ISO 27001 has a reputation for being complicated, expensive, and built for large organisations. That reputation isn’t entirely fair — but it has kept many small businesses from pursuing certifications they genuinely need.
This ISO 27001 for small businesses guide cuts through the noise of larger enterprises and explains what ISO 27001 actually looks like for a small team.
Is ISO 27001 Really Relevant to Small Businesses?
Yes — and increasingly so. It’s all I deal with on a day-to-day basis (I won’t deal with larger organisations).
The standard itself doesn’t have a minimum size requirement. It’s been designed to scale. A business with ten employees and a well-implemented ISMS can achieve the same certification as a business with ten thousand.
More importantly, the reasons to pursue ISO 27001 are becoming more common for small businesses:
- Enterprise customers are asking for it. If you sell software, professional services, or data processing to larger organisations, procurement teams increasingly require ISO 27001 as a minimum standard. What started as a requirement for tech companies is spreading to legal, accounting, marketing, and many other sectors.
- Cyber insurance premiums are rising. Insurers are asking harder questions about security controls, and certification is increasingly used as evidence that you’re a lower-risk client. Insurers are also starting to refuse cover to organisations that have done nothing to protect themselves.
- Data protection regulation has teeth. GDPR fines and ICO enforcement actions have reminded organisations that data security matters — and ISO 27001 provides a structured way to demonstrate you take it seriously.
- You handle sensitive data. If your clients share personal data, financial information, or commercially sensitive material with you, they have an interest in how you protect it. ISO 27001 is how you prove it.
The Myths That Put Small Businesses Off
“We’re too small to be a target.”
This is the most dangerous myth in information security. Small businesses are disproportionately targeted by cybercriminals precisely because they’re less likely to have robust controls. Ransomware attacks don’t discriminate by headcount. Attackers know where smaller businesses are weakest, and it’s the agility and less defined business practices of an SME that they go after.
“We can’t afford it.”
The cost of certification for a small business is far lower than most people assume. A UKAS-accredited certification audit for a small organisation typically costs between £3,000 and £6,000 (assuming low-risk, low-complexity data). Add a document toolkit (under £500) to get you off to a good start, plus some staff time, and you’re well under £10,000 in many cases. Compare that to the average cost of a data breach — or the value of the enterprise contract you couldn’t win without it.
Read the full guide to ISO 27001 certification costs.
“We don’t have a dedicated security team.”
You don’t need a dedicated team or a dedicated full-time security manager. ISO 27001 requires someone to take ownership — and that’s often the MD, an operations manager, or an IT manager wearing an extra hat. With the right tools and support, one person can lead an ISO 27001 project alongside their normal responsibilities.
“The documentation will be overwhelming.”
There are 14 mandatory documents under ISO 27001, plus the Annex A controls. That sounds like a lot until you realise that many of these documents are relatively short — some are a single page — and can be created from templates in a matter of hours.
What ISO 27001 Looks Like in a Small Business
Here’s what a fully compliant ISMS might look like in a smaller organisation. Don’t treat this as a mandatory list of documents; it’s an indication of the key documentation and processes you’ll need:
Policies (a folder in SharePoint or Google Drive):
- Information security policy (typically just two to three pages)
- Acceptable use policy
- Password and authentication policy
- Remote working policy
- Incident response procedure
- Data retention policy
- Supplier security policy (for supplier evaluation and management)
Risk management:
- A risk register in a spreadsheet, updated at least annually and when significant things change
- A risk treatment plan documenting what you’ve decided to do about each risk
Asset management:
- An asset register listing the information assets in scope (data, systems, physical assets)
Supplier management:
- A list of key suppliers with notes on their security and any relevant contracts or agreements
Training records:
- Evidence that all staff have completed information security awareness training
Audit and review:
- An internal audit, conducted at least annually
- A management review, held at least annually
Incident records:
- A log of security events and incidents, even minor ones
That’s the core of it. For most small organisations, all of this fits in a single shared folder with a dozen documents and two spreadsheets.
What’s Different for Small Businesses vs. Large Ones?
The standard is the same, so you need to do all the same major things, but the approach should be proportionate. By this, I mean that you adopt ISO 27001 and adapt it to your business and its risk appetite.
Proportionality is built in. ISO 27001 allows you to exclude Annex A controls that aren’t relevant to your organisation and justify those exclusions in your Statement of Applicability. A five-person remote-first company probably doesn’t need a policy for “secure data centres” — and that’s fine.
Risk-based thinking is your friend. The standard asks you to implement controls that are proportionate to the risks you face. A small business is unlikely to face the same threats as a bank, and its controls don’t need to match a bank’s either.
