ISO Compliance

The Golden Thread: From Building Safety Act to ISO Compliance — Why Every SME Needs One

Jason Misters
2 June 2026

The Golden Thread isn't just a Building Safety Act obligation — it's the principle behind every ISO standard. Here's how to build yours the right way.

The Building Safety Act 2022 introduced a phrase that compliance professionals have used for decades but rarely explained well: the golden thread. For higher-risk residential buildings, dutyholders must now maintain a continuous, accurate, accessible record of decisions, changes, and evidence across the building's lifecycle. Miss a step, lose the thread, lose the cert. In the post-Grenfell regulatory environment, the standard is unforgiving.

What few SMEs realise is that this isn't a construction-industry idea — it's the same principle that underpins every ISO management standard. If you're certified to ISO 9001, ISO 45001 or ISO 27001 (or working towards them), you already have a golden thread obligation. The question is whether yours is real, or a folder of disconnected documents with a "Quality Manual" cover sheet.

What the Building Safety Act actually requires

The Hackitt Review's recommendations, now embedded in the Building Safety Act 2022 and the Higher-Risk Buildings (Key Building Information etc.) Regulations 2023, define the golden thread as information that is:

• Accurate — reflects what was actually decided and built, not what was originally planned

• Accessible — retrievable by the right people at the right time, throughout the building's life

• Continuous — gaps in the record are gaps in safety

• Up to date — changes are captured at the point they happen, not reconstructed after an incident

Read those four properties again and ask yourself: does your ISO management system meet that bar? For most SMEs I audit, the honest answer is "partially". Documents exist, but the links between them, between a risk assessment and the incident it was supposed to prevent, between a corrective action and the management review that discussed it, live in someone's head, not in the system.

The ISO clauses already demand a golden thread

Every modern ISO management standard is built on the same Annex SL backbone clauses. The wording varies slightly between standards but the obligation is the same:

• Clause 7.5 — Documented Information (ISO 9001:2015, ISO 45001:2018, ISO 27001:2022). Organisations must determine, create, update and control the documented information the system needs to operate. Crucially, this is not a list of documents; it is a system of records.

• Clause 7.5.3 — Control of Documented Information. Documented information must be available and suitable for use where and when it is needed, and adequately protected against loss of confidentiality, improper use and loss of integrity; distribution, access, version control, retention and disposition must all be controlled. The phrase auditors care about is "available where and when needed". A document buried three folders deep on a shared drive fails this test. So does one that anybody can silently edit, because a record with no integrity protection cannot be relied on as evidence.

• Clause 9.2 — Internal Audit. Audits must verify that the system conforms to the organisation's own requirements and to the standard, and that it is effectively implemented and maintained. Without a golden thread, an internal audit becomes archaeology: digging through emails and spreadsheets to reconstruct what happened.

• Clause 9.3 — Management Review. Top management must review the system using inputs that include audit results, nonconformities and corrective actions, the status of actions from previous reviews, and the effectiveness of actions taken to address risks. If those inputs aren't already linked, management review becomes a fortnight of pre-meeting scrambling.

In other words: the Building Safety Act didn't invent the golden thread. It made explicit what ISO 9001 has demanded, in one form or another, since its first edition.

What a real golden thread looks like for an SME

Forget the abstract definitions. A working golden thread, for a small or medium business, has five practical properties:

1. Documents link to risks

Your method statement isn't just a method statement. It's the control measure for hazards identified in your risk assessment. Your training records aren't isolated: they're the competence evidence for the people you've assigned to high-risk tasks. The link has to be queryable, not just remembered.

2. Risks link to incidents

When an incident happens, your investigation should be able to answer one question quickly: was this hazard in our risk register? If yes, why did our controls fail? If no, why did we miss it? Without the link, the investigation defaults to "human error" and the system learns nothing.

3. Incidents link to corrective actions (CAPAs)

Every incident worth investigating produces a CAPA. The CAPA must connect back to the incident that triggered it, the root cause analysis, the proposed control change, and the verification that the change actually worked. Auditors check this chain. Most SMEs lose it at the verification step.

4. CAPAs link to management review

CAPAs without management oversight quietly stay open forever. ISO 9001:2015 Clause 9.3.2 c) 4) explicitly requires management review to consider nonconformities and corrective actions, and 9.3.2 a) requires it to consider the status of actions from previous reviews. If your management review minutes don't reference specific CAPAs by ID, you don't have a golden thread; you have a status meeting.

5. Everything is queryable for audit

The auditor's nightmare question is: "Show me every document, training record, risk control, and CAPA related to this incident". If answering that takes more than ten minutes, your golden thread has gaps. If it takes a week, you don't have one.
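The five links above are a data model, and the auditor's question in point 5 is a query over it. The script below is an added example written for this page; it is not PICMS code, TAC's method, or any other product's. It models each link as a row in a junction table (the article's own term) in SQLite, answers "show me everything related to this incident" with joins, and lists every place the thread is broken: an incident whose hazard was never in the register, a CAPA never verified, a CAPA no management review has seen. Every table name, identifier (DOC-MS-07, INC-001, CAPA-003 and so on) and sample row is constructed for illustration. The last function is the point for anyone who cares about evidence integrity: with the links enforced by the schema, a CAPA pointing at an incident ID that does not exist is rejected at write time instead of being discovered by an auditor.

```python
"""Golden thread as a relational traceability graph.

Added example, not code from PICMS, TAC or any other product. Each link the
article lists (document -> risk -> incident -> CAPA -> management review) is a
row in a junction table, so the auditor's question is one set of joins and a
missing link is a row that fails an anti-join. All table names, identifiers
(DOC-MS-07, INC-001, ...) and sample rows are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE document (id TEXT PRIMARY KEY, title TEXT NOT NULL, version TEXT NOT NULL);
CREATE TABLE risk     (id TEXT PRIMARY KEY, hazard TEXT NOT NULL);
CREATE TABLE incident (id TEXT PRIMARY KEY, occurred_on TEXT NOT NULL, summary TEXT NOT NULL);
CREATE TABLE capa     (id TEXT PRIMARY KEY, incident_id TEXT NOT NULL REFERENCES incident(id),
                       root_cause TEXT NOT NULL, verified_on TEXT);  -- NULL = effectiveness never verified
CREATE TABLE management_review (id TEXT PRIMARY KEY, held_on TEXT NOT NULL);
CREATE TABLE training_record (person TEXT NOT NULL, document_id TEXT NOT NULL REFERENCES document(id),
                              completed_on TEXT NOT NULL);
-- Junction tables: these rows ARE the thread. Composite primary keys stop duplicate links.
CREATE TABLE document_controls_risk (document_id TEXT NOT NULL REFERENCES document(id),
                                     risk_id TEXT NOT NULL REFERENCES risk(id),
                                     PRIMARY KEY (document_id, risk_id));
CREATE TABLE incident_realises_risk (incident_id TEXT NOT NULL REFERENCES incident(id),
                                     risk_id TEXT NOT NULL REFERENCES risk(id),
                                     PRIMARY KEY (incident_id, risk_id));
CREATE TABLE review_considers_capa  (review_id TEXT NOT NULL REFERENCES management_review(id),
                                     capa_id TEXT NOT NULL REFERENCES capa(id),
                                     PRIMARY KEY (review_id, capa_id));
"""

# Constructed sample data. INC-001 is fully threaded; INC-002 is deliberately not.
SAMPLE_ROWS = [
    ("INSERT INTO document VALUES (?,?,?)", [
        ("DOC-MS-07", "Method statement: scaffold alteration", "3.1"),
        ("DOC-POL-02", "Manual handling policy", "1.0")]),
    ("INSERT INTO risk VALUES (?,?)", [
        ("R-01", "Fall from height during scaffold alteration"),
        ("R-02", "Manual handling injury in stores")]),
    ("INSERT INTO incident VALUES (?,?,?)", [
        ("INC-001", "2025-03-04", "Operative slipped on scaffold lift (near miss)"),
        ("INC-002", "2025-05-19", "Pedestrian struck by reversing forklift in yard")]),
    ("INSERT INTO capa VALUES (?,?,?,?)", [
        ("CAPA-003", "INC-001", "Toe boards removed for access, not reinstated", "2025-04-10"),
        ("CAPA-004", "INC-002", "No segregated pedestrian route in yard", None)]),
    ("INSERT INTO management_review VALUES (?,?)", [("MR-2025-Q2", "2025-06-20")]),
    ("INSERT INTO training_record VALUES (?,?,?)", [("A. Smith", "DOC-MS-07", "2025-01-15")]),
    ("INSERT INTO document_controls_risk VALUES (?,?)", [("DOC-MS-07", "R-01"), ("DOC-POL-02", "R-02")]),
    ("INSERT INTO incident_realises_risk VALUES (?,?)", [("INC-001", "R-01")]),  # INC-002's hazard never in register
    ("INSERT INTO review_considers_capa VALUES (?,?)", [("MR-2025-Q2", "CAPA-003")]),  # CAPA-004 never reached a review
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite; without it links are not enforced
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def thread_for_incident(conn: sqlite3.Connection, incident_id: str) -> dict:
    """The auditor's question: everything connected to one incident, found by walking the junction tables."""
    def col(sql: str) -> list:
        return [row[0] for row in conn.execute(sql, (incident_id,))]

    docs_for_incident = ("SELECT DISTINCT document_id FROM document_controls_risk "
                         "JOIN incident_realises_risk USING (risk_id) WHERE incident_id = ?")
    return {
        "risks": col("SELECT risk_id FROM incident_realises_risk WHERE incident_id = ? ORDER BY risk_id"),
        "documents": col(docs_for_incident + " ORDER BY document_id"),
        "training": col("SELECT person FROM training_record WHERE document_id IN (" + docs_for_incident + ")"),
        "capas": col("SELECT id FROM capa WHERE incident_id = ? ORDER BY id"),
        "reviews": col("SELECT DISTINCT review_id FROM review_considers_capa "
                       "JOIN capa ON capa.id = review_considers_capa.capa_id WHERE capa.incident_id = ?"),
    }


def find_gaps(conn: sqlite3.Connection) -> list:
    """Every broken link as (check, record_id). An empty list is what you want an auditor to see."""
    checks = {
        "incident_without_risk": "SELECT id FROM incident WHERE id NOT IN (SELECT incident_id FROM incident_realises_risk)",
        "capa_unverified": "SELECT id FROM capa WHERE verified_on IS NULL",
        "capa_not_reviewed": "SELECT id FROM capa WHERE id NOT IN (SELECT capa_id FROM review_considers_capa)",
        "risk_without_control": "SELECT id FROM risk WHERE id NOT IN (SELECT risk_id FROM document_controls_risk)",
        "document_without_risk": "SELECT id FROM document WHERE id NOT IN (SELECT document_id FROM document_controls_risk)",
    }
    return sorted((check, row[0]) for check, sql in checks.items() for row in conn.execute(sql))


def dangling_link_rejected(conn: sqlite3.Connection) -> bool:
    """A CAPA pointing at an incident that does not exist must fail at write time, not at audit time."""
    try:
        conn.execute("INSERT INTO capa VALUES ('CAPA-999', 'INC-404', 'typo in incident id', NULL)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("Thread for INC-001:", thread_for_incident(db, "INC-001"))
    print("Thread gaps:", find_gaps(db))
    print("Dangling link rejected by schema:", dangling_link_rejected(db))
```

Run it and the gap report names CAPA-004 twice (unverified, and never tabled at a review) and INC-002 once (no risk register entry to point at), which is exactly the "was this hazard in our register?" question from point 2 answered mechanically. The same anti-join pattern extends to any further link an SME wants to enforce, such as training records older than a document's current version. Spreadsheets cannot reject the dangling CAPA-999 row; a schema with foreign keys switched on does.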

Why most SMEs fail the golden thread test

The pattern repeats across nearly every SME I audit before they engage TAC. The components exist:

• A SharePoint folder of policies and procedures

• A risk register in Excel

• An incident log on Microsoft Forms

• A training matrix maintained by HR

• A CHAS portal, a Constructionline portal, a SafeContractor portal — each with its own copy of slightly different evidence

• Audit findings in a shared Word document

Each piece is technically compliant. None of them link to each other. The thread is in the head of the SHEQ Manager. When that person leaves, or is on holiday, or is simply busy, the system fails — silently — until an auditor pulls on it and the whole jumper unravels.

This is what I call compliance theatre: the appearance of a system, without the connective tissue that makes it real. It passes a surveillance audit when the auditor is friendly. It fails when the auditor is curious. It collapses when an incident demands real traceability.

How TAC builds a real golden thread

I'm an IRCA Registered Principal Auditor with 24 years of SHEQ experience across the British Army and the civilian sector. I've sat on both sides of the audit table. What I bring to an SME engagement is the auditor's-eye view of where threads break — and how to weave them back together without rebuilding your entire management system from scratch.

A typical TAC engagement starts with a gap diagnostic: a structured map of where your evidence already exists, where the links are missing, and what an auditor would actually find if they pulled on each thread. From there, we design the connections — between modules, between procedures, between people — that turn your existing components into a coherent system.

The methodology is platform-agnostic. You can run a golden thread on paper if you're disciplined enough. Most SMEs aren't, and most shouldn't try.

The platform that makes the golden thread automatic

I built PICMS — the Proactive Intelligent Compliance Management System — to deliver the golden thread digitally for SMEs who didn't want to maintain it by hand. PICMS uses cross-module document linking via vector search and junction tables: when you upload a procedure, it automatically links to the risks, hazards, and controls it relates to. When you log an incident, it surfaces the relevant policies, training records, and prior CAPAs. When you record a management review, it pulls the live CAPA status, audit findings, and risk register state without anyone copy-pasting.

I'm not going to oversell it on this page. PICMS is a tool. The golden thread is a methodology. TAC's job is to make sure your methodology is right; PICMS happens to be the easiest way to operate it day-to-day if you want a platform rather than a binder.

What to do next

If you hold an ISO certification, or you're working towards one, ask yourself the question every auditor will eventually ask you: "Show me the thread." If you can't answer that in under ten minutes, you have work to do — and the work is far less than starting from scratch.

TAC offers a free 30-minute consultation to map your current state and identify the highest-leverage thread gaps in your management system. We work with SMEs across construction, engineering, manufacturing, healthcare, professional services, and tech. We don't sell certification — we make sure when the auditor turns up, your system speaks for itself.

Book your 30-minute golden thread review: trainingassuranceconsultancy.com/contact

Frequently asked questions

Is the golden thread legally required for non-construction SMEs?


The Building Safety Act 2022 mandate is specific to higher-risk buildings (HRBs) — typically residential buildings ≥18m or 7+ storeys. The principle, however, is embedded in every ISO management standard your organisation may hold. If you're certified to ISO 9001, 45001, 14001, 27001 or any other ISO management standard, you already have an obligation to maintain documented information that is accurate, accessible, and traceable.

Can we maintain a golden thread on spreadsheets?


Technically yes. Practically, it's the failure mode I see most often. Spreadsheets don't link to each other automatically. Versions diverge. People drop columns when they're in a hurry. The methodology can survive on paper if your team has the discipline; in practice, most SMEs benefit from a platform that enforces the linking automatically.

How long does it take TAC to build our golden thread?


For an SME holding one ISO standard with reasonable existing documentation, a thread audit and remediation plan is usually four to six weeks of focused engagement. Companies holding three or more standards, or pursuing fresh certification, plan for two to three months. The TAC engagement model is fixed-fee per phase — no open-ended billing.

What's the difference between TAC and a certification body?


Certification bodies (like LRQA, BSI, NQA, SGS) perform the independent third-party audit that issues your ISO certificate. They are required by accreditation rules to remain impartial — they cannot advise you on how to fix what they find. TAC is the consultancy you engage before the certification body arrives, to make sure they don't find anything significant when they do.

Related Topics

Golden Thread, Building Safety Act, ISO 9001, ISO 45001, ISO 27001, Compliance, SME, PICMS, IRCA