ISO 27001 Compliance for Small Businesses: Where to Start

By Brian Crocker · Published 5 July 2026

ISO 27001 compliance for small businesses used to be optional. Now it is table stakes. If your UK SMB handles client data, provides IT services, or bids on public sector contracts, you have already been asked "Are you ISO 27001 certified?" in a supplier questionnaire or tender.

The good news: a 12-person software company can achieve certification with the same standard as a multinational bank. The scope, controls, and evidence scale to your size. Here is what ISO 27001 actually requires, what it costs, and 5 steps to get started.

What ISO 27001 requires

ISO 27001:2022 (published October 2022) has two parts:

  1. Management system clauses (4-10) — the ISMS framework. Policy, risk assessment, objectives, internal audits, management reviews, corrective actions. If you hold ISO 9001, this structure is familiar — both follow Annex SL.
  2. Annex A controls (93 across 4 categories) — specific security measures. Not all 93 apply. You decide which are applicable based on your risk assessment and document decisions in a Statement of Applicability (SoA).

The 4 categories: organisational (37 controls), people (8), physical (14), technological (34). The standard does not prescribe specific technologies or products. It requires you to identify risks, choose controls, implement them, and prove they work.

What it costs

Indicative costs for a UK SMB with 10-50 employees:

Cost category Range
Certification body fees (Stage 1 + Stage 2) £3,500-£7,000
Consultancy support (optional) £3,000-£12,000
DIY documentation time 150-400 hours over 3-6 months
Annual surveillance audit £1,500-£3,500
Recertification (every 3 years) £2,500-£5,500

Total first-year cost: £5,000-£18,000. These follow a similar structure to ISO 9001 certification costs. Pursuing both standards together reduces total fees by 20-30% through integrated audits.

5 steps to get started

Step 1: Define your ISMS scope

ISO 27001 Clause 4.3 requires you to document what the ISMS covers: business units, sites, systems, and information assets. For most SMBs, the scope is the entire business.

Caution: scoping too narrowly ("only our London office") creates problems if client data also lives on laptops, cloud platforms, or a co-located server elsewhere. Auditors probe boundaries.

Step 2: Run a gap analysis

Before spending on consultancy, find out where you stand. Score each Annex A control and ISMS clause on a 0-3 scale. Our ISO 27001 gap analysis template walks through this in detail. Allow 2-3 days. The output is your project plan.

Step 3: Conduct your risk assessment

Clause 6.1.2 requires a formal information security risk assessment. You need:

  • A methodology — how you identify, analyse, and evaluate risks. Document it before starting.
  • An asset inventory — information, software, hardware, people, services.
  • Threat identification — data breach, ransomware, insider threat, hardware failure, supplier compromise.
  • Risk evaluation — likelihood x impact on a 3x3 or 5x5 matrix.
  • Treatment decisions — mitigate, accept, transfer, or avoid each risk.

The NCSC publishes free risk management guidance at ncsc.gov.uk. Their Board Toolkit is worth reading first.

Step 4: Implement controls and document

Based on your risk assessment, implement applicable Annex A controls. Minimum documentation:

  • Information security policy (Clause 5.2)
  • Risk assessment methodology and results (Clause 6.1.2)
  • Statement of Applicability (Clause 6.1.3 d)
  • Risk treatment plan
  • Security objectives (Clause 6.2)
  • Internal audit records (Clause 9.2)
  • Management review minutes (Clause 9.3)
  • Corrective action records (Clause 10.2)

Keep it proportionate. A 15-person business does not need 200 pages.

If you already have ISO 9001 documentation, you can reuse document control, internal audit, management review, and corrective action procedures — they are structurally identical. A documentation tool that supports multiple standards makes this easier.

Step 5: Internal audit, management review, certification

Before booking your certification audit, complete:

  • At least one internal audit of your ISMS (Clause 9.2) — the auditor must be independent of the processes audited
  • At least one management review (Clause 9.3) with all required inputs
  • Corrective actions from audit findings, with evidence

Then book with a UKAS-accredited certification body (ukas.com). Stage 1 (documentation review, typically 1 day) then Stage 2 (implementation audit, 2-4 days for 10-50 staff).

Plan 3-6 months from gap analysis to Stage 1 readiness.

UK-specific considerations

UK GDPR. Your ISMS should address Data Protection Act 2018 / UK GDPR requirements: 72-hour breach notification to the ICO (Article 33), DPIAs (Article 35), data subject rights. Guidance at ico.org.uk.

Cyber Essentials. If you hold CE or CE Plus (NCSC/IASME), many technological controls are partially covered — firewalls, secure configuration, access control, malware protection, and patch management map to Annex A controls A.8.20, A.8.9, A.8.2-A.8.5, A.8.7, and A.8.8.

Public sector supply chain. The Cabinet Office Security Policy Framework and MOD Def Stan 05-138 reference ISO 27001 as a baseline for suppliers handling official information.

Practical takeaway checklist

  1. Start with scope and risk assessment, not Annex A controls
  2. Run a gap analysis before committing budget
  3. If you hold Cyber Essentials, map existing evidence against Annex A first
  4. Budget £5,000-£18,000 for year one
  5. Plan 3-6 months preparation plus 2-3 months for the certification process
  6. Use the cost estimator to model cost structure
  7. If pursuing ISO 9001 too, build an integrated system from the start — the DIY guide covers the approach

This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.

ClauseWise is coming soon

Generate your ISO 9001 and ISO 27001 documentation without consultant fees.