
ISO 27001 for small and medium-sized businesses: a practical implementation guide

ISO 27001 is not just for large enterprises. Organisations without a dedicated security team can achieve certification. This guide covers the six steps to get there, what it costs, and the mistakes that slow people down.

Cyvra team
Audits & Compliance
11 May 2026
9 min read
Key takeaways
  • Organisations without a dedicated security team can achieve ISO 27001 certification
  • The process has six stages: scoping, gap assessment, building the ISMS, implementing controls, internal audit, and external certification audit
  • Total costs for a small or medium-sized business typically fall between 15,000 and 40,000 euros including consultancy, tooling, and certification fees
  • The most common reason projects run over time is an ISMS that is over-engineered for the size of the organisation
  • Certification is not the end: surveillance audits happen annually and a full recertification audit every three years

What ISO 27001 actually requires

ISO 27001 is the international standard for information security management systems (ISMS). It sets out a framework for how an organisation identifies, assesses, and manages information security risks. Achieving certification means an accredited third-party auditor has verified that your ISMS meets the standard's requirements.

The standard has two main parts. The main clauses (4 to 10) cover governance: leadership commitment, risk assessment methodology, objectives, documentation, and management review. Annex A contains 93 controls across four themes: organisational, people, physical, and technological. You do not need to implement every control. You need to justify which controls apply to your risk profile and document why you have excluded any that do not.

The 2022 update to the standard (ISO/IEC 27001:2022) replaced the older 114-control Annex A with 93 consolidated controls. If you are starting implementation now, you are working to the 2022 version.

Scope matters

You do not have to certify your entire organisation. Many small and medium-sized businesses certify a specific service line or product, which keeps the scope manageable and reduces audit complexity. Define your scope carefully at the start: it is difficult to reduce it once the project is underway.

Does your business need ISO 27001?

ISO 27001 is not legally mandated in most sectors. Businesses pursue it for four main reasons:

  • Client requirements: Enterprise clients and public sector buyers increasingly require ISO 27001 as a procurement condition, particularly in professional services, SaaS, and IT supply chains.
  • Competitive advantage: Certification differentiates you from competitors who cannot demonstrate equivalent security maturity.
  • Regulatory alignment: ISO 27001 provides a strong foundation for GDPR compliance, NIS2 obligations, and sector-specific requirements like NHS DSPT.
  • Internal improvement: The process of implementing the standard forces organisations to document processes, assign ownership of risks, and establish controls they often should have had in place already.

If none of these apply to your situation, ISO 27001 may not be the right priority. Cyber Essentials Plus or a targeted security assessment may deliver more value for less effort.

The six steps to certification

The path from decision to certified typically follows six stages, regardless of organisation size.

1. Define your scope
Decide which parts of the business, which services, and which systems fall within the ISMS boundary. A narrow, well-defined scope is easier to certify and easier to maintain. Document the scope statement formally, as it becomes part of your audit evidence.

2. Gap assessment
Measure your current practices against ISO 27001's requirements and the 93 Annex A controls. The output is a gap report showing what you have, what you are missing, and the effort required to close each gap. This becomes your project plan.

3. Build your ISMS documentation
Write the policies, procedures, and records the standard requires. This includes an information security policy, a risk assessment methodology, a risk register, a Statement of Applicability (the document listing which controls you apply and why), and supporting procedures for areas like access control, incident management, and supplier security.

4. Implement controls and operate the ISMS
Put the controls into practice: configure systems, run staff awareness training, implement technical measures, review supplier contracts, and establish your management review process. You need to operate the ISMS for a period (typically three to six months) before the certification audit to generate the evidence that controls are working.

5. Internal audit
Conduct an internal audit against the standard's requirements. The auditor must be independent of the areas being audited. Document findings and any nonconformities, and address them before the external audit. The internal audit report is a required piece of certification evidence.

6. Certification audit
The external audit has two stages. Stage 1 reviews your ISMS documentation to confirm it meets the standard's requirements and that you are ready for Stage 2. Stage 2 is the main certification audit: the auditor reviews evidence that controls are implemented and operating effectively. Successful completion results in a three-year certificate, subject to annual surveillance audits.

Realistic timelines

  • 6-9 months for a business starting from a reasonable security baseline
  • 9-12 months for organisations with minimal existing controls or documentation
  • 3 years certificate validity, with annual surveillance audits

The gap assessment and scoping phase typically takes two to four weeks. Building the ISMS documentation takes four to eight weeks depending on how much already exists. The implementation and operation period, where you run the ISMS and generate evidence, should be at least three months. Internal audit takes one to two weeks. Stage 1 and Stage 2 certification audits are usually scheduled two to four weeks apart.

The most common cause of delays is scope creep or over-engineering the documentation. Policies written for a 10-person business do not need to be 40 pages long. Proportionality is explicitly built into the standard.

