Bollin Group Case Study

Bollin Group is a major player in the outdoor clothing and equipment marketplace which owns a carefully selected portfolio of brands, such as Mountain Equipment, Sprayway, Ronhill and Bridgedale, and which has increased its turnover from £6m in 1992 to circa £90m in 2023.  Behind the Group’s success is a family-owned business with a set of strong core values, including integrity, transparency, high-performing products and a high degree of corporate social responsibility.  

Bollin Group operates in a highly competitive environment spanning both B2B and B2C markets, and, as such, is exposed to numerous challenges and threats that could impact its long-term viability, including global conflicts, economic and political instability, currency fluctuations, weather-related risks, and cyber threats.  Recognising the critical importance of information and cyber security, Stephen Cann, Bollin Group’s CEO, has adopted a balanced, pragmatic, and risk-based approach to safeguarding its operations.

Cybersecurity Strategy and Achievements

Bollin Group has taken significant steps to address the primary cyber and information security risks facing its business.  By identifying its key threats, the organisation has strategically invested in solutions tailored to meet its specific needs.  As part of this effort, Bollin Group implemented an overarching governance approach and a cybersecurity platform, and successfully achieved Cyber Essentials (CE) certification.  Building on this foundation, Bollin Group went on to develop an information security management system which was certified to ISO 27001 in April 2024 by QEC, a UKAS-accredited certification body.

While many organisations pursue ISO 27001 primarily to meet client or tender requirements, Bollin Group approached it more as a strategic tool for improving its approach to cyber and information security.  The Standard, grounded in risk management and continuous improvement, aligns seamlessly with Bollin Group’s goals of adapting to evolving cyber threats and governance challenges.  A key requirement for Stephen Cann in implementing ISO 27001 was to do so at a pace that enabled the management system to be thoroughly embedded into business as usual, and for staff to be fully trained so that they truly understand the new security processes and reap their many benefits.

Partnership with URM

In its journey to strengthen cyber and information security, Bollin Group has worked extensively with URM Consulting Services (URM), a service provider that has become a trusted partner.  Stephen Cann points to three key reasons for the success of this partnership:

1. Breadth of Expertise

Stephen Cann believes that one of URM’s unique qualities is the breadth of its information security and cyber expertise, which bridges technical, governance, risk management and compliance services.  This breadth allows for a holistic, integrated and risk-based approach to help Bollin Group meet its cyber and information security goals. As Stephen Cann explains, “it is the calibre of its consultants, be they risk managers, penetration testers, GDPR specialists, Cyber Essentials assessors, ISO 27001 implementers and auditors, combined with its Abriska risk management software, that sets URM apart from its competitors”.

2. Pragmatic Approach

As Stephen Cann goes on to explain, “It’s one thing having the required technical knowledge, it’s another thing for a consultant to apply that knowledge to the context of our organisation. To use a sporting analogy, we view cyber and information security as a marathon not a sprint.  I am not a believer in doing everything all at once.  Our approach has been risk based and incremental, remediating our biggest risks first before moving on.  I believe this approach is far more sustainable and effective.  And URM’s consultants fully understand this and are very pragmatic and tailored in their guidance and advice.  They know we are not implementing ISO 27001 purely for the certificate, but more as a framework for continual improvement, and at a pace where new systems and processes can be fully understood and absorbed by our team and be business as usual”.

3. Shared Values

Bollin Group’s growth has been built on strong relationships and, as Stephen Cann explains, working with like-minded organisations is a very important component.  “We hope our employees, stakeholders, suppliers and customers feel that we are nice people to do business with, and equally we expect that of our suppliers.  All the team at URM are nice people to do business with.  The relationship with everyone we've met, from our account manager to all of the different consultants, has been excellent.  The strength of our relationship is undoubtedly underpinned by shared core values, most notably integrity, honesty, fairness and responsiveness.  Both organisations take their corporate social responsibilities very seriously and both are committed to worthy charitable causes.  All of this fosters a close cultural fit that adds great strength to our working relationship.”

Conclusion

Through a forward-looking and risk-based approach, Bollin Group has looked to position itself to navigate the complex landscape of cybersecurity and information security management effectively.  It has achieved this with the support of URM’s consultants and account manager who understand the Group’s particular needs for implementing sustainable, appropriate solutions and practices that staff can fully understand and adopt.  This pragmatic approach ensures long-term value and seamless integration into Bollin Group’s operations.
