ISO 27001 for Small Business

How does ISO 27001 apply to a small business or SME? Why it applies, what applies, how it applies and how much it costs.


The challenge for the small business

You have been asked for ISO 27001 certification. You are a small business or a start-up. You have little idea where to start, but you most likely think:

  • We can do without this
  • We cannot afford it
  • We do not have the resource
  • We know we are secure
  • We are busy on our actual business

Why they ask for ISO 27001 for Small Businesses

The reason small businesses are asked for ISO 27001 certification is simple. Companies want to get an understanding and assurance that their suppliers are doing the right thing for information security. They have two choices. They can either spend time and money and do an audit themselves, or they can rely on an industry standard and global certification where someone has done the work already. People are busy. The easy option is to rely on the work of someone else. Hence the requirement for ISO 27001 certification.

The Small Business Objection

The small business objection is clear. This is often a new area for the business. It comes at a cost of both time and money. At a time when resources are focussed on the business and its products and services, little can be afforded by way of diversion. We work with companies that are technically very savvy and switched on. They understand security. They understand technology.

What Options Do Small Businesses Have for ISO 27001?

There are 3 simple options open to the small business and SME when it comes to ISO 27001.

Option 1: Do it yourself

Option 2: Get someone else to do it

Option 3: Somewhere in the middle

Start-up, early-stage and growth businesses are our niche. Our approach, depending on the client, covers all 3 options.

If you consider the time-versus-money seesaw, it is about getting this balance right for the particular client. We developed all our policies and all our ISMS documents as templates that businesses can take and implement. We also streamlined our processes specifically to help small businesses and SMEs. Our pricing is keenly set to meet the needs of the small business.

ISO 27001 for Small Business FAQ

How do I implement ISO 27001 in my small business / SME?

For ISO 27001 certification you are going to want to deploy policies, the required documentation for the ISMS and implement the required business controls. The level of implementation should be proportionate to your size.

How much does ISO 27001 cost for a small business?

That depends on how you go about doing it, but expect to pay around £6,000 to the certification body just to take the certification audit. To implement it you are going to decide whether to do it yourself or get someone to help you. We specialise in start-up, early-stage and growth businesses and we tailor our approach to the needs of the client. It is a seesaw balance between your time and your money. The more you do, the less cash outlay you have.

Is there an alternative to ISO 27001 for my small business?

No. Not really. If you are being asked for ISO 27001 certification by your clients then they expect it. It is designed for companies of any size, from one-man bands up to large corporates.

Everything is in the cloud so do I really need ISO 27001?

Yes. Your cloud provider should be ISO 27001 certified, and that is going to vastly reduce the amount of work you need to do, but you still have work to do. ISO 27001 is not a technology standard. It is a business management standard. The controls cover all aspects of your business.

As a small business what are my options for ISO 27001?

You have 3 options for ISO 27001 certification. You can do it yourself. You can get someone to do it for you. You can find a middle ground and balance between the first two options.

Why does ISO 27001 for small business and SME cost so much?

Cost is relative. The smaller you are, the more any cost is going to seem excessive. There are ways to reduce costs when you are a smaller company, but you will still incur cost. The cost of the ISO 27001 certification audit, for example, is pretty much set in stone. Even if you shop around, the variation in pricing will be minimal. The question to ask is whether the commercial gains of having it outweigh the costs of having it. If not, then maybe don’t do it. You are in business to make money after all.

As a small business how hard is it to do ISO 27001 myself?

That is going to depend on what experience you have. It isn’t that hard in reality, although if you have no experience the learning curve can be steep and the required documentation can be daunting. You can consider templates and getting guidance and training.
