
ISO 27001 implementation for UK small businesses
The information security standard larger customers ask for, scoped and run to fit a business your size.
Sooner or later, a customer or a tender will ask whether you hold ISO 27001. For a smaller business, that question can feel out of proportion. ISO 27001 has a reputation as an enterprise standard, heavy on documentation and slow to achieve. Some of that reputation is earned, and some of it comes from how the work is sold. This page explains what ISO 27001 is, what certification involves for an SME, and how we keep it proportionate to a business your size.
Understanding ISO 27001
ISO 27001 is the international standard for an information security management system, usually shortened to ISMS. The word that matters there is system. ISO 27001 is not a list of controls you tick off once. It is a way of running security: you decide what information you need to protect, assess the risks to it, put controls in place to manage those risks, and then keep checking that the whole thing still works as your business changes.
That is the part SMEs find surprising. The certificate is not really the goal. It is the evidence. An accredited certification body audits your ISMS and, if it holds up, certifies that you run security in a structured, repeatable way. That is why customers ask for it. ISO 27001 tells them you have a system rather than a one-off effort.
The 2013 standard has lapsed
The current standard is ISO/IEC 27001:2022. It replaced the 2013 version, and the transition window for existing certificates closed on 31 October 2025. Any certification now runs against the 2022 text, and 2013 certificates have lapsed. If a supplier or a template pack still refers to the 2013 version, treat that as a sign the material is out of date.
The 2022 update reorganised the controls in Annex A into four groups (organisational, people, physical, and technological) and added eleven new ones. The new controls reflect how businesses actually operate now, covering areas such as cloud services, threat intelligence, and secure data handling. For an SME that has moved most of its work to the cloud, the 2022 version is a better fit than the standard it replaced, because it stops treating the server room as the place where the risk lives.
The route to certification
The path is fairly predictable, even if the timeline varies. The single biggest decision is scope. Drawn too wide and a manageable project becomes a long one.
1. Gap analysis: where you are now, measured against where the standard expects you to be.
2. Set scope: which parts of the business and which information the ISMS covers. The decision that shapes everything after it.
3. Risk assessment: identify the risks to the information in scope, then decide which controls treat them.
4. Build the ISMS: documentation, technical controls, and the operational processes that make the system real.
5. Internal audit and management review: find problems yourself, before an external auditor does.
6. Stage 1 audit: documentation and readiness review. Has the ISMS been designed and put in place?
7. Stage 2 audit: the substantive audit. Does the system you describe match the system you actually run?
8. Certified, then maintained: annual surveillance audits, with full recertification every three years. The ISMS keeps running between them.
Is ISO 27001 right for you, or is Cyber Essentials enough?
The two are not rivals. Plenty of businesses hold Cyber Essentials and treat it as a foundation on the way to ISO 27001. The question is which one earns its place for your situation right now.
Cyber Essentials
A recognised security baseline at modest cost and effort. Often enough on its own.
- Five core technical controls
- Weeks to certify, modest fee
- Recognised by insurers and government
- Does not cover governance or risk management
ISO 27001
A managed system for information security. Larger commitment, broader coverage.
- Whole ISMS, governance and continual improvement
- 6 to 9 months for a tightly scoped SME
- Asked for by enterprise customers and tenders
- Ongoing audits and recertification every 3 years
ISO 27001 earns its place when customers or tenders specifically require it, when you handle sensitive data at a scale where a baseline no longer reassures anyone, or when you want security run as a managed system rather than a certificate on the wall. If you are unsure which you need, read the Cyber Essentials page or have the conversation with us before you spend anything.
How we help
There is a well-worn way of selling ISO 27001 to SMEs: a pack of templates and a consultant who gets you through the audit. It works, in the narrow sense that you end up certified. The problem is what you are left with: an ISMS that exists on paper, that nobody owns, and that drifts out of date until the next audit panic.
We do it differently. The advisory work comes first: getting the scope right, keeping it proportionate, and ensuring the ISMS reflects how your business operates. Then the hands-on work, if you want it. We write the documentation with you rather than handing you a folder, implement the technical controls, and run the internal audit. For businesses without an internal owner for security, we can carry the ISMS forward as ongoing security leadership on a vCISO retainer, so it stays alive between audits. Where the 2022 controls call for technical fixes, that connects directly to our remediation service.
Ready for Enterprise Clients?
If a customer has asked about ISO 27001 and you are not sure where to start, book a free 60-minute call. We will talk through your scope, a realistic timeline, and whether certification is the right step for you now.