Quality · Security · AI · Resilience
CroftSpurr helps ambitious SMEs, startups and technology companies improve performance, protect information, govern AI and strengthen resilience through practical management systems.
From ISO 9001 and ISO/IEC 27001 to ISO/IEC 42001 and business continuity, we turn complex requirements into systems that work in the real world.
Methodology shaped by Dr Nigel Croft — former Chair of the ISO subcommittee responsible for ISO 9001 and ISO 9004.
Practical implementation informed by more than 15 years of founder and business management experience.
One coherent management system — not four disconnected projects.
ISO 9001: Quality
ISO/IEC 27001: Information Security
ISO/IEC 42001: AI Management
ISO 22301: Business Continuity
ISO/IEC 23894: Artificial Intelligence — Guidance on Risk Management
Why organisations come to CroftSpurr
They begin with a commercial problem, an important customer requirement or a level of risk they can no longer ignore.
A major customer, procurement team or tender requires evidence of quality, security or governance.
The organisation has grown beyond informal founder-led processes and responsibilities are becoming unclear.
Customers are asking difficult questions about information security, access, suppliers, incidents and data.
AI is already being used, but policies, responsibilities, risk assessments and oversight have not kept pace.
Too much knowledge sits with particular founders, employees or suppliers.
The organisation needs credible plans for outages, cyber incidents, supplier failures or other disruption.
Two forms of experience. One practical system.

International Standards Leadership
From 2010 to 2018, Nigel chaired ISO/TC 176/SC2 — the ISO subcommittee with responsibility for standards including ISO 9001 and ISO 9004. He later led international work on the harmonised structure used across ISO management system standards.
His influence on CroftSpurr is clear: focus on intended results, understand the organisation’s processes, apply risk-based thinking and avoid unnecessary bureaucracy.
Real Business Implementation
Matthew brings more than 15 years of experience as a founder, operator and business leader. He understands the reality of implementing systems inside growing companies: limited time, competing priorities, demanding customers and the need for commercial results.
His role is to translate management system principles into clear responsibilities, usable processes and practical evidence that fit the organisation.
Standards expertise shaped at international level. Implementation grounded in real business.
Our core expertise
Build consistent processes, improve customer confidence and create a stronger foundation for growth.
A structured approach to protecting information, managing security risk and answering customer assurance.
Accountable, transparent and risk-based governance for organisations developing, providing or using AI.
Prepare to respond to disruption, protect critical activities and recover more effectively.
AI Governance
Policies written after deployment are not enough. Organisations need to know where AI is being used, who is accountable, what could go wrong, who may be affected and how decisions will be reviewed.
ISO/IEC 42001: AI management system
ISO/IEC 23894 (Artificial Intelligence — Guidance on Risk Management): AI risk management
ISO/IEC 42005: AI system impact assessment
ISO/IEC 38507: Governance implications of AI
Identify AI systems, use cases, suppliers, owners and affected parties.
Evaluate reliability, bias, data, security, transparency, human oversight and potential impacts.
Define policies, responsibilities, approval routes, monitoring, incident handling and continual improvement.
Support at every stage
Executive discovery, context review, gap analysis, readiness assessment, risk review and a prioritised implementation roadmap.
Management system architecture, process mapping, policies and objectives, roles and responsibilities, proportionate documented information.
Leadership workshops, team engagement, control implementation, training and competence, evidence development, operational support.
Internal audits, supplier audits, readiness reviews, corrective action support, management review preparation, certification audit support.
Retained advisory, performance measurement, audit programme management, continual improvement, system integration, transitions.
We do not disappear after handing over a folder of documents.
The CroftSpurr method
It begins with what the organisation needs to achieve — not with a template.
Understand the context
Define the intended results
Map the real processes
Evaluate risks and opportunities
Build proportionate controls
Test effectiveness
Improve continually
No template theatre. No paperwork for its own sake. No management system that exists only on audit day.
Who we help
Build customer and investor confidence without importing enterprise bureaucracy too early.
Strengthen security, service delivery, quality and AI governance for demanding B2B customers.
Governance across AI design, development, supply, deployment, monitoring and change.
Control employee use, supplier risk, data exposure and decision-making impacts.
Replace informal practices with scalable, measurable systems.
Demonstrate credible management of quality, security, continuity and supplier risk.
Integrated management systems
Quality, information security, AI governance and business continuity often involve the same leadership team, processes, risks, suppliers and evidence.
CroftSpurr can design an integrated management system that reduces duplication and gives leaders one coherent view of performance and risk.
Independence
CroftSpurr helps organisations understand requirements, implement their management system, conduct internal audits and prepare for certification. Independent certification is carried out by a separate certification body. This separation protects impartiality and gives customers confidence in the result.
CroftSpurr does not sell or issue ISO certificates.
We can help clients understand how to select an appropriate independent certification body — but we never imply that certification is guaranteed.
Whether you’re responding to a customer requirement, preparing for certification, or trying to bring greater control to a growing organisation, begin with a practical conversation.