ISO 27001, explained for small businesses.
What it is, why your customers keep asking about it, and how to start without drowning in jargon or controls.
What ISO 27001 actually is
ISO 27001 is an international standard for managing information security. At its heart it’s simple: understand your risks, decide what to do about them, put sensible controls in place, and keep checking they work. The framework around that is called an Information Security Management System (ISMS).
The standard includes a set of 93 reference controls (Annex A in the 2022 edition) covering things like access, suppliers, backups, and incident response. You don’t implement all of them — you apply the ones relevant to your risks, and justify why each of the rest is not applicable.
Why your customers ask for it
For larger buyers and government departments, ISO 27001 is a shorthand for “this supplier takes security seriously.” Increasingly it shows up in tenders, vendor questionnaires, and contract terms. For an SME, being able to demonstrate progress — even before certification — can be the difference between winning and losing a deal.
Common misconceptions
You need a dedicated security team.
Most SMEs run their ISMS with one owner and a handful of part-time contributors. Keeping it proportionate to the business is the goal.
You start by writing policies.
You start by understanding what you already do. Policies describe reality — they shouldn’t invent it.
It takes a year before you see value.
A first-pass gap analysis is useful on day one — for sales conversations, questionnaires, and prioritising work.
Where to start
The most common mistake is starting with the controls. It feels productive, but you end up describing an idealised business instead of your real one.
Start with evidence instead: write down what you already do. Plain Compliance does this by asking about your business in plain English, then mapping your answers to the standard. You get a first-pass gap analysis that tells you what’s already covered and what to tackle next.
Frequently asked questions
Do we need ISO 27001 if a customer is just asking a few security questions?
Often not straight away. But the work you do to answer a security questionnaire is the same work that underpins ISO 27001. Starting with a gap analysis means you answer the questionnaire today and have a head start on certification later.
Isn’t ISO 27001 only for big companies?
No. The standard scales to your size. A small software team or MSP can run a perfectly credible information security management system — the trick is keeping the scope and documentation proportionate.
How is this different from Essential Eight or Cyber Essentials?
Those are fixed control checklists; ISO 27001 is a risk-based management system. The good news is they overlap heavily. The practices we surface in your gap analysis support all of them, so you’re rarely starting from scratch.
Do we have to implement all 93 controls?
No. The 93 Annex A controls in ISO 27001:2022 are a menu, not a mandate. You apply the ones relevant to your risks and justify any you exclude. We map your business to all 93 so you can see what’s covered, what’s relevant, and what you can reasonably leave out.
See where you stand against ISO 27001.
Get a first-pass gap analysis without drowning in jargon — built around how your business actually works.