ISO 27001 for Small Businesses: What It Actually Means and How to Get Started
A client sends you a vendor questionnaire. One of the boxes asks: "Are you ISO 27001 certified?" You check "No" and move on, but the question sticks. The next RFP has the same requirement. Then your insurance broker mentions it. Suddenly, three letters and five numbers keep showing up in conversations you can't afford to ignore.
ISO 27001 is the international standard for information security management. For years, it was the domain of large enterprises with dedicated security teams and six-figure budgets. That's changing. More and more SMBs are finding that clients, partners, and regulators expect them to take information security seriously, and ISO 27001 is often the benchmark they point to.
This guide explains what ISO 27001 actually requires, who needs it, what it costs, and how to prepare for it as a small business without a full-time security team.
What is ISO 27001, in plain language?
ISO 27001 is a framework for managing information security. Not just IT security, but the security of all information your organisation handles, whether it's stored in a database, written in an email, or sitting in a filing cabinet.
The standard asks you to build an Information Security Management System (ISMS). That sounds heavy, but it's essentially a structured way to:
- Identify what information you need to protect
- Assess the risks to that information
- Put controls in place to manage those risks
- Document what you do and why
- Review and improve your approach over time
The current version is ISO 27001:2022, which replaced the 2013 edition. The 2022 revision restructured Annex A (93 controls, down from 114, grouped into four themes instead of 14 sections) and added eleven new controls covering areas such as threat intelligence, security for cloud services, data leakage prevention and secure coding. Certificates issued against the 2013 edition had to transition to the 2022 edition by the end of October 2025, so any new certification is against 2022.
Who actually needs ISO 27001?
Nobody is legally required to get ISO 27001 certified. It's a voluntary standard. But "voluntary" and "optional" aren't the same thing in practice.
You'll likely need ISO 27001 if:
- Enterprise clients require it. Large organisations increasingly demand ISO 27001 from their suppliers, especially if you handle their data or connect to their systems. No certification, no contract.
- You respond to RFPs and tenders. Public sector procurement and enterprise RFPs regularly list ISO 27001 as a requirement or strong preference.
- Your industry expects it. SaaS companies, IT service providers, managed service providers, and data processors are the most common SMBs pursuing certification.
- You want to prove your security posture. Rather than answering the same 200-question security questionnaire from every client, an ISO 27001 certificate gives a single, recognised answer.
- Insurance premiums matter. Some cyber insurance providers offer better terms for certified organisations.
If none of these apply to you right now, that doesn't mean they won't in a year. Supply chain security requirements are tightening across Europe, pushed by both market pressure and regulations like NIS2.
The three pillars of ISO 27001
ISO 27001 comes down to three things. Once you understand them, the standard stops being intimidating.
1. The Information Security Management System (ISMS)
The ISMS is your documented system for managing information security. It covers:
- Scope: What's included? Your entire organisation, or a specific department or service?
- Policy: A high-level information security policy that sets the direction
- Roles and responsibilities: Who owns information security? Who does what?
- Objectives: What are you trying to achieve with your security programme?
- Documentation: Policies, procedures, records, and evidence that you follow them
For an SMB, the ISMS doesn't need to be a library of documents. It needs to be proportionate to your size and the risks you face. A 15-person software company needs a different ISMS than a 500-person manufacturer.
2. Risk assessment and treatment
This is where ISO 27001 gets practical. You need to:
- Identify risks to the confidentiality, integrity, and availability of your information
- Assess each risk for likelihood and impact
- Decide what to do about each risk. The standard's own terms are modify (reduce it with controls), retain (accept it, with documented sign-off), share (transfer part of it, for example through insurance or a supplier contract), or avoid (stop doing the thing that creates it)
- Document your risk treatment plan
The standard doesn't prescribe a specific risk methodology. You can use whatever works for your organisation, as long as it's consistent, repeatable, and produces comparable results when different people apply it. For most SMBs, a simple risk matrix (likelihood x impact, each on a 1-5 scale) is sufficient, provided you also record the residual risk after treatment and who accepted it.
This overlaps heavily with what NIS2 requires for risk management. If you've already done a risk assessment for NIS2, you're partway there.
3. Annex A controls
Annex A is a catalogue of 93 security controls, organised into four themes:
- Organisational controls (37): policies, roles, supplier management, incident management
- People controls (8): screening, training, awareness, responsibilities
- Physical controls (14): access control, equipment security, secure areas
- Technological controls (34): access management, encryption, logging, network security
You don't need to implement all 93 controls, but you do need to consider every one of them. The Statement of Applicability (SoA) lists each Annex A control, states whether it applies, justifies any exclusion, and records whether it is implemented. Exclusions must follow from your risk assessment, not from convenience: for a small SaaS company running entirely in the cloud, controls for your own secure server rooms may not apply, but controls covering laptops, the office, and the relationship with the cloud provider still will. That's fine, as long as you've documented the reasoning and an auditor can trace each exclusion back to the risks.
