What small software companies usually already have right
If you build software for a living, you’re probably closer to ISO 27001 than you think. Here’s what most teams already have covered.
- iso-27001
- software
Small software companies often assume ISO 27001 will be a mountain of new work. In practice, the day-to-day habits of a decent engineering team already satisfy a surprising number of controls. The work is mostly about writing down what you do.
You already version and review code
Source control with pull requests and mandatory reviews is change management in practice: the merge history records what changed, who approved it, and when. That covers a good part of the controls around secure development and change control. What an auditor will want to see is that the review is enforced rather than merely customary, so point them to the branch protection rule that blocks merging without an approval, and to a handful of merged pull requests as samples.
You already manage access through your tooling
Single sign-on, role-based access in your cloud provider, and per-repo permissions are real access controls. The gap is usually evidence rather than tooling: who reviews who has access and how often, whether leavers are removed promptly, and a record that the review actually happened.
You already monitor and alert
If you have uptime monitoring, error tracking, and an on-call rota, you have the bones of logging, monitoring, and incident response. Formalising what counts as a security incident, who gets told, and where the timeline and decisions are recorded is often the only missing piece.
You already back up and recover
Managed databases with automated backups and infrastructure-as-code mean you can rebuild both the data and the environment it runs in. An untested backup is not a control, though: what auditors want is evidence that you have restored from one and checked the result. So restore into a scratch environment, confirm the data is complete and consistent, and write down when you did it, how long it took, and what you found.
Where the real gaps usually are
It’s rarely the technical stuff. It’s the surrounding governance:
- No named owner for information security
- No documented review of suppliers (the cloud, SaaS and contractors you depend on)
- No regular, recorded review of any of the above
The engineering is mature. The paperwork is what’s missing.
That’s good news: it means certification is mostly about capturing reality, not rebuilding how you work. See how Plain Compliance maps it.
Compliance starts with a conversation.
Answer around 20 plain-English questions and get a first-pass ISO 27001 gap analysis built around your business.
Start your free gap analysis