such as the EU AI Act, and helps you stay ahead of those requirements.
Do we need ISO 27001 before implementing ISO 42001?
No. But if you already hold ISO 27001, ISO 42001 follows the same management system structure, so it can be integrated with what you already have.
What kinds of AI systems does it apply to?
It applies to any AI system your organisation develops, provides, or uses, including machine learning, automation, and data-driven decision-making tools.
How does ISO 42001 improve AI transparency?
It helps organisations explain how AI decisions are made and manage the risks those decisions might carry.
Is ISO 9001 only for manufacturing?
No — it applies to any business that wants to improve quality, consistency, and customer satisfaction.
Do we need a full-time quality manager?
No — small teams can manage ISO 9001 effectively with the right structure and support.
Is ISO 9001 certification mandatory?
No, but it’s often required in tenders and by clients in regulated or high-value sectors.
Can we write our own quality manual?
Yes — and CSC2 can help ensure it’s simple, useful, and meets certification requirements.
How long does ISO 9001 certification take?
Most businesses complete it within 3 to 6 months, depending on readiness and resources.
Is Cyber Essentials mandatory?
No — but it’s required for some UK government contracts and increasingly expected in supply chain security.
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire that is reviewed by a certification body. Cyber Essentials Plus covers the same controls but adds hands-on technical testing by an external assessor, such as vulnerability scanning of a sample of your devices.
How long does certification take?
Most organisations complete certification within a few days to weeks, depending on readiness and available evidence.
Can small businesses achieve certification easily?
Yes — Cyber Essentials is designed to be achievable for small organisations with limited IT resources.
Do we need to buy specific software or systems?
No. Cyber Essentials focuses on applying five basic controls effectively (firewalls, secure configuration, user access control, malware protection, and security update management), not on expensive tools or specific vendors.
Do you work directly for certification bodies?
Yes — CSC2 provides subcontracted auditing services for UKAS-accredited certification bodies across multiple ISO standards.
Can you audit our internal systems before certification?
Absolutely. We offer independent, pre-certification audits to help you identify gaps and prepare with confidence.
Is this the same as consultancy?
No. Auditing must be impartial and independent. We can also offer consultancy separately, but never to the same organisation at the same time as we audit it.
Which standards do you audit against?
ISO 27001, ISO 9001, ISO 22301, and others by agreement. We’ll only take on audits within our approved scope.
Can you audit our suppliers?
Yes — we carry out supplier audits to check compliance, risk, and readiness, tailored to your requirements.
Do I need to certify all sites or departments?
No — you can certify specific locations, departments, or scopes depending on your business needs.
Can we combine multiple ISO standards into one system?
Yes — integrated management systems are common, especially for related standards like ISO 27001 and ISO 9001.
How much time do we need to set aside internally?
That depends on your size, goals, and current systems. We’ll help you keep it realistic and manageable.
What if we don’t pass the certification audit?
You’ll receive a report listing the nonconformities found. CSC2 helps you put corrective actions in place quickly and prepare for reassessment.
Do we have to use specific software or platforms?
No — we’ll work with what you’ve got or help recommend tools that fit your budget and needs.
Can you help with ongoing support after certification?
Yes — we offer retained support, refresher audits, and guidance for continual improvement.