Small and medium-sized businesses are increasingly faced with the question of whether they should—or even can—implement an Information Security Management System (ISMS) in accordance with ISO 27001. While organizations of all sizes encounter challenges during implementation, SMEs often face a unique concern: can they realistically manage the costs, effort, and resources required to achieve certification?

In this series of articles, we examine the most common challenges from the perspective of small businesses and present practical approaches for overcoming them.

The First Challenge: Do We Have the Resources for ISO 27001 Certification?

For most SMEs, the greatest challenge when implementing and operating an ISMS is the availability of resources—particularly financial resources and personnel.

Although the effort required naturally depends on factors such as company size, organizational complexity, the number of business units, and locations, the resources required unfortunately do not scale proportionally with company size. Relative to their size, smaller organizations typically face a significantly greater investment of time and money.

There are several ways to address this challenge. One obvious approach is to spread the ISMS implementation over a longer period by introducing it step by step. While this can reduce the immediate workload, it also carries the risk that the project gradually loses momentum—a fate shared by many long-running initiatives. Careful planning is therefore essential.

Instead, it is worth focusing on one of the core principles of both an ISMS and ISO 27001 itself: appropriateness and a risk-based approach.

Solution 1: Take Clause 4 (Context of the Organization) Seriously

An ISMS—and ISO 27001 in general—is often perceived as highly bureaucratic. In particular, the requirements of Clause 4 (Context of the Organization) are frequently treated as little more than a formal exercise.

However, as the standard itself prescribes, the first step in implementing an ISMS should not be writing policies. Instead, organizations should begin by understanding their own context and asking questions such as:

  1. What do we actually want to achieve by implementing an ISMS? Equally important: what are not the objectives of the project?
  2. Which internal and external challenges should the ISMS address? Which information security topics are most important to the organization, and which are currently of little or no relevance? (See ISO 27001, Clause 4.1.)
  3. Who are the organization’s interested parties, and what are their expectations regarding information security? (See ISO 27001, Clause 4.2.)

Prioritization at this early stage can significantly reduce the effort required later. Based on these considerations, organizations should define a reasonable and appropriate scope for the ISMS.

Many organizations automatically include the entire company within the scope of both the ISMS and the certification from the outset. In reality, this is neither required nor always advisable. