How LearnSci demonstrates robust security management and streamlines partner onboarding with ISO 27001 certification

The Challenge

LearnSci partners directly with universities to provide digital educational resources, meaning that the business holds a significant amount of student, assessment and assignment data. The 2025 Cyber Security Breaches Survey found that 97% of higher education institutions identified a breach or cyber attack in the last year. As such, potential suppliers are held to stringent security requirements; achieving ISO 27001 certification was crucial for the business, enabling LearnSci to demonstrate its robust security practices.

Katy Aldrich, Operations Lead at LearnSci, said: “Universities integrate parts of our system into theirs, and we store student data on our side. We need to be really careful to protect that data. The universities have big procurement processes to go through when they’re licensing any new software, and ISO 27001 gives you a big tick there.”

“We wanted to be ISO 27001 certified to show that we take care of the data we’ve been given, and that we consider data security across the organisation.”

Katy Aldrich Operations Lead, LearnSci

Katy and the Learning Science team had tried to implement ISO 27001 using various document and policy templates. However, after implementation progress stalled, they realised they needed a tool with which they could build a complete, effective information security management system (ISMS) and align it with ISO 27001 best practice requirements.

“We’d tried a few different things; nothing was really working, and we weren’t making any progress. We tried a couple of policy template packs, but we didn’t have the infrastructure within the company and the background of risk registers and asset registers. We needed something that provided more than just a starting point for the policies.”

Katy Aldrich Operations Lead, LearnSci

The Solution

The business implemented ISMS.online to manage ISO 27001 compliance, using the platform to centralise policies, tasks, risk management, evidence collection and more. Working with their dedicated Customer Success Manager and using ISMS.online’s Assured Results Method (ARM), LearnSci took a step-by-step approach to compliance, truly embedding information security across the business.

“The pre-written policy and control templates provided a good scaffolding – 90% of what we needed was there. We could remove parts that weren’t relevant to us and add in things that were.”

Katy Aldrich Operations Lead, LearnSci

Katy added: “Starting with nothing and trying to work out how to align the standard, which is written in a very specific way, and then interpreting that into our company, would have been much harder. Having that starting point was really important for us.”

LearnSci also made use of the platform’s policy packs feature to foster a culture of compliance awareness. How the business uses policy packs aligns directly with ISO 27001’s employee training and awareness requirements and helps LearnSci to ensure employees across the organisation know their information security roles and responsibilities.

“We use ISMS.online to share key policies; when new people start, we send them a policy pack which has 15 or 20 key policies they need to consider in their day-to-day work. Then we can regularly re-publish that policy pack and get everyone to check they’re still familiar with the policies, because you could easily read something and then forget about it. That was helpful during our certification audit, because we could prove that we put the relevant policies in front of people, and they read them.”

The Result

“Following the ARM method helped us identify the areas we needed to concentrate on to progress.”

Katy Aldrich Operations Lead, LearnSci

The LearnSci team built out their ISMS and embedded information security processes into the business across the course of three years, and successfully achieved ISO 27001 certification first-time in 2025.

“By the time we got to the audits, we had a system that we had been building on for a couple of years, worked well for us, and that we knew our way around. The whole company was familiar with the platform because we’d had a couple of rounds of getting them to read their policy packs and getting other people involved to record risks or use the incident tracker,” Katy said. “So, when auditors asked us about something, we could point them in the right direction. They commented that it was really well set up.”

Being ISO 27001 certified is expected to save Katy and the team valuable time and resources when working with universities. The biggest impact will be when LearnSci onboards new partners: having ISO 27001 certification in many cases eliminates the need for the team to fill in intensive information security questionnaires. Instead, the certification demonstrates the business’s robust information security management.

“ISO 27001 certification gives the partner confidence that we’ve been externally certified, and we’ve got the data security element covered. It’s a big win for us, and it’s a win for them.”

Katy Aldrich Operations Lead, LearnSci

“A couple of information security questionnaires I did last year had a long form, and the first question is: “Are you ISO 27001 certified?” If you can tick that box and give your certificate number, you don’t have to fill in the form.”

LearnSci has also achieved significant cost savings by using the ISMS.online platform.

“If you take into the account the cost of the system and the cost of our time, it’s much less than the cost of employing someone in a compliance officer role. We wouldn’t be able to employ someone of the right level to do that, because we’d still need time from other people in the company.”

What’s Next?

The LearnSci team are proud to have achieved ISO 27001 and are planning publicity around this, as well as how to maintain high standards it sets. They will be leveraging the certification in discussions around upcoming sales and renewals during the next few months, as universities start to look at resourcing for the next academic year.

“Our ISO 27001 certification is really going to come into play in the next six months as we enter our peak sales season.”

Katy Aldrich Operations Lead, LearnSci