ISO27001 and SME

Updated: Jul 19, 2022

How can small and micro businesses implement ISO27001?

When I attend live events and talk to entrepreneurs and business owners, one of the questions I get most often is about the information security standard ISO27001. The question is, “Can it work for a small business?”

The answer to this question is a resounding YES!

According to the UK Companies Act 2006, a small company is defined as one with a turnover of not more than £6.5 million, a balance sheet total of not more than £3.26 million, and not more than fifty employees.

We have helped countless small businesses implement ISO27001 (and other standards) and helped many micro businesses. Again, according to Companies House, a micro business has a turnover of £632,000 or less, a balance sheet total of £316,000 or less, and fewer than 10 employees.

So, can ISO27001 work for them too? Again… the Answer is Yes!

We’ve guided organisations that employ just 4 or 5 people through to certification to ISO27001. At the time of writing, I’m working with someone who has 3 people in their business.

The problem with ISO27001

The idea that implementing a standard like ISO27001 is complicated and requires hundreds of policies and procedures has sadly been propagated by some consultants and salespeople from the start.

However, Consultants Like Us understand that it is a complex topic with many moving parts, but it doesn’t have to be complicated. Neither does it need to take over your entire business or prevent you from doing business! Do you NEED Consultants Like Us? No. Does it make it easier if you do? Yes.

To put it simply, if implemented correctly, ISO27001 should be a way of working that becomes part of who you are.

ISO27001 has also suffered an identity crisis due to many people’s experiences of ISO9001, the quality standard. In the past, ISO9001 was a standard that required everything to be written down – a documented procedure for every process! And so the ‘Process Manual’ was born!

Thankfully, things have changed, and both ISO27001 and ISO9001 are focused more on risk and ensuring appropriate controls are in place to manage risks (and issues) associated with security and quality, respectively.

So how can an SME implement ISO27001 effectively? What should they do?

5 Steps to ISO27001

1. Understand why

Why do you want to do ISO27001? What is the need? Are clients asking for it? Are you losing bids and tenders because you don’t have it? Have you had an incident or breach? Knowing why you want to do anything will give you the motivation to keep moving forward when your motivation is waning.

2. Get buy-in

It does not matter if you are 3 people in a room or on the board of a multi-national conglomerate – you need support from the decision-makers. Therefore, you need to understand your ‘why’ from the outset. Leadership is integral to the success of your implementation because, without it, you won’t get the resources you need, and it will ultimately become a paper exercise, leading to a paper shield that protects no one.

3. Get a copy of the standard

This may sound obvious – but have you read the standard? If you have not purchased a copy, then follow the link here, buy it, and read it. Is it an exciting read? No! But if you are going to understand what’s required, then you need to read it!

4. Gap Analysis

Now that you have read the standard, it’s time to look at your business through the lens of ISO27001. Where are your gaps? Do you have the policies required? Do you have the leadership and resources? What about training and awareness? Performing a gap analysis between what the standard requires and what you have in place gives you a clear picture of what you need to do. This becomes your programme of work.

5. Get started (but ask for help if you need it)

You have support. You have read the standard, and you know where the gaps are… so it’s time to start filling them in.

But let us be clear: you are going to be able to do this a whole lot quicker if you get help. I often tell people that I could build a house if I wanted to, but it would take me a long time to learn the skills required. The result would be a house – but not of the quality I was hoping for.

If you are struggling, or you are not interested in doing this alone, then call out for help from Consultants Like Us, who are able to fast-track you to where you need to be.


There is clearly a lot more to implementing ISO27001 than these five steps, but I promise you that if you’re an SME, the above will get you on the path toward certification. Consultants Like Us do this day in and day out, so I understand that to us it looks easy, but I promise you that if you keep it simple and remember that it’s the journey towards certification where you’ll learn the most, then you’ll do well.

The bottom line is that ISO27001 can be implemented in large or small businesses. Micro businesses do not have to miss out either, and the benefits of implementing the standard are the same irrespective of the size of the business: increased security, trust, confidence and the ability to win new business.

I would say that is a win for everyone.

Give me a call

Interested in ISO27001 and building trust with your clients? Then give me a call today, and we’ll discuss how easy it can be to implement when approached practically and in a structured way.

PS: ISO27001 is a fantastic way to demonstrate compliance with the GDPR too. It does not make you GDPR compliant, but it undoubtedly shows that you care about processing (personal) data securely.
