<p>A B2B software company with 35 employees nearly lost their largest client when the client's procurement department added ISO 27001 certification as a vendor requirement. The company had strong security practices but no formal certification. The quote they received from a compliance consultancy: €85,000 for implementation plus €15,000 annually for maintenance and surveillance audits.</p>
<p>They didn't have €85,000 for compliance. But they also couldn't afford to lose a client representing 20% of their revenue. So they found a middle path — one that achieved certification for roughly a third of the quoted price.</p>
<h2>What ISO 27001 Actually Requires</h2>
<p>Strip away the jargon and ISO 27001 requires you to do three things:</p>
<ol>
<li><strong>Identify your information security risks.</strong> What data do you handle? What could go wrong? How likely is each risk, and how bad would it be?</li>
<li><strong>Implement controls to manage those risks.</strong> For each risk, have a documented plan to prevent it, detect it, or respond to it.</li>
<li><strong>Prove you're actually doing what you said you'd do.</strong> Documentation, logs, and audit trails that demonstrate your controls are operating as designed, plus the management activities the standard makes mandatory: periodic internal audits (clause 9.2), management reviews (clause 9.3), and corrective actions for whatever those audits find.</li>
</ol>
<p>Annex A of the 2022 edition lists 93 controls across four themes (organizational, people, physical, and technological). You must consider all 93, but you only implement the ones your risk assessment calls for; every control you leave out is recorded in your Statement of Applicability (SoA) with a justification, and the auditor will read those justifications. A software company with no data center of its own can exclude the server-room controls, for example, but it still has offices, laptops, and home-working staff, so the physical theme is rarely excluded wholesale.</p>
<h2>Where Small Companies Overspend</h2>
<p>Consultancies charge premium rates because they bring a comprehensive, often over-engineered approach. For an enterprise, this is appropriate. For a 30-person company, much of it is unnecessary:</p>
<p><strong>Over-documentation.</strong> You need policies and procedures, but they don't need to be 50-page documents. A clear, concise 2-3 page policy covering access control, incident response, or data classification is perfectly acceptable. Auditors care that the policy exists, is followed, and is reviewed regularly — not that it's exhaustive.</p>
<p><strong>Specialized GRC platforms.</strong> Governance, Risk, and Compliance (GRC) software costs €500-2,000/month. For a small company, a well-organized document management system with version control handles the same function. Your policies, risk assessments, and audit evidence can live in your existing business platform, as long as it keeps a version history, records who approved each document and when, and restricts who can change them; that is exactly what clause 7.5 asks for.</p>
<p><strong>Dedicated compliance staff.</strong> You don't need a full-time Information Security Officer. You need someone with allocated time (4-8 hours per week) who takes responsibility for the ISMS (Information Security Management System) and coordinates the ongoing activities.</p>
<h2>The Practical Path to Certification</h2>
<h3>Phase 1: Scope and Gap Analysis (2-4 weeks)</h3>
<p>Define what's in scope. For most small companies, this is "our SaaS application and the systems used to develop and operate it." Don't scope your entire business — focus on the part that clients care about.</p>
<p>Then assess where you already comply. Most modern businesses already do many things ISO 27001 requires: password policies, access controls, backups, incident handling. The gap is usually in documentation and formal process, not in actual security practices.</p>
<h3>Phase 2: Risk Assessment (2-3 weeks)</h3>
<p>List your information assets (customer data, application code, infrastructure, personnel records). For each asset, identify threats and vulnerabilities. Score them by likelihood and impact using a simple, written method (a 1-5 scale for each, multiplied, is common) so that the results are repeatable and comparable, which clause 6.1.2 explicitly requires. This sounds daunting, but for a focused scope, you're looking at 30-50 risks, not hundreds. The outputs of this phase are a risk register, a risk treatment plan recording what you will do about each risk above your accepted threshold, and the Statement of Applicability listing which Annex A controls you apply and why.</p>
<h3>Phase 3: Implement Controls (4-8 weeks)</h3>
<p>For each identified risk, implement or document the control that addresses it. Many controls are technical (encryption, access management, logging) and are likely already in place if you use a modern platform. Others are procedural (incident response, onboarding/offboarding, supplier assessment) and need to be documented and formalized.</p>
<p>Platform features that support ISO 27001 controls (a feature existing is not enough on its own; the auditor wants evidence that you operate it, review its output, and have a policy that says how):</p>
<ul>
<li><strong>Audit logging:</strong> Supports logging and monitoring requirements (A.8.15, A.8.16), provided the logs are protected from tampering and you can show they are actually reviewed</li>
<li><strong>Role-based access control:</strong> Supports access control and privileged access management (A.5.15, A.8.2), together with periodic access reviews and a prompt offboarding process</li>
<li><strong>Encryption at rest and in transit:</strong> Supports cryptographic controls (A.8.24), alongside a short policy covering what must be encrypted and how keys are managed</li>
<li><strong>Backup and recovery:</strong> Supports backup and redundancy requirements (A.8.13, A.8.14), with evidence that restores are tested, not just that backups run</li>
<li><strong>Document version control:</strong> Supports the documented information requirements of clause 7.5</li>
</ul>
<h3>Phase 4: Audit and Certify (4-6 weeks)</h3>
<p>Choose a certification body, and make sure it is accredited by a national accreditation body (UKAS, DAkkS, ANAB and their peers) to certify against ISO 27001; an unaccredited certificate is unlikely to satisfy a procurement department. The audit happens in two stages: Stage 1 reviews your documentation and readiness, Stage 2 tests that your controls actually work. Before Stage 2, you must have completed at least one internal audit and management review cycle, because the auditor will ask for both. For a small scope, the entire audit process typically takes 2-3 days on-site. The certificate is valid for three years, with a surveillance audit in each of the following two years and a full recertification audit in the third.</p>
<h2>Realistic Budget</h2>
<p>For a company of 20-50 employees with a focused scope:</p>
<ul>
<li><strong>Consultant support (if needed):</strong> €10,000-20,000 for guided implementation</li>
<li><strong>Internal time:</strong> 200-300 hours across the project (primarily one lead person)</li>
<li><strong>Certification audit:</strong> €5,000-10,000 depending on scope and certification body</li>
<li><strong>Annual maintenance:</strong> €3,000-5,000 for surveillance audits, 2-4 hours per week for ISMS management</li>
</ul>
<p>Total first-year cost: €15,000-30,000. Significant, but far from the €85,000 quote — and far less than losing your biggest client.</p>
<p>The key is starting with what you already have. If your business platform provides audit trails, access controls, and document management, you've already handled a substantial portion of the technical controls. The work is in documenting what you do, filling the gaps, and demonstrating it to an auditor.</p>