Beter Geregeld ICT
Compliance · 2 min read · 13 September 2025 · ★ Pillar guide

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

ISO 27001 has a reputation for costing €30–80k in consultancy. For an SMB with 15–60 employees, that's overkill. What you actually need is an Information Security Management System (ISMS) that fits your size, demonstrably works, and gets you through the audit.

What do you really need?

  1. A security policy (±10 pages). Not 80.
  2. A risk register that's realistic for your business.
  3. A set of implemented controls from Annex A — not all of them, just the relevant ones.
  4. Evidence that you're applying the controls: logs, reviews, incident records.
  5. An annual management review.
  6. Internal audits (once a year, in-house or outsourced).

The Annex A subset that matters for SMBs

Annex A contains 93 controls. For a typical SMB, 30–40 are relevant. The rest you justify as "Not Applicable" in your Statement of Applicability. One caveat when mapping: the 93-control count comes from the 2022 edition, whose Annex A is regrouped into four themes (A.5 organisational through A.8 technological), while the category numbers below follow the 2013 edition's layout; check which edition your certification body audits against before drafting the SoA. The key areas:

  • A.9 Access Control — the largest category and the biggest risk.
  • A.6 Organisation of Information Security — roles and responsibilities matrix.
  • A.16 Incident Management — log book and procedure.
  • A.12 Operations Security — backups, malware, monitoring.
  • A.13 Communications Security — network segmentation, encryption in transit.
  • A.18 Compliance — GDPR, DPIA, contractual requirements.

Certification costs — realistically

For a 30-person SMB at a Dutch certification body (Kiwa, DEKRA, LRQA):

  • Stage 1 + Stage 2 audit: €4,500–8,000
  • Annual surveillance audits (years 2 and 3): €2,000–3,500
  • Recertification in year 3: comparable to Stage 2

See the full cost breakdown.

Timeline: realistically

From scratch to certificate: 5–8 months. With an existing security foundation: 3–5 months.

  • Month 1: gap analysis + scope
  • Months 2–3: policy + risk register + SoA
  • Months 3–5: implement controls and gather evidence
  • Month 5: internal audit + management review
  • Month 6: Stage 1 (documentation)
  • Months 7–8: Stage 2 (implementation)

When is a consultant actually worth it?

For the gap analysis and initial policy structure (2–5 days of effort). Not for day-to-day execution — that needs to be done internally.

See also: pre-audit checklist, what is an ISMS?, and ISO vs SOC 2 for international clients.

Topics

#mkb #audit #iso-27001 #compliance #isms

Full guide: ISO 27001 for SMBs without spending €50k on consultants

This article is part of our comprehensive Compliance guide. Read the pillar for the complete picture.
