
Do we need compliance as a start-up?

  • Writer: TQC
  • Dec 2
  • 4 min read

One of the most common questions we get from founders is: Do we need to worry about compliance yet? For those of you with limited time, the simple answer is yes!


Now, for those of you who want to know why we’re seeing this shift, and to know why your customers and investors are focusing so much on this over the incredible products and services you offer, let’s read on.


At TQC, we predominantly work in the start-up, scale-up, and small- to medium-sized-company ecosystems. We engaged with fourteen companies across twenty-seven contracts in this space in 2025. Across all these companies, we have seen a growing trend in the industry to confirm adherence to the standards even at this early stage.


What once was a ‘ticket to trade’ for larger organisations is now rapidly becoming a must for everyone from start-ups onwards, with even teams of just two or three people now being asked to produce their ISO 27001 certificate to sign their first customers.


If you sell into larger organisations, you’ve probably already felt the shift yourselves. Where you might have historically had a short one-page assessment, these are now evolving into certification requests for ISO 9001, Cyber Essentials, ISO 27001, and many others. But why?


This is why.


For those of you with an analytical mind, a few stats might set the scene:

  • The UK government’s Cyber Security Breaches Survey 2025 reports that cyber incidents remain widespread, especially among organisations in complex supply chains, and highlights supply-chain risk as a growing concern for UK businesses and charities.

  • The NCSC’s 2025 review emphasises that many incidents in the past year originated not from direct attacks, but from vulnerabilities in connected partners, suppliers or software vendors. Supply-chain and third-party risk is now a headline theme, not a footnote.

  • Analysis of cyber supply-chain breaches suggests that around 62% of data breaches start with a third-party vendor. One recent summary of third-party risk statistics notes that 30% of breaches in 2024 involved a third-party vendor, roughly double the previous year, and that this figure is likely an underestimate.


With the associated potential fines, loss of reputation, and generally competitive markets, it’s not difficult to see why companies are so focused on who they let into their ecosystem, and why start-ups are being asked to prove, not just promise, when it comes to security and compliance.


But AI will save the day?


It can help, but save the day? Let's dig a little deeper. UK press coverage in late 2025 has highlighted supply-chain cyberattacks affecting major brands and critical infrastructure, with reports warning that these attacks are becoming “unmanageable” and that UK businesses are “paying the price” as attackers increasingly exploit smaller vendors to island-hop into bigger targets.


Likewise, UK ministers have been urging small businesses to bolster their cybersecurity, explicitly calling out the role of supply chains and offering toolkits and guidance. But we at TQC understand how challenging this can be for start-ups, where it feels like you’re already working every hour possible and are juggling more plates than you care to mention. But that doesn’t mean it’s something you can actually ignore.


As we start seeing more companies fall short by using AI without adequate safeguards, I point here to the well-known case of Deloitte Australia, which in October 2025 made a rather unflattering splash in the press when it was revealed that a report it had produced for the Australian government, after charging a not-so-small fee to do so, on a compliance framework contained significant mistakes because parts of it were generated using AI.


We know AI hallucinates. I recently made a post on LinkedIn where, while using it to sanity-check a short 30-page report, it generated content on five occasions that wasn’t in the report. Thankfully, we here at TQC always double-check what it generates and use it for what it is: a tool, not another subject-matter expert within our team.


What does that mean for start-ups?


Many start-ups rush to obtain certifications such as ISO 27001 or SOC 2, often viewing them as quick “trust logos” to tick the box. They do this not because they don’t care about compliance, but because they left it too late; they’ve just not left themselves enough time, having come out of an investor or customer meeting where they’ve promised to get it within the next few weeks to satisfy a need raised, but without any of the infrastructure being in place. It’s worth just noting here that many UKAS-accredited auditors have a delay, so you’ll need to engage them at least six months before you ‘need’ certification. And don’t even get me started on unaccredited reports or certifications, or I’ll be here all day, and this blog will become somewhat of a mature-only piece of literature.


These tight timelines, implementation without guidance, or purchasing a pack of documents mean the company won’t actually have real, mature internal compliance practices and documented controls. I use an example from a recent video we did. In it, I talked about a company that produced documents in an audit listing a role they never held at the company. That’s a sure-fire way to show everyone you’re just practising “security theatre”, and that pack of SOPs you bought might have got you through stage 1, but they’d be picked apart, and rightly so, by any investigation or test of their actual controls. And without turning this into a sales pitch, that’s precisely what we do at TQC. We build the compliance infrastructure and culture to ensure your start-up can shine in the compliance world, and that you have the tools needed to scale the management systems as you grow: not just getting you a badge for your website, but ensuring you’re set up for ongoing success.



Copyright © 2024 TQC. All rights reserved. TQC is a company registered in England and Wales, Company No. 15546928. Fircroft, Branksomewood Road, Fleet, GU51 4JF

VAT registration number 481548273
