Secfix ISO 27001 (2022) Guide for SMBs_EN


ISO 27001

Guide for SMEs


Table of contents

1. Introduction 3
2. What is ISO 27001 and why does my company need it? 3
3. What is an ISMS and what are the requirements? 4
4. How much does ISO 27001 cost? 6
5. How long does it take to get ISO 27001 certified? 8
6. How much time and effort will my team need to invest? 9
7. What are the categories and controls of ISO 27001? 11
8. How to accelerate ISO 27001 implementation with Secfix? 11

1. Introduction

If you're reading this, you're probably running a small or medium-sized business and are keen on boosting your company's information security. Maybe you've had to answer plenty of security questions from big enterprises, or you've involved your executive team in sales talks to show how safe your company is. Imagine how much easier it would be if your company's security standards were clear right from the start, thanks to an ISO 27001 certification.

As your business grows, keeping your services and data safe and private becomes crucial. Any kind of security problem – like data breaches or leaks – can really affect your business's smooth running and future.

This guide is here to help you set up a solid information security management system
(ISMS) that meets the ISO 27001 standard updated to the 2022 version. We'll walk you
through preparing for an external review of your ISMS, which is a big step towards getting
your ISO 27001 certification.

By getting an ISO 27001 certification, you'll find it easier to win new business. This guide
will show you how this certification can simplify your sales process, cut down the time
spent on security forms, and strengthen your company's security from the ground up.

2. What is ISO 27001 and why does my company need it?

ISO 27001 is like a badge of honor for your business's information security. It shows everyone - your clients, partners, and even your team - that you're serious about protecting data. It's all about recognizing risks, understanding how they can affect your business, and putting in place strong measures to keep harm away.

Think of ISO 27001 as a high-quality seal of approval for how you handle IT security. It
helps align your team, your processes, and your tech to ensure that all the important
information you handle is kept safe, accessible, and intact.

Why your company needs ISO 27001

● Building Trust: This certification is especially important if you deal with sensitive
data for other businesses. It's a clear signal that you can be trusted with important
information.
● Winning More Clients: Many clients prefer working with ISO 27001 certified
companies. It gives you an edge over competitors and makes the sales process
smoother, showing you're committed to protecting client data.

💡 Fact: An ISO 27001 certification is one of the best ways to show potential customers
that you have their best interests at heart. This brings many benefits to your
company.

3. What is an ISMS and what are the requirements?

An ISMS is a carefully planned system that manages your company's information security.
It includes rules, methods, and tools designed to protect your business from IT risks. It's
about setting standards for how your team handles sensitive information and interacts
with data assets.

Requirements of an effective ISMS:

1. Scope of the ISMS: This is about determining which parts of your business the ISMS will
cover. It's a crucial first step, as it sets the boundaries for where and how your information
security measures will be applied. Whether it covers a specific department or the entire
organization, the scope should be clear and align with your business objectives.

2. Creating an ISMS Information Security Policy: This policy is the foundation of your
ISMS. It should lay out the overarching strategy for managing information security and
include details on:
● Information Security Objectives
● Leadership and Commitment
● Roles, Responsibilities, and Authorities
● Approach to Assessing and Treating Risk
● Control of Documented Information
● Communication
● Internal Audit
● Management Review
● Corrective Action and Continual Improvement
● Policy Violations

3. Conducting a Comprehensive Risk Assessment: This step involves identifying potential security risks, evaluating their likelihood and potential impact, and determining how to handle them. It's about understanding where your information security might be vulnerable and planning accordingly.

4. Developing a Detailed Risk Treatment Plan: Based on the risk assessment, this plan
outlines specific actions for each identified risk. It includes assigning someone responsible
for each risk, setting deadlines for when actions should be completed, and deciding
whether to accept, mitigate, transfer, or avoid each risk.

5. Creating a Thorough Asset Inventory: This involves listing all the information assets
within your organization, including physical devices like computers and servers, as well as
intangible assets like data and intellectual property. Each asset should be classified and
have an assigned owner responsible for its security.