Simpler scope is easier to manage. If you operate from one office (or fully remotely), use SaaS tools rather than on-premise servers, and have a clear, limited set of data assets, your scope can be tight. A tight scope means less documentation, a shorter audit, and a more manageable ongoing programme.
Auditors understand your context. A good certification body will audit you against what ISO 27001 requires for an organisation of your type and size, not against some imagined enterprise standard.
The Practical Steps to Get Started
Step 1: Do a gap analysis
Before anything else, understand where you are now. A gap analysis compares your current security practices to what ISO 27001 requires. It tells you what you already have in place (more than you think), what needs creating, and what needs improving.
Download a free gap analysis template here.
Step 2: Define your scope
Decide which parts of your business will be covered by the ISMS. For most small businesses, this is straightforward — it’s the whole business. But if you have distinct business units or want to limit scope to a particular service, this is when you define that.
Read the full guide to defining your ISMS scope.
Step 3: Get your documentation in order
This is where most of the work happens. You need policies, a risk assessment, a Statement of Applicability, and supporting procedures. Using a document toolkit dramatically compresses this phase — instead of writing from scratch, you adapt pre-built templates.
Explore the ISO 27001 toolkit.
Step 4: Implement and operate your controls
Documentation isn’t enough. You need to implement your controls (e.g. actually enforce your password policy) and operate your ISMS (e.g. actually conduct your staff training, actually run a management review). Auditors will look for evidence that things are happening, not just that policies exist.
Step 5: Choose a certification body and get audited
Contact a UKAS-accredited certification body early — before your documentation is finalised. They’ll give you a quotation and confirm scheduling. Most do a Stage 1 (documentary review) followed by a Stage 2 (on-site or remote evidence review).
Read the guide to choosing a certification body.
Do You Need a Consultant?
Not necessarily — but it depends on your starting point and your confidence.
If you’re technically minded, have some experience with process documentation, and have capacity to lead the project, you can absolutely implement ISO 27001 yourself using a toolkit. Many small businesses do.
If you want a guaranteed outcome, a fixed timeline, and guidance from someone who has done this dozens of times, external support is worth considering. A good consultant can significantly reduce the total time and effort involved, and can help you avoid the common mistakes that delay certification.
Read more about the 90-day consultancy programme.
The Bottom Line
ISO 27001 is not too complicated, too expensive, or too enterprise-focused for small businesses. Thousands of small businesses in the UK hold ISO 27001 certification, and the number is growing as customers and regulators expect higher standards.
The key is to approach it proportionately — tight scope, practical documentation, and a focus on making your ISMS genuinely useful rather than just a paper exercise.
If you’re ready to start, the ISO 27001 basics guide is a good next step. Or if you want to hit the ground running, the toolkit gives you everything you need in one place.
FAQs
Is there a minimum size for ISO 27001 certification?
No — the standard has no minimum headcount or turnover requirement. ISO 27001 is designed to scale, and the risk assessment process means your controls are proportionate to your actual context. Some certified organisations have fewer than five employees.
How many mandatory documents does ISO 27001 require?
ISO 27001:2022 requires 14 categories of documented information, covering things like your information security policy, risk assessment results, Statement of Applicability, and internal audit records. In practice, a small business can cover most of these with a handful of concise documents — many are a page or two, not lengthy manuals. A document toolkit gives you pre-built templates so you’re adapting rather than writing from scratch.
Can a small business get ISO 27001 certified without a consultant?
Yes, many do. If you have someone who can own the project — even part-time — and you use a structured toolkit, DIY certification is realistic. The areas where a consultant adds most value are the initial gap analysis, the risk assessment methodology, and pre-audit preparation. If budget is tight, consider a light-touch engagement for those specific stages rather than full consultancy throughout.
What’s the difference between ISO 27001 and Cyber Essentials for small businesses?
Cyber Essentials is a UK government-backed scheme that focuses specifically on five technical security controls (firewalls, secure configuration, access control, malware protection, and patch management). It’s simpler to achieve and is often required for public sector contracts. ISO 27001 is broader — it covers governance, risk management, supplier security, physical security, and business continuity alongside technical controls. Many small businesses pursue Cyber Essentials first and ISO 27001 once they have enterprise customers asking for it.
Will ISO 27001 certification help a small business win more contracts?
Often, yes — particularly in B2B sectors where larger customers conduct supplier due diligence. Enterprise procurement teams, public sector buyers, and regulated industries like financial services and healthcare frequently ask suppliers to evidence ISO 27001 certification as part of onboarding. For businesses in those markets, certification can be the difference between winning or losing a contract rather than simply a nice credential to have.
