Plain Compliance

Why SMEs should start with evidence, not controls

Starting an ISO 27001 project with the control list feels productive — but it’s the slow way round. Start with what you already do instead.

  • iso-27001
  • evidence

Almost every SME starting ISO 27001 makes the same first move: they download the list of Annex A controls and start working through it. It feels organised. It’s also the slow way round.

The problem with starting at the controls

When you start with the controls, you’re forced to imagine an idealised version of your business — one that already has a formal access policy, a vendor risk process, a tested continuity plan. You end up writing aspirations, not facts. Then, months later, an auditor asks for evidence and the gap between the document and reality becomes obvious.

Start with what you already do

Most SMEs are already doing far more security than they realise:

  • You probably remove access when people leave — you just haven’t documented it.
  • You probably have backups — you’ve just never formally tested them.
  • You probably vet important suppliers — informally, over a coffee.

Each of these is evidence. Written down and linked to a control, it becomes the backbone of your ISMS.

Evidence-first, in practice

  1. Describe how your business actually works, in plain language.
  2. Identify the controls that description already satisfies.
  3. Only then look at what’s genuinely missing.

This flips the project from “implement 93 controls” to “document what we do, then fill a handful of real gaps.” It’s faster, more honest, and far more likely to survive an audit.

That’s exactly the order Plain Compliance works in. See how it works.

Compliance starts with a conversation.

Answer around 20 plain-English questions and get a first-pass ISO 27001 gap analysis built around your business.