6. Performing an Internal Audit: Before external audits, you'll need to conduct internal
checks to make sure your ISMS aligns with ISO 27001 standards. This process helps
identify and fix any issues and ensures you're ready for the certification audit.

Unlike a certification audit, which mandates engaging an external third-party auditor for
the assessment, the internal audit can be executed by either your organization's personnel
or an external independent entity, such as a consulting firm.

💡 Fact: The internal audit function is a requirement under the ISO 27001 standard.

7. Preparing for External Audits (Stage I and Stage II): These audits are key to achieving
ISO 27001 certification.

The Stage I audit involves a thorough evaluation of documentation, conducted by an external ISO 27001 auditor. In this stage, the auditor will review your documentation (including your policies, the statement of applicability (SoA), risk register and your internal audit report). After the audit, you'll receive a report detailing any nonconformities, and you'll have 30 days to address these issues. Once you’ve fixed the nonconformities, you’ll be allowed to move on to the Stage II audit.

The Stage II audit involves reviewing what you’ve actually implemented in the company. As an example, if you’ve written in your policies that you conduct security awareness training with employees once a year, the auditor will ask you for proof such as the training certificates. If you’ve written down that you use a password manager in the company, the auditor will check whether it is installed on all company devices. Having all the evidence of what you’ve done for the audit in one place is super important for this stage.

8. Executing Regular Management Reviews: This involves top management regularly reviewing the ISMS to ensure it remains effective and aligned with business goals. These reviews should happen at least annually and ideally more frequently, keeping pace with the evolving information security landscape.

4. How much does ISO 27001 cost?

The costs of getting ISO 27001 certified vary based on your company's size and workforce. They typically include expenses for audit preparation, the certification process itself, and ongoing surveillance audits to maintain the certification. It is crucial that you understand the costs before you get started with your ISO 27001 journey. Here’s an example of the costs for a company with 10-100 employees to help you plan effectively:

Image 1: Costs of an ISO 27001 certification with or without Secfix

1. Implementation Costs:

When it comes to implementing ISO 27001, there are primarily two paths you can take.

● The consultant-led approach: The first is hiring a consultant, which is the more traditional and more expensive route. This option might cost your business about 80,000 to 150,000 EUR annually and could take 12 to 18 months to complete.

● The automation-led approach: Alternatively, automation tools like Secfix offer a more cost-efficient and time-saving solution, with costs ranging between 10,000 and 30,000 EUR. Secfix’s annual subscription, tailored to your company's size and the specific frameworks you need, can significantly reduce both the duration and the expenses compared to hiring a consultant.

2. Internal Audit Costs:

Internal audits are a requirement for ISO 27001. Usually, each one will cost you between 3,000 and 5,000 EUR. You’ll need these audits annually, before each external audit.

3. External Audit Costs:

External audit costs are divided into four different costs:
● Year 1: ISO 27001 Certification
● Year 2: Surveillance Audit
● Year 3: Surveillance Audit
● Year 4: Recertification

For a company with a workforce ranging from 10 to 100 employees, the initial certification audit is likely to cost between 6,000 and 14,000 EUR. In the following two years, surveillance audits are required to maintain the certification, costing between 4,000 and 8,000 EUR each. Recertification costs about the same as the initial certification.

4. Additional Security Tools and Services:

In addition to these direct costs associated with the certification process, don't overlook
the budget for other necessary security tools and services. These may include password
management solutions, vulnerability scans, and cloud security configurations, which
typically require an allocation of about 1,000 to 2,000 EUR per year. While not a strict
requirement for ISO 27001, conducting penetration tests (pentests) is highly
recommended to strengthen your cybersecurity posture. For small businesses, the cost for
pentests can range from 6,000 to 12,000 EUR annually.

5. How long does it take to get ISO 27001 certified?

1. Certification Phase

The average time for certification with Secfix is 3-6 months, which is significantly shorter
compared to the 12-18 months it typically takes with the traditional methods. The speed
of certification depends on the company size and internal resources.

