There is a common assumption that ISO 27001 is designed for large organisations with dedicated security teams, compliance budgets, and the resources to sustain an ongoing programme. This assumption is wrong — and it costs small businesses real opportunities. The standard itself has no minimum size requirement. Organisations with 10 employees can and do achieve certification. The question is not whether it is feasible for a small business, but whether the return justifies the investment at your current stage.
Why Small Businesses Are Increasingly Getting Certified
Enterprise procurement teams have become significantly more rigorous about vendor security assessment in recent years. The 2020-2022 wave of supply chain attacks demonstrated that large organisations were being compromised through their smaller suppliers. As a result, enterprise vendor security questionnaires now routinely include ISO 27001 as a threshold requirement — not a preference but a binary qualifier. If your target market includes enterprise accounts, not having the certificate can mean not making the shortlist.
For small B2B SaaS companies, professional services firms, and managed service providers, this dynamic is particularly acute. These businesses handle sensitive client data as a core part of their value proposition. Their clients have their own security obligations and need assurance that their suppliers are managing information assets responsibly. A 15-person SaaS company supplying into the NHS or financial services sector faces the same security questions as a 500-person one.
How ISO 27001 Scales for Small Organisations
The standard requires proportionality. Clause 6.1 requires a risk assessment "appropriate to the context of the organisation." Annex A controls are selected on the basis of that risk assessment — not mandated wholesale — and every control included or excluded is justified in the Statement of Applicability (SoA). A 15-person cloud-hosted SaaS company with no physical office of its own will legitimately implement a different control set than a 1,000-person organisation running its own data centre. The ISMS documentation for a small business can be genuinely lean: a policy set, a risk register, the SoA, and evidence that the core controls are operating.
Scope management is the key lever. A small business should define its ISMS scope tightly, covering the specific systems and processes that handle sensitive information. A five-person development team at a 20-person company might scope the ISMS around the SaaS product and its associated infrastructure, excluding the administrative functions that do not touch sensitive data. Exclusions must still be defensible: the auditor will expect the boundary to be documented, along with the interfaces between in-scope and out-of-scope functions (for example, an HR onboarding process that results in accounts being created on the in-scope platform). A tighter scope means fewer audit days, lower certification body fees, and a faster implementation path.
Common Objections — and the Reality
"It's too expensive for us."
For a 10-to-30-person organisation with a focused scope, realistic all-in costs for first-year certification typically fall between €6,000 and €18,000. This includes certification body fees, documentation, and implementation support. If your organisation is losing or being blocked from a single enterprise contract worth more than this, the business case is immediate. For organisations at the lower end of this range — doing much of the documentation work themselves using templates — total costs can be below €8,000.
"We don't have the internal expertise."
You do not need a dedicated information security manager to implement ISO 27001 at a small business scale. Many small companies designate an existing staff member — often a technical co-founder, IT lead, or operations manager — as the ISMS owner, and use external support for the elements that require specialist knowledge: the risk assessment methodology, the Statement of Applicability, and audit preparation. The ongoing maintenance, once the ISMS is established, is manageable alongside other responsibilities.
"We're too small to be a target."
Small businesses are frequently targeted precisely because they are assumed to have weaker defences. Ransomware operators do not select targets based on organisation size — they select based on vulnerability. The security discipline that ISO 27001 instils — access controls, patching, backup testing, incident response — is valuable regardless of whether you pursue formal certification.
A Lean Approach to Implementation at SME Scale
The most efficient path to certification for a small business is a structured, template-driven approach. Start with a pre-built policy set and documentation framework, adapt it to your organisation's specifics, conduct a risk assessment using a structured methodology, and build evidence of your controls in operation. The implementation timeline for a focused small business ISMS — with committed internal effort and external guidance for the specialist elements — is typically six to nine months from project start to the Stage 1 audit.
The biggest time cost in small business ISO 27001 implementation is not writing policies — it is building evidence that controls are operating: access control reviews, training logs, patch records, backup test results. These take time because the systems must have been running under the new controls for a period before there is any evidence to collect; a backup restore test or a quarterly access review cannot be back-dated. Plan for this when setting your timeline.
Realistic Costs for a 10-50 Person Business
First-Year Cost Breakdown (10–50 people)
- Certification body fees (Stage 1 + Stage 2): €3,000 to €7,000 depending on scope and body chosen
- Documentation and templates: €500 to €2,000 if using a professional template set
- External implementation support (gap analysis, SoA, risk assessment guidance): €2,000 to €8,000 depending on how much work you do internally
- Staff time cost: typically 2-4 days per month across a 6-9 month implementation period
- Annual ongoing costs (surveillance audit + maintenance): €3,000 to €6,000
Our implementation services are designed specifically for companies at this scale — practical, structured support that gets you to certification without the overhead of a large consultancy engagement. Start by exploring our template library to understand exactly what you will need to produce.