How ISO 27001 and NIS2 overlap (and differ)
If you're an EU-based SMB looking at both ISO 27001 and NIS2, you're probably wondering how they relate. They cover similar ground, but they're different in nature.
| | ISO 27001 | NIS2 |
|---|---|---|
| Type | Voluntary international standard | Mandatory EU directive, transposed into each member state's national law |
| Enforced by | Nobody compels you to certify; accredited certification bodies audit you if you choose to | National competent authorities, with supervision and enforcement powers |
| Scope | Any organisation, any sector | Specific sectors and size thresholds (essential and important entities) |
| Focus | Information security management system | Cybersecurity risk management measures and incident reporting |
| Penalties | None from the standard itself; unresolved non-conformities can suspend or withdraw your certificate | Fines up to 10M EUR or 2% of global annual turnover for essential entities, and up to 7M EUR or 1.4% for important entities, whichever is higher |
There's a lot of overlap. Both require risk assessments, incident management, supplier management, access control, and documentation. If you build an ISMS that meets ISO 27001, you'll cover a large part of what NIS2 asks for too.
The key differences: NIS2 imposes mandatory incident reporting to the national authority (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month) and carries legal penalties. ISO 27001 requires you to manage and record incidents, but not to report them externally, and has no fines. NIS2 applies only to in-scope sectors and entity sizes; ISO 27001 applies to any organisation.
For a practical deep-dive on NIS2, see our NIS2 getting started guide.
Realistic timeline for SMBs
Getting ISO 27001 certified takes time, but less than most people assume. For a typical SMB (10-100 employees), here's a realistic timeline:
| Phase | Duration | What happens |
|---|---|---|
| Gap analysis | Month 1-2 | Assess what you have vs. what ISO 27001 requires |
| ISMS design | Month 2-4 | Define scope, policies, risk methodology |
| Risk assessment | Month 3-5 | Identify, assess, and treat risks |
| Control implementation | Month 4-8 | Put the selected Annex A controls in place, write procedures, collect evidence |
| Internal audit | Month 8-10 | Test your ISMS against the standard |
| Management review | Month 10-11 | Leadership reviews the ISMS and signs off |
| Certification audit | Month 11-14 | Stage 1 (documentation review) + Stage 2 (implementation audit) |
Total: 9-14 months for most SMBs. If you already have solid documentation from GDPR compliance or NIS2 preparation, you can move faster through the early phases. The order matters, though: the certification body will expect evidence that the internal audit and the management review have each run at least once before Stage 2, so don't book the audit before they have.
What does it actually cost?
Cost is the question everyone asks and nobody wants to answer with specifics. Here's an honest breakdown for an SMB:
Internal costs:
- Staff time: your biggest expense. Expect 1-2 people spending 20-40% of their time on the project for 6-12 months
- Training: ISO 27001 Lead Implementer or internal auditor courses run 1,500-3,000 EUR per person
External costs:
- Consultant (optional but common): 5,000-25,000 EUR depending on scope and level of support
- Certification body audit: 5,000-15,000 EUR for the initial certification (Stage 1 + Stage 2)
- Annual surveillance audits: 3,000-8,000 EUR per year
- Re-certification every 3 years: similar cost to the initial audit
Total first-year investment: roughly 10,000-50,000 EUR, depending on how much consultant support you use and the size of your organisation.
Is that a lot for an SMB? It can be. But compare it to losing a 200,000 EUR contract because you couldn't check the ISO 27001 box, or paying higher cyber insurance premiums year after year. For many SMBs, the ROI becomes clear when they look at the deals they're winning (or losing).
How to prepare without a dedicated security team
Most SMBs don't have a CISO or a security department. That's fine. Here's how to approach it:
1. Assign an owner. One person needs to own the project. This could be the IT manager, operations lead, or even the managing director. They don't need to be a security expert; they need to be organised and have management backing.
2. Start with what you have. If you've done any GDPR documentation, supplier risk assessments, or NIS2 preparation, you already have building blocks. Map what you have to ISO 27001's requirements before building new.
3. Use a structured tool. Spreadsheets work until they don't. A tool like ComplianceHive helps you manage your documentation, track risks, maintain supplier records, and keep everything audit-ready in one place.
4. Consider a consultant for the gap analysis. Even if you do most of the work internally, paying a consultant for 2-3 days to do a gap analysis can save you months of going in the wrong direction.
5. Don't aim for perfection. The standard expects a management system that's appropriate for your organisation. A 20-person company with a lean, well-maintained ISMS will pass certification. An overly complex system that nobody follows won't.
How ComplianceHive helps
ComplianceHive is built for SMBs that manage compliance without large teams. For ISO 27001 preparation, it gives you:
- Documentation management for policies, procedures, and records with version history
- Risk register to identify, assess, and track risk treatment
- Supplier management with risk scoring and contract tracking
- Software inventory to map your technology landscape
- Audit trail showing what was done, when, and by whom
There's no "click here to become ISO 27001 certified" button. Certification requires an external audit by an accredited body. But ComplianceHive gives you the foundation that makes audit preparation manageable, especially when you're dealing with ISO 27001, GDPR, and NIS2 at the same time.
Try ComplianceHive free for 30 days and start building your information security management system today.