Here are two typical use cases that showcase the certification timeline:

● 5 weeks to ISO certification: Small companies with 2-30 employees and at least one person working full-time on the certification process.

For example, Bao, a Munich-based company with 14 employees, achieved ISO certification in just 5 weeks. Their Head of IT dedicated 3 weeks of full-time work to the certification. Since they had no existing processes for information security and data handling, they built everything from scratch within those few weeks. You can read more about Bao's journey here.

● 3-6 months to ISO certification: Companies with 31-500 employees who want to
pursue ISO certification alongside other activities. In this case, at least two people
are working on the ISO certification, and there is no strict deadline. For instance,
Velaris, a UK company with approximately 50 employees, assigned a BizOps and
DevOps employee to the project. They dedicated 6-10 hours per week for 10 weeks,
while also managing their regular daily tasks. Similar to Bao, Velaris had no
established processes in place, so they built everything from scratch using Secfix.
You can read about Velaris' certification here.

Many customers achieve full certification even faster than this; however, it is important to give prospects a range to temper expectations.

2. Maintenance Phase

Maintenance is a critical aspect of ISO 27001 certification. The certification lasts for 3 years, and during this time, regular surveillance audits are conducted. These audits involve the auditor returning in year 2 and year 3 to verify that the customer has maintained their Information Security Management System (ISMS) throughout the year. In year 4, the company needs to conduct a recertification.

Failing to provide sufficient evidence of maintenance can result in the certificate being
revoked. Typically, customers are required to provide extensive time-stamped evidence to
satisfy the auditor.

6. How much time and effort will my team need to invest?

To give you an idea of what the project looks like, below is a list of the key tasks to be completed:

● Configuration of Infrastructure
● Security Awareness Training
● Inventory Management
● Policy Documentation and Implementation
● Vendor Management
● Risk Assessment
● Access Management
● Endpoint security monitoring
● Evidence collection
● Internal audit and management review

Below is a further breakdown of the internal resource allocation required for ISO 27001.

Image 2: Time and effort required for ISO 27001 certification

7. What are the categories and controls of ISO 27001?

In the 2013 version, the controls were still divided into 14 different clauses with 114 controls. In the current version, ISO 27001:2022, 93 controls are instead assigned to the following four categories:

● Organizational (37 controls)
● People (8 controls)
● Technological (34 controls)
● Physical (14 controls)

The alteration in terminology serves to enhance the comprehension of how Annex A controls contribute to information security. The prior domain names were formulated with an IT professional audience in mind, rather than management. As organizations aim to attain ISO 27001:2022 certification, it becomes essential for them to revise their Statement of Applicability to align with this revised structure. You can read more about the changes in controls from ISO 27001:2013 to ISO 27001:2022 here.

8. How to accelerate ISO 27001 implementation with Secfix?

Secfix accelerates the ISO 27001 certification process by automating compliance-related tasks. This automation shortens the traditionally lengthy and costly journey to becoming and remaining ISO 27001 compliant by up to 90%. Designed and developed in Germany, the Secfix platform stands as a testament to quality and reliability.

Our platform is made for digital companies that commonly use a variety of cloud-based tools, including task trackers like Jira and GitHub, identity providers such as Google Workspace and Office 365, HRIS systems like Personio, and cloud services like Azure or AWS. The Secfix Platform integrates these tools to create an automated checklist with over 250 checks that will tell you what your company needs to do to become and remain compliant.

Key Benefits of the Secfix Platform

● Time Efficiency: The Secfix Platform can expedite the implementation of security
standards like ISO 27001 and SOC 2 by up to 90%, transforming a process that
could take months into weeks.

● Customizable Security Policies: Access a library of customizable, auditor-verified security policies. These policies are designed to be user-friendly and can be easily disseminated to your employees via the platform.

● Continuous Compliance Monitoring: Post-certification, the platform ensures continued compliance with minimal effort. Its automated checks and reminders keep your business aligned with ISO 27001 standards, effectively placing your compliance management on autopilot.

Schedule your first free consultation with Secfix!
