Blackfort Technology
ISO 27001 for Small Businesses

Step-by-step guide for SMEs: define scope, build an ISMS, achieve certification – without oversized processes.

Is ISO 27001 even meant for small businesses?

Many SMEs assume ISO 27001 is reserved for large enterprises. That is a misconception – and an increasingly costly one. The standard defines no minimum scope and makes no demands on company size or headcount. What it requires is a working information security management system (ISMS) – and that can exist just as well in a 15-person business as in a 15,000-person corporation.

The driver is often external: customers, clients and tenders increasingly demand ISO 27001 as a prerequisite – including from small suppliers and IT service providers. The NIS2 Directive amplifies this pressure through supply-chain obligations: organisations subject to NIS2 must also impose security standards on their service providers.

Small businesses benefit from a structural advantage: shorter decision paths, fewer departmental silos, direct access to leadership. An SME that pursues ISO 27001 with intent can achieve it in considerably less time than a corporation with 50 sites – provided the scope is clearly defined and the project approach is realistic.

The right ISMS scope: less is often more

The most important decision at the start of the project is the scope definition: which areas, processes and sites does the ISMS cover? Small businesses have a substantial advantage here: an organisation with one site, a manageable IT landscape and clearly delineated business processes can choose a tightly framed scope – significantly reducing effort and audit costs.

A typical scope for a small IT service provider with 20 employees might cover the delivery of managed services including the systems used and customer data – without the entire corporate organisation. Such a lean scope can be brought to certification readiness in 6–9 months and remains entirely comprehensible to customers and auditors.

Blackfort supports small businesses with scope definition in a structured workshop: which information assets are critical? Which processes must be protected? Where does the scope strike a balance between certifiability and economic feasibility? The output is a scoping document that serves as the basis for gap assessment and project planning.

ISO 27001 in an SME: step by step to certification

We recommend small businesses follow a clearly structured four-phase approach that respects available resources while remaining focused on a concrete certification goal.

  • Phase 1 – Gap assessment (4–6 weeks): stocktake of current security posture, maturity assessment, prioritised implementation plan.
  • Phase 2 – ISMS build (3–5 months): draft core policies (information security policy, risk treatment plan, Statement of Applicability), introduce baseline technical measures, raise staff awareness.
  • Phase 3 – Maturation & internal audit (1–2 months): the ISMS runs in operation, initial internal audits identify corrective actions, open issues are closed.
  • Phase 4 – Certification audit: Stage-1 audit (documentation review) and Stage-2 audit (on-site) by the accredited certification body.

A realistic total timeframe for a small business with 20–50 employees: 7–10 months, with around 20–30 % of internal capacity from the ISMS owner. Where that effort cannot be carried internally, an external information security officer (external ISO) is the right answer – a person who oversees the ISMS in a specialist capacity without requiring a dedicated full-time role.

What small businesses should watch out for

Resource planning is the most critical factor. Many SMEs underestimate the fact that ISO 27001 is not a purely technical project – it requires contributions from leadership, IT and business functions. Failure to clarify upfront who is responsible internally and what capacity is realistically available risks a project that stalls halfway.

Documentation should be minimal but lived. The most common trap for small businesses: extensive policies that disappear into a drawer. ISO 27001 does not assess the quantity of documentation but how well it is understood and applied. A small set of clear policies that are genuinely followed day to day is better than a voluminous manual without buy-in.

The choice of certification body has consequences. Not every certifier is equally suitable for small businesses. Some are geared to corporate structures and have more demanding audit processes. Blackfort has many years of experience preparing small businesses for certification and advises on the selection of a certification body that fits the company size.

What does ISO 27001 cost for a small business?

For small businesses with up to 50 employees and a clearly delineated scope, total initial certification costs of EUR 25,000 to 60,000 are realistic – spread across gap assessment, external consulting, certification audit and internal resources. Annual follow-on costs for surveillance audits are EUR 4,000 to 7,000.

The biggest lever for cost reduction lies in a clearly defined scope, sufficient internal capacity and a strong starting position (e.g. existing IT documentation, security tooling already in use). Organisations that already hold a TISAX assessment or have well-documented IT security concepts can leverage significant synergies.

A detailed breakdown of all cost blocks – including a comparison table for different company sizes – is available on our ISO 27001 costs page.

SME ISO 27001 checklist

  • Delineate scope clearly (one site, one core product)
  • Nominate an internal ISMS owner
  • Commission a gap assessment
  • Make risk assessment pragmatic and traceable
  • Draft core policies – concise but lived
  • Engage and train staff early
  • Choose a certifier with SME experience
  • Plan ongoing operation from the start

Typical SME project duration

Gap assessment: 4–6 weeks
ISMS build: 3–5 months
Maturation & internal audit: 1–2 months
Certification audit: 1–2 weeks
Total (realistic): 7–10 months

Initial assessment for your SME

In a 30-minute conversation we will tell you whether and how ISO 27001 is realistic for your business.

Frequently asked: ISO 27001 for small businesses

At what company size does ISO 27001 become worthwhile?

There is no minimum size. Even organisations with 10–15 employees can be certified to ISO 27001 if they operate in sectors where customers or clients require the certificate. What matters is not size but market pressure and strategic positioning.

Can an SME achieve ISO 27001 without an in-house IT department?

Yes. ISO 27001 is a management system, not an IT project. Many of its requirements address organisation, processes and accountability. Technical measures can also be delivered by an external IT service provider. An external ISO can additionally take on the specialist coordination.

How does ISO 27001 for SMEs differ from large enterprises?

The process is identical but the scope is smaller and the implementation leaner. SMEs need fewer controls, less documentation and shorter project durations. Audit costs are lower, decision paths shorter. An SME that takes ISO 27001 seriously has structural advantages over a large corporation.

Which ISO 27001 controls matter most for small businesses?

The controls most relevant to SMEs are typically: access control (A.5.15–A.5.18), asset management (A.5.9–A.5.14), incident management (A.5.24–A.5.28), backup & recovery (A.8.13), awareness and training (A.6.3), and supplier management (A.5.19–A.5.22). The exact scope is determined by the risk assessment and the Statement of Applicability.

How long does ISO 27001 take for a small business?

With experienced support and a clear scope, 7–10 months is realistic. The prerequisite is that around 20–30 % of one person’s capacity is available internally for the project. Without internal resources or with a weak starting position, the timeline can extend to 12–18 months.

Is a phased approach without immediate certification possible?

Yes – and for many SMEs advisable. First build a lean ISMS that is lived internally without immediately moving to formal certification. This reduces initial cost pressure and ensures the ISMS does not become a paper exercise. Certification then follows in a second step.

Get in touch

ISO 27001 in an SME – we make it doable

Blackfort supports small businesses with a realistic, resource-conscious approach to ISO 27001 certification. Get in touch.