Common mistake

Many organisations try to implement all 93 controls regardless of whether they apply. The Statement of Applicability exists precisely to let you exclude controls that are not relevant to your risk profile. A small software business with no physical product line does not need physical and environmental security controls designed for a data centre.

Cost indications

ISO 27001 has three main cost components: consultancy or internal staff time, tooling, and certification body fees. Costs vary considerably with the size and complexity of the business; the figures below are indicative estimates for small and medium-sized businesses.

  • Gap assessment and project management: 5,000 to 15,000 euros
  • ISMS documentation and policy writing: 3,000 to 8,000 euros
  • Technical control implementation support: 2,000 to 8,000 euros
  • Internal audit support: 1,500 to 4,000 euros
  • Certification body fees (Stage 1 and Stage 2): 3,000 to 8,000 euros
  • GRC tooling (optional): 0 to 3,000 euros per year

Organisations that handle more of the work internally reduce the consultancy component significantly. Those starting from a strong baseline (existing security policies, documented asset inventory, established access control processes) also move faster and spend less.

Annual surveillance audits from the certification body typically cost 1,500 to 4,000 euros depending on organisation size and scope. The full recertification audit at year three is similar in cost to the original Stage 2.

"The standard is scalable. A 15-person professional services firm and a 150-person SaaS business need very different ISMS implementations, and the standard accommodates both. The mistake is treating it as a one-size enterprise exercise."

What happens after certification

Certification is not a one-time project. The standard requires continual improvement, and your certificate depends on demonstrating that the ISMS remains effective over time.

In year one post-certification, focus on embedding the ISMS into normal operations: ensure management reviews happen, incidents are logged and reviewed, and the risk register is updated when your business or threat landscape changes. Staff turnover is the most common cause of ISMS drift, so build awareness training into your onboarding process.

Surveillance audits happen at roughly 12-month intervals. They review a subset of the controls and check that any nonconformities from the previous audit have been addressed. They are less intensive than the original Stage 2 but require up-to-date evidence.

At year three, you undergo a full recertification audit. Organisations that maintain their ISMS actively throughout the three years find recertification straightforward. Those that let documentation go stale and only update records in the weeks before the audit tend to find it stressful and expensive.

Getting started

The single most valuable first step is a gap assessment. Before you commit to a project timeline or budget, you need to understand the distance between where you are now and where ISO 27001 requires you to be. A gap assessment typically takes one to two weeks and gives you a clear project plan with estimated effort per workstream.

If you are considering ISO 27001 because a client has asked for it, start by understanding their timeline and whether Cyber Essentials Plus would satisfy their requirement in the interim while you work toward full certification.

Cyvra's audits and compliance team conducts ISO 27001 gap assessments and supports businesses through the full certification process, from scoping through to Stage 2 audit preparation. If you want to understand what your path to certification looks like, the conversation starts with a short call.

Frequently asked questions

How long does ISO 27001 certification take for a small or medium-sized business?

A small or medium-sized business with 10 to 50 staff can typically achieve ISO 27001 certification in six to nine months. The timeline depends on how mature your existing security controls are, how quickly you can implement missing controls, and the availability of your chosen certification body. Organisations starting from a low baseline or with limited internal resource should allow nine to twelve months.

How much does ISO 27001 certification cost for a small or medium-sized business?

Total costs typically range from 15,000 to 40,000 euros, covering consultancy support, internal staff time, any tooling needed to implement controls, and the certification audit fees. Certification body fees for a small organisation are usually 3,000 to 8,000 euros for the two-stage audit. Annual surveillance audits cost less. Organisations that handle more of the work internally reduce costs significantly.

What is the difference between ISO 27001 and Cyber Essentials?

Cyber Essentials is a UK government-backed scheme covering five basic technical controls: firewalls, secure configuration, access control, malware protection, and patch management. It is relatively quick to achieve and mandatory for some UK government contracts. ISO 27001 is a full information security management system standard covering governance, risk management, people, physical security, and 93 controls. ISO 27001 is internationally recognised and carries significantly more weight with enterprise clients and regulated sector procurement teams.

Do small and medium-sized businesses need a consultant to achieve ISO 27001?

No, but most benefit from one. Self-implementation is possible if you have someone internally with the time and information security knowledge to lead it. In practice, most small and medium-sized businesses lack a dedicated security function, and a consultant accelerates the process significantly. A good consultant also helps you avoid over-engineering the ISMS, which is a common mistake that makes ongoing compliance unnecessarily burdensome.

What is a Statement of Applicability in ISO 27001?

The Statement of Applicability (SoA) is a required document that lists all 93 controls from Annex A and states whether each one applies to your organisation, whether it is implemented, and why it has been included or excluded. It is one of the core documents auditors review and must reflect your actual risk assessment decisions, not a generic template. Getting the SoA right is one of the areas where experienced guidance adds the most value.

Ready to start?

Get a clear path to ISO 27001 certification

A gap assessment gives you a project plan, timeline, and cost estimate before you commit to anything.
