ISO 27001 for SMBs: a plain-language guide
By ComplyBricks · Last reviewed Jul 12, 2026
ISO/IEC 27001 is the international standard for managing information security. It is voluntary — you adopt it to manage risk and to earn a certificate customers trust — and it pairs naturally with the compliance obligations many EU SMBs already face. This guide explains what it involves.
What ISO 27001 is
ISO/IEC 27001 (current version: 2022) sets the requirements for an information security management system (ISMS) — a risk-based, continually improving system for protecting the confidentiality, integrity and availability of information. It is certifiable by accredited certification bodies.
The two parts
1. The management-system clauses (4–10)
These are the mandatory requirements you are audited against:
- 4 — Context: understand your organisation, interested parties, and ISMS scope.
- 5 — Leadership: management commitment, an information security policy, roles.
- 6 — Planning: risk assessment and treatment, security objectives.
- 7 — Support: resources, competence, awareness, documented information.
- 8 — Operation: run the risk assessment and treatment; operate the controls.
- 9 — Performance evaluation: monitoring, internal audit, management review.
- 10 — Improvement: handle nonconformities and continually improve.
2. Annex A controls
Annex A is a reference set of 93 controls grouped into four themes:
| Theme | Controls |
|---|---|
| Organizational | 37 |
| People | 8 |
| Physical | 14 |
| Technological | 34 |
You select the controls that apply to you based on your risk assessment — you don't implement all 93 blindly.
The Statement of Applicability (SoA)
The SoA lists every Annex A control, whether it applies, and the justification for including or excluding it. It's a central certification artifact and the bridge between your risk assessment and your controls.
The certification process
- Scope and gap analysis — decide what the ISMS covers and where you stand.
- Build the ISMS — risk assessment, policies, control implementation, the SoA.
- Operate it — generate the records and evidence auditors will want to see.
- Certification audit — Stage 1 (documentation review) then Stage 2 (implementation) by an accredited body.
- Maintain it — certificates typically run on a three-year cycle with annual surveillance audits and recertification at the end.
First-time certification commonly takes several months to about a year, depending on your size and starting maturity — treat any specific timeline as illustrative.
Why SMBs pursue it
- Sales and procurement: customers increasingly require it before signing.
- Risk management: a structured, repeatable way to manage security.
- A foundation for other obligations: much of an ISO 27001 ISMS supports NIS2 and GDPR — see NIS2 vs ISO 27001.
How it relates to NIS2 and GDPR
ISO 27001's ISMS and Annex A controls cover a large part of NIS2's Art. 21 security measures and GDPR's Art. 32 security requirement. Certification doesn't automatically make you NIS2- or GDPR-compliant — those add obligations ISO 27001 doesn't — but doing the security work once and mapping it across frameworks is the efficient path.
References
- ISO/IEC 27001:2022
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →