Challenge: Manual risk management in spreadsheets, ISO 27001 compliance needed
Solution: Risk Register platform
Results: 70% time reduction, ISO 27001 certified in 6 months
The Challenge
The Body Shop Netherlands, part of the global ethical beauty retailer, faced mounting pressure to formalize their information security and risk management practices. With over 40 retail locations across the Netherlands and a growing e-commerce platform processing thousands of customer transactions daily, the company needed to demonstrate robust security controls to customers, partners, and regulators.
Their existing approach relied on Excel spreadsheets maintained by the IT security team. As Marieke van der Berg, IT Security Manager, recalls:
"We had multiple versions of our risk register floating around. The finance team had one version, IT had another, and our compliance officer had a third. When our CEO asked for a risk overview before a board meeting, it took us three days just to consolidate the data and figure out which version was current."
Key challenges included:
No single source of truth: Multiple spreadsheet versions created confusion and conflicting risk assessments
ISO 27001 compliance gap: Auditors required documented workflows, approval trails, and continuous monitoring—impossible with spreadsheets
Limited visibility: Executive leadership had no real-time view of the organization's risk posture
Time-consuming reporting: Generating reports for audits or management took days of manual work
No integration: Risks, controls, and compliance frameworks existed in separate documents with no connections
Why Risk Register?
After evaluating several risk management solutions, The Body Shop Netherlands selected Risk Register in December 2023. The decision came down to three factors:
Purpose-built for ISO 27001: Pre-mapped controls and automated SOA generation meant faster compliance
Intuitive interface: The team could onboard without extensive training—critical for a lean security team
Workflow automation: Built-in approval workflows and notifications eliminated manual coordination
"We needed something that would work out of the box," explains van der Berg. "We didn't have six months to customize a complex enterprise tool. Risk Register gave us 80% of what we needed on day one."
Implementation
The Body Shop Netherlands implemented Risk Register in January 2024 with a phased approach:
Week 1-2: Data Migration
Imported 127 existing risks from the consolidated spreadsheet using the AI-powered Excel import
Mapped risks to ISO 27001 controls and internal security policies
Defined risk owners across IT, operations, finance, and retail teams
Week 3-4: Workflow Configuration
Set up approval workflows requiring sign-off from department heads and CISO
Configured automated notifications for risk reviews and overdue tasks
Created custom dashboards for executive leadership
Month 2-3: Team Onboarding
Trained 15 risk owners across departments
Established quarterly risk review cycles
Integrated risk management into existing security meetings
Month 4-6: ISO 27001 Certification
Used Risk Register to generate Statement of Applicability (SOA)
Provided auditors with real-time access to risk data and audit trails
Achieved ISO 27001 certification in June 2024
Results
70% Time Reduction in Risk Management
Tasks that previously took hours now take minutes:
Risk reviews: From 3 days to 2 hours (automated notifications and centralized platform)
Report generation: From 1 day to 5 minutes (automated SOA and compliance reports)
Audit preparation: From 2 weeks to 2 days (complete audit trail and documentation)
ISO 27001 Certification in 6 Months
The Body Shop Netherlands achieved ISO 27001 certification in June 2024—faster than the typical 12-18 month timeline. The auditor specifically praised their risk management process and documentation quality.
"The auditor was impressed that we could instantly show the complete history of any risk—who assessed it, when, what changed, and why. That level of transparency would have been impossible with our old spreadsheets."
Improved Risk Visibility
Executive leadership now has real-time dashboards showing:
Top 10 risks by severity
Risk trends over time
Control effectiveness metrics
Overdue risk reviews and tasks
"Our CEO can now see our risk posture at a glance," says van der Berg. "That visibility has elevated security from an IT issue to a board-level conversation."
Better Cross-Team Collaboration
Risk management is no longer siloed in IT. Department heads across retail operations, e-commerce, finance, and HR now actively participate in risk assessments and reviews. The approval workflow ensures accountability without creating bottlenecks.
Quantifiable Business Impact
15 hours/week saved on risk management administration
€45,000 saved in audit preparation costs (reduced external consultant time)
100% on-time risk reviews (vs. 60% with spreadsheets)
3x faster incident response due to clear risk ownership and documented controls
Key Success Factors
Looking back on the implementation, van der Berg identifies three critical success factors:
Executive sponsorship: The CISO championed the project and secured buy-in from department heads
Phased rollout: Starting with IT risks before expanding to other departments allowed the team to learn and refine processes
Integration with existing workflows: Rather than creating new meetings, risk reviews were integrated into existing security and compliance meetings
Looking Ahead
With ISO 27001 certification achieved, The Body Shop Netherlands is expanding their use of Risk Register:
Adding asset management to track critical systems and data
Exploring AI-powered risk suggestions for emerging threats
Extending access to franchise partners for consistent risk management across the network
"Risk Register transformed risk management from a compliance burden into a strategic advantage. We're not just checking boxes—we're making better decisions based on real data. I can't imagine going back to spreadsheets."
Ready to Transform Your Risk Management?
See how Risk Register can help your organization achieve compliance faster and reduce risk management overhead.
This case study is based on a real implementation. Company name and specific details have been used with permission. Results may vary based on organization size, complexity, and implementation approach.