Compliance

ISO 27001:2022 Certification Roadmap for SMBs

Sophie Vandenberghe
Compliance Director
June 8, 2025
8 min read
#ISO 27001#Certification#ISMS#SMB#Compliance#Information Security

ISO 27001:2022 certification has evolved from a nice-to-have differentiator to a business necessity. Enterprise clients increasingly require it from their suppliers, regulators reference it in compliance frameworks, and cyber insurers offer premium reductions for certified organizations. For small and medium-sized businesses (SMBs), the path to certification can seem daunting, but with the right approach, it is achievable within 6-12 months.

Understanding ISO 27001:2022

ISO 27001 is the international standard for Information Security Management Systems (ISMS). The 2022 revision brought significant changes:

Key Changes from 2013 to 2022

  • Annex A reduced from 114 to 93 controls, reorganized into 4 themes instead of 14 domains; the reduction came from merging overlapping 2013 controls, not from dropping requirements
  • New control themes: Organizational (37), People (8), Physical (14), Technological (34)
  • 11 new controls added: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding
  • Only minor changes to the management-system clauses 4-10 (for example, a new requirement to plan changes to the ISMS); the substantive changes are in Annex A
  • Stronger alignment with other ISO management system standards through the harmonized structure shared by ISO 9001, ISO 14001, and others

The Four Control Themes

  1. Organizational Controls (37): Policies, roles, responsibilities, threat intelligence, asset management, access control, supplier relationships, incident management, business continuity, compliance
  2. People Controls (8): Screening, employment terms, awareness training, disciplinary process, post-employment responsibilities, remote working, security event reporting
  3. Physical Controls (14): Physical perimeters, entry controls, securing offices, monitoring, asset protection, equipment maintenance, clear desk/screen, storage media
  4. Technological Controls (34): Endpoint devices, privileged access, information access restriction, secure authentication, capacity management, malware protection, vulnerability management, logging, network security, cryptography, secure development, data masking, DLP

The Certification Roadmap

Phase 1: Gap Analysis and Planning (Months 1-2)

Week 1-2: Scope Definition

  • Define the boundaries of your ISMS (which business units, locations, and systems are included)
  • For SMBs, it is often practical to include the entire organization; the scope is printed on the certificate, so an artificially narrow scope that leaves out the systems customers care about undermines the commercial value of certification
  • Document the scope statement including exclusions and justifications

Week 3-4: Initial Gap Assessment

  • Assess your current security posture against ISO 27001:2022 requirements
  • Review existing policies, procedures, and technical controls
  • Identify gaps requiring remediation before certification

Week 5-8: Project Planning

  • Develop a realistic project timeline with milestones
  • Allocate budget (typical SMB range: roughly EUR 17,000-55,000 for implementation plus EUR 5,000-15,000 for the certification audit; see the budget table below)
  • Assign project team roles (ISMS Manager, process owners, internal auditors)
  • Select an accredited certification body (accredited to ISO/IEC 17021 by a national accreditation body) and schedule the audit; unaccredited certificates are routinely rejected by enterprise customers

Phase 2: ISMS Foundation (Months 3-4)

Mandatory Documentation:

  • Information Security Policy
  • Information security objectives and the plans to achieve them
  • Risk Assessment and Risk Treatment Methodology
  • Statement of Applicability (SoA)
  • Risk Treatment Plan
  • ISMS Scope Document
  • Roles and Responsibilities
  • Competence Requirements
  • Internal Audit Procedure
  • Management Review Procedure
  • Corrective Action Procedure

The standard also requires records that prove the ISMS operates: risk assessment results, monitoring and measurement results, internal audit reports, management review minutes, and a log of nonconformities and corrective actions. Start collecting these from day one; the Stage 2 auditor will ask for them.

Risk Assessment:

  1. Identify information assets within scope
  2. Identify threats and vulnerabilities for each asset
  3. Assess likelihood and impact of risk scenarios
  4. Calculate risk levels using your chosen methodology
  5. Determine risk treatment options (mitigate, accept, transfer, avoid; ISO/IEC 27005 calls these modify, retain, share, and avoid) and select Annex A or custom controls for each risk being mitigated
  6. Document residual risk and obtain management approval
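As an added worked example (not part of the original article), the following Python script runs the six steps above for a small risk register using a 5x5 likelihood x impact methodology. The assets, threats, scores, the risk appetite threshold and the control mappings are all constructed for illustration; the Annex A identifiers (A.8.13 Information backup, A.8.7 Protection against malware, A.8.24 Use of cryptography, A.8.1 User endpoint devices, A.8.5 Secure authentication, A.6.3 Awareness training) are references to ISO/IEC 27001:2022, not a recommended mapping for any particular organization.

```python
"""Worked ISO 27001 risk assessment on a 5x5 likelihood x impact scale.

Computes inherent and residual scores, applies the chosen treatment, and flags
residual risks above the risk appetite that need documented management
acceptance (step 6). All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical risk appetite: residual scores above this value need explicit
# sign-off from top management before the risk can be recorded as accepted.
RISK_APPETITE = 8

TREATMENTS = ("mitigate", "accept", "transfer", "avoid")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                                    # 1 (rare) .. 5 (almost certain)
    impact: int                                        # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"
    controls: List[str] = field(default_factory=list)  # Annex A control IDs applied
    likelihood_after: Optional[int] = None             # expected score once controls are in place
    impact_after: Optional[int] = None


def band(score: int) -> str:
    """Map a 1..25 score to the register's risk band (thresholds are a methodology choice)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def inherent_score(r: Risk) -> int:
    """Step 3/4: risk before any treatment."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    """Step 6: risk after the chosen treatment.

    avoid    -> the activity stops, so the risk is removed entirely
    accept   -> nothing changes
    transfer -> e.g. insurance reduces impact but not how often the event occurs
    mitigate -> controls may reduce likelihood, impact, or both
    """
    if r.treatment == "avoid":
        return 0
    if r.treatment == "accept":
        return inherent_score(r)
    like = r.likelihood_after if r.likelihood_after is not None else r.likelihood
    imp = r.impact_after if r.impact_after is not None else r.impact
    if r.treatment == "transfer":
        like = r.likelihood
    return like * imp


def validate(r: Risk) -> List[str]:
    """Return the problems an internal auditor would raise against this register entry."""
    problems = []
    if r.treatment not in TREATMENTS:
        problems.append(f"unknown treatment '{r.treatment}'")
    for name, value in (("likelihood", r.likelihood), ("impact", r.impact)):
        if not 1 <= value <= 5:
            problems.append(f"{name} {value} outside 1..5")
    if r.treatment == "mitigate" and not r.controls:
        problems.append("mitigate chosen but no controls listed")
    if r.treatment == "mitigate" and r.likelihood_after is None and r.impact_after is None:
        problems.append("mitigate chosen but no post-treatment scores")
    if r.treatment == "transfer" and r.impact_after is None:
        problems.append("transfer chosen but no post-transfer impact")
    if residual_score(r) > inherent_score(r):
        problems.append("residual score higher than inherent score")
    return problems


def build_register(risks: List[Risk]) -> List[dict]:
    """Produce the rows of the risk register; invalid entries abort the run."""
    rows = []
    for r in risks:
        problems = validate(r)
        if problems:
            raise ValueError(f"{r.asset}: {'; '.join(problems)}")
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "asset": r.asset, "threat": r.threat,
            "inherent": inh, "inherent_band": band(inh),
            "treatment": r.treatment, "controls": list(r.controls),
            "residual": res, "residual_band": band(res),
            "management_approval_required": res > RISK_APPETITE,
        })
    return rows


# Constructed sample register (steps 1 and 2): not real assessment data.
SAMPLE_RISKS = [
    Risk("Customer database", "Ransomware", "No offline backups", 4, 5,
         "mitigate", ["A.8.13", "A.8.7"], likelihood_after=2, impact_after=3),
    Risk("Staff laptops", "Theft or loss", "Disks not encrypted", 3, 4,
         "mitigate", ["A.8.24", "A.8.1"], impact_after=1),
    Risk("Cloud email", "Credential phishing", "No MFA on accounts", 5, 4,
         "mitigate", ["A.8.5", "A.6.3"], likelihood_after=2),
    Risk("Server room", "Flooding", "Basement location", 3, 3, "accept"),
    Risk("Legacy FTP server", "Remote exploitation", "Unsupported software", 4, 3, "avoid"),
    Risk("Online payments", "Fraud losses", "No chargeback reserve", 3, 4,
         "transfer", impact_after=2),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "  <- needs management acceptance" if row["management_approval_required"] else ""
        print(f"{row['asset']:<20} {row['inherent']:>2} {row['inherent_band']:<6} "
              f"{row['treatment']:<8} -> {row['residual']:>2} {row['residual_band']:<6}{flag}")
```

Running the script prints one line per risk; in the sample only the accepted flooding risk (residual 9) exceeds the appetite of 8 and is flagged for management sign-off, which is exactly the evidence an auditor looks for under step 6. The `validate` function encodes the register hygiene rules auditors most often fault: a "mitigate" decision with no controls or no post-treatment scores, and residual scores that are somehow worse than inherent ones.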

Statement of Applicability (SoA):

  • List all 93 Annex A controls
  • Indicate which are applicable and which are excluded
  • Justify every inclusion and every exclusion; the standard asks for both, and each included control should trace back to a risk in the treatment plan, a legal or contractual obligation, or a business requirement
  • Reference implementation status and related policies

Phase 3: Control Implementation (Months 5-8)

Priority 1: Quick Wins (Month 5)

  • Information security policy approved by management
  • Asset inventory completed and classified
  • Access control procedures documented and implemented
  • MFA deployed on all critical systems
  • Security awareness training program launched

Priority 2: Core Controls (Months 6-7)

  • Vulnerability management process operational
  • Incident response procedures documented and tested
  • Backup and recovery procedures validated
  • Supplier security assessment process established
  • Logging and monitoring capabilities deployed

Priority 3: Advanced Controls (Month 8)

  • Business continuity plans documented and tested
  • Cryptographic controls policy implemented
  • Secure development lifecycle integrated
  • Data classification and handling procedures operational
  • Physical security controls verified and documented

Phase 4: Internal Audit and Management Review (Months 9-10)

Internal Audit Program:

  • Plan audits covering all ISMS processes and Annex A controls, so that the whole ISMS is audited at least once before the certification audit
  • Use internal auditors or engage an independent third party; whoever audits must not audit their own work (the ISMS Manager cannot audit the ISMS Manager's processes)
  • Document findings with severity classification (major nonconformity, minor nonconformity, observation)
  • Create corrective action plans for all nonconformities, including root-cause analysis, not just a fix for the symptom
  • Verify effectiveness of corrective actions and keep the evidence; the certification auditor will sample these

Management Review:

  • Present ISMS performance to top management
  • Review inputs must include: status of actions from previous reviews, changes in internal and external issues and interested-party expectations, audit results, monitoring and measurement results, fulfilment of security objectives, nonconformity and corrective action status, risk assessment and risk treatment plan status, interested-party feedback, and improvement opportunities
  • Document management decisions and actions required, including any resourcing decisions
  • Ensure management commitment is visible and documented; auditors interview top management directly

Phase 5: Certification Audit (Months 11-12)

Stage 1 Audit (Documentation Review):

  • Auditor reviews ISMS documentation for completeness
  • Verifies scope, policy, risk assessment, SoA
  • Identifies any concerns for Stage 2
  • Typically 1-2 days for SMBs

Stage 2 Audit (Implementation Assessment):

  • Auditor verifies that controls are implemented and effective
  • Interviews staff across the organization
  • Reviews evidence of ISMS operation
  • Tests a sample of controls from the SoA
  • Typically 3-5 days for SMBs

Possible Outcomes:

  • Certification granted: No nonconformities, or only minor nonconformities with a corrective action plan the certification body has accepted; closure of minor findings is then verified at the next surveillance audit
  • Certification deferred: Major nonconformities found; the certificate is withheld until the certification body has verified corrective action evidence within its deadline (often around 90 days)
  • Certification denied: Major nonconformities not closed in time, requiring remediation and a repeat of Stage 2

Budget Planning for SMBs

| Cost Category | Estimated Range (EUR) |
|---|---|
| Gap analysis and consulting | 5,000 - 15,000 |
| Documentation development | 3,000 - 10,000 |
| Technical controls implementation | 5,000 - 20,000 |
| Training and awareness | 2,000 - 5,000 |
| Internal audit | 2,000 - 5,000 |
| Certification audit (Stage 1 + 2) | 5,000 - 15,000 |
| Total | 22,000 - 70,000 |

Tips for SMB Success

  1. Start with what you have: Most SMBs already have many controls in place. Document what exists before building new processes.
  2. Keep it proportionate: ISO 27001 requires controls appropriate to your risk level. A 50-person company does not need the same controls as a multinational.
  3. Use templates wisely: Start with templates but customize them for your organization. Auditors can spot generic copy-paste documentation.
  4. Involve everyone: Information security is not just an IT responsibility. Involve HR, legal, operations, and management from the start.
  5. Choose the right certification body: Compare prices, experience with SMBs, and auditor availability in your region.

Maintaining Certification

Certification is not the end. ISO 27001 requires ongoing maintenance:

  • Surveillance audits: Annual audits by the certification body in years 1 and 2 of the three-year certification cycle; these sample the ISMS and follow up on earlier minor nonconformities
  • Recertification audit: Full audit before the certificate expires at the end of year 3
  • Continuous improvement: Regular risk assessments, internal audits, and management reviews, each at least annually
  • Incident management: Document and learn from all security incidents; auditors expect to see the incident log and the corrective actions that came out of it

Conclusion

ISO 27001:2022 certification is a realistic goal for SMBs willing to invest 6-12 months of focused effort. The key is a structured approach, proportionate controls, and genuine management commitment. The return on investment comes through competitive advantage, customer trust, reduced breach risk, and often lower insurance premiums.

Ready to start your ISO 27001 journey? Contact our certification experts for a tailored gap analysis.
