ISO 27001 for SMBs: a plain-language guide

By ComplyBricks · Last reviewed Jul 12, 2026

ISO/IEC 27001 is the international standard for managing information security. It is voluntary — you adopt it to manage risk and to earn a certificate customers trust — and it pairs naturally with the compliance obligations many EU SMBs already face. This guide explains what it involves.

What ISO 27001 is

ISO/IEC 27001 (current version: 2022) sets the requirements for an information security management system (ISMS) — a risk-based, continually improving system for protecting the confidentiality, integrity and availability of information. It is certifiable by accredited certification bodies.

The two parts

1. The management-system clauses (4–10)

These are the mandatory requirements you are audited against:

  • 4 — Context: understand your organisation, interested parties, and ISMS scope.
  • 5 — Leadership: management commitment, an information security policy, roles.
  • 6 — Planning: risk assessment and treatment, security objectives.
  • 7 — Support: resources, competence, awareness, documented information.
  • 8 — Operation: run the risk assessment and treatment; operate the controls.
  • 9 — Performance evaluation: monitoring, internal audit, management review.
  • 10 — Improvement: handle nonconformities and continually improve.

2. Annex A controls

Annex A is a reference set of 93 controls grouped into four themes:

Theme Controls
Organizational 37
People 8
Physical 14
Technological 34

You select the controls that apply to you based on your risk assessment — you don't implement all 93 blindly.

The Statement of Applicability (SoA)

The SoA lists every Annex A control, whether it applies, and the justification for including or excluding it. It's a central certification artifact and the bridge between your risk assessment and your controls.

The certification process

  1. Scope and gap analysis — decide what the ISMS covers and where you stand.
  2. Build the ISMS — risk assessment, policies, control implementation, the SoA.
  3. Operate it — generate the records and evidence auditors will want to see.
  4. Certification audit — Stage 1 (documentation review) then Stage 2 (implementation) by an accredited body.
  5. Maintain it — certificates typically run on a three-year cycle with annual surveillance audits and recertification at the end.

First-time certification commonly takes several months to about a year, depending on your size and starting maturity — treat any specific timeline as illustrative.

Why SMBs pursue it

  • Sales and procurement: customers increasingly require it before signing.
  • Risk management: a structured, repeatable way to manage security.
  • A foundation for other obligations: much of an ISO 27001 ISMS supports NIS2 and GDPR — see NIS2 vs ISO 27001.

How it relates to NIS2 and GDPR

ISO 27001's ISMS and Annex A controls cover a large part of NIS2's Art. 21 security measures and GDPR's Art. 32 security requirement. Certification doesn't automatically make you NIS2- or GDPR-compliant — those add obligations ISO 27001 doesn't — but doing the security work once and mapping it across frameworks is the efficient path.

References

  • ISO/IEC 27001:2022

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →