
ISO 27001 For Small Business

What is ISO 27001?


ISO 27001 is an internationally recognised standard for establishing, implementing and maintaining an Information Security Management System (ISMS) within a business. It is one of the most widely recognised information security standards in the world. The standard was last updated in 2022. Its aim is to protect all information assets within an organisation.


ISO 27001 uses a risk-based approach, referencing a set of 93 controls (referred to as Annex A) across 4 domains: organisational, people, physical and technical. Which controls apply depends on your organisational context, scope and risk.


Why should a small business consider ISO 27001?


Small businesses are not immune to cyber attacks. An effective ISMS helps demonstrate management of cyber security within a small organisation, bolstering its cyber resilience.

ISO 27001 offers a range of benefits for small businesses. It provides a structured framework for managing information security risk. This allows a small organisation to ensure the confidentiality, integrity and availability of information (commonly known as the CIA triad). ISO 27001 also allows a small organisation to demonstrate to stakeholders that it takes information security seriously, improving trust.

Furthermore, ISO 27001 helps small businesses comply with information security legal and regulatory requirements. The framework provides a clear demonstration of managing information security, helping you comply with relevant laws and regulations. This reduces the likelihood of fines and penalties associated with a lack of compliance.

From a compliance standpoint, an ISMS that conforms to the ISO 27001 standard can help with conforming to Article 32 of the EU General Data Protection Regulation (GDPR). An effective ISMS showcases the consideration of the CIA triad within the organisation. You can read further about the link between ISO 27001 and GDPR here.

ISO 27001 also provides a great competitive advantage. Some businesses require compliance with ISO 27001 as a condition of doing business. Having this competitive advantage could better position your organisation to attract new clients and opportunities. 

The benefits offered by ISO 27001 are huge for a small organisation. Strengthening your security posture helps protect your organisation, whilst also enhancing your reputation and potential opportunities.


How can we help? 


Practical Infosec can help by offering consulting around the implementation of the ISMS, using the ISO 27001 standard. We can guide you through the process, getting you to the audit stage. 


Typically, ISO 27001 is not a priority for smaller businesses due to its associated costs. Depending on your timescales and requirements, we spread the process out over a yearly program as part of our Security Journey service, costing from £1,500 per month. 


What does the process look like? 


ISO 27001 is designed around the context of your organisation and setting the scope for the ISMS. From there, the process involves identifying, managing and mitigating information security risk. The risk management stage allows us to design a program around continuous improvement of the ISMS, involving people, process and technology. The ISMS is then audited internally, then externally, and, if correctly implemented, achieves certification to ISO 27001.


ISO 27001 is typically implemented through the PDCA Cycle:

  • Plan - What you wish to achieve and how to do it 

  • Do - Implementing what you have planned for 

  • Check - Confirming if things went as planned 

  • Act - Closing the gap between the plan and check phases


Once certification is achieved, a big step is demonstrating your commitment to continuous improvement of the ISMS. The certification body will then reassess you at a 3-year interval, as part of the 3-year re-certification audit.

Next Steps

If you would like to enquire about ISO 27001 or ask any questions, you can book a free call here or get in touch.
