The Ultimate Guide to ISO 27001 for Small Business


How does ISO 27001 apply to a small business or an SME? Why it applies, what applies, how it applies and how much it costs. I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 Certification for Small Business.

Co-author: Fay Barker

The challenge for the small business

You have been asked for ISO 27001 certification. You are a small business or a start-up. You have little idea where to start, but you most likely think:

  • We can do without this
  • We cannot afford it
  • We do not have the resource
  • We know we are secure
  • We are busy on our actual business

Why they ask for ISO 27001 for Small Businesses

The reason small businesses are asked for ISO 27001 certification is simple. Companies want to get an understanding and assurance that you are doing the right thing for information security. They have two choices. They can either spend time and money and do an audit themselves, or they can rely on an industry standard and global certification where someone has done the work already. People are busy. The easy option is to rely on the work of someone else. Hence the requirement for ISO 27001 certification.

The Small Business Objection

The small business objection is clear. This is often a new area for the business. It comes at a cost of both time and money. At a time when resources are focussed on the business and its products and services, little can be afforded by way of diversion. We work with companies that are technically very savvy and switched on. They understand security. They understand technology.

What Options Do Small Businesses Have for ISO 27001?

There are 3 simple options open to the small business and SME when it comes to ISO 27001.

Option 1: Do it yourself

Option 2: Get someone else to do it

Option 3: Somewhere in the middle

Start-up, early-stage and growth businesses are our niche. Our approach, depending on the client, covers all 3 options.

If you consider the time versus money seesaw, it is about getting this balance right for the particular client. We developed all our policies and all our ISMS documents as templates that businesses can take and implement. We also streamlined our processes specifically to help the small business and the SME. Our pricing is keenly set to meet the needs of the small business.

ISO 27001 Templates – Do it Yourself

To save money, over 1,000 businesses have taken the option to get ISO 27001 certification themselves with our ISO 27001 Templates Toolkit. It really comes down to the fact that it is not that hard and they are saving, as a minimum, £10,000 in consulting fees. There are a lot better things these businesses can do with £10,000.

ISO 27001 for Small Business FAQ

How do I implement ISO 27001 in my small business / SME?

For ISO 27001 certification you are going to want to deploy policies, the required documentation for the ISMS and implement the required business controls. The level of implementation should be proportionate to your size.

How much does ISO 27001 cost for a small business?

That depends on how you go about doing it but expect to pay around £6,000 to the certification body just to take the certification audit. To implement it you are going to decide if you are going to do it yourself or get someone to help you. We specialise in startup, early stage and growth business and we tailor our approach to the needs of the client. It is a seesaw balance between your time and your money. The more you do, the less cash outlay you have.

Is there an alternative to ISO 27001 for my small business?

No. Not really. If you are being asked for ISO 27001 certification by your clients then they expect it. It is designed for companies of any size, from one-man bands up to large corporates.

Everything is in the cloud so do I really need ISO 27001?

Yes. Your cloud provider should be ISO 27001 certified and that is going to vastly reduce the amount of work you need to do but you still have work to do. ISO 27001 is not a technology standard. It is a business management standard. The controls cover all aspects of your business.

As a small business what are my options for ISO 27001?

You have 3 options for ISO 27001 certification. You can do it yourself. You can get someone to do it for you. You can find a middle ground and balance between the first two options.

Why does ISO 27001 for small business and SME cost so much?

Cost is relative. The smaller you are, the more any cost is going to seem excessive. There are ways to reduce costs when you are a smaller company, but you will still incur cost. The cost of the ISO 27001 certification audit, for example, is pretty much set in stone. Even if you shop around, the variation in pricing will be minimal. The question to ask is whether the commercial gains of having it outweigh the costs of having it. If not, then maybe don’t do it. You are in business to make money after all.

As a small business how hard is it to do ISO 27001 myself?

That is going to depend on what experience you have. In reality it isn’t that hard, although if you have no experience the learning curve can be steep and the required documentation can be daunting. You can consider templates, guidance and training.

Why is ISO 27001 important for small businesses?

It isn’t. And it is. It is only important to you if you see value in it. That value is usually driven by a commercial benefit. If you have a commercial contract that will make you money and that contract requires it, then you will go for it. If there is no commercial benefit, then you will not. Of course it is good and best practice to implement good information security, but the reality is that, as a small business or small company, you have a lot of competition for your valuable resources of time and money.

Can a business of 2 people get ISO 27001 certified?

Yes a business of any size can get ISO 27001 certification. Even a company of 1 employee can get ISO 27001 certified.

You are wondering if and why ISO 27001 makes commercial sense

When it comes to standards for information security, it is rarely at the top of anyone’s agenda for spend. People rarely think, I have all this lovely profit, let me spank some of it on a security standard. We have to face facts that there are competing demands on those precious financial resources. The time will come, though, when it makes very real commercial sense to invest in ISO 27001 certification and associated certificates, and they will make you money. That time comes as a business matures and the clients it seeks to onboard become more established clients.


Supplier Management

The pressures on more established businesses are the management of their own risk and their own legal and regulatory obligations. To mitigate that risk they will seek from you some assurance that you are doing the right thing. The quickest and easiest way to do that is to pass the cost and the effort on to you. Faced with performing an audit of you, and spending time and resources to establish whether you are doing the right thing, it is easier and cheaper for them to ask you for certifications to established standards. In that way they know that qualified, professional auditors have reviewed your processes and solutions and have established whether you are doing the right thing. Bingo, time and money saved for them.

Competitive Advantage

It is also rare that you will be the only person that does what you do, and any business worth its sourcing salt is going to do some kind of market evaluation to compare costs and services and ideally get the best deal it can for its own financial resources. How do they choose a supplier? A quick leveller is to ask all potential suppliers to provide copies of certificates. It is a hygiene factor. For those that don’t have it, they then have to weigh up the risk you pose and in all likelihood will discount you. Take for example banks, or any public sector body – they just won’t do business with you unless you can tick the certification boxes.


Do. Or do Not.

I am not saying you have to or should wait until you get that first contract that asks you for it. There is a lot of good best practice in ISO 27001, and starting the journey and operating TO the standard will reap some quick wins and dividends without the cost of going through certification. A real benefit is meeting the requirements of GDPR Principle 6, maintaining adequate security, if you do it right. Add to which, when the time is right, the road to certification will be quicker and easier. Consider that the average time from engaging the certification body to gaining the certificate is 6 months, with a range from 3 to 12 months depending on the scheduling and availability of the certifiers, so leaving it to the last minute is clearly not going to help you win that contract. You can always fast track your implementation with the ISO 27001 toolkit, but whatever you do ….

My advice is to have ISO 27001 on your radar and when the time is right for you be sure to go for certification.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of Cryptography

ISO 27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing