ISO 27001 for SMEs

ISO 27001 compliance, without the spreadsheets.

Plain Compliance asks simple questions about how your business actually works, then maps your answers to all 93 ISO 27001 Annex A controls — producing a first-pass gap analysis, risk register and evidence map. No spreadsheets to fill in.

The problem

Most ISO tools start with controls. Your business doesn’t.

Traditional tools

They hand you 93 controls and an empty spreadsheet, then expect you to reverse-engineer your business to fit. It’s slow, confusing, and easy to abandon.

How SMEs actually think

You think in processes: how people get hired, how systems get accessed, what happens when something breaks. Plain Compliance starts there — with your business, not the standard.

Most SMEs already do more security than they realise. The hard part is turning what you actually do into compliance artefacts an auditor or customer can understand.

How it works

Start with a conversation, not a spreadsheet.

  1. Answer plain-English questions

     No control numbers, no jargon. Just clear questions about how your business actually runs day to day.

  2. Identify existing controls

     We translate your answers into the security controls you already have in place — often more than you expected.

  3. Generate likely gaps

     See where you fall short of ISO 27001 expectations, in priority order, without wading through the full standard.

  4. Map evidence to controls

     Connect the things you already do and document to the specific controls an auditor will ask about.

  5. Build an improvement plan

     Leave with a short, realistic list of next steps — not a 93-row spreadsheet you will never finish.

Plain-English questions

Tell us how your business works. We’ll map it to compliance.

A few of the questions we ask — no security background required.

How do new staff get access to systems?

What happens when someone leaves?

Which suppliers could seriously affect your business?

What would happen if a developer laptop was compromised?

What you get

Real compliance artefacts, generated from your answers.

Gap analysis

A clear view of where you meet ISO 27001 and where you don’t — prioritised, not overwhelming.

Risk register

A starter register of the risks that actually matter to your business, ready to refine.

Evidence map

A map of what you already do and document, linked to the controls it supports.

Control mapping

Your real-world practices mapped to all 93 ISO 27001 Annex A controls in plain language.

Action plan

A short, realistic set of next steps to close your most important gaps first.

Who it’s for

Made for SMEs who are already doing the work, but need help proving it.

Start with 20 questions. Leave with a clearer picture.

No spreadsheet to fill in. No jargon to decode. Just a practical first pass at ISO 27001 built around your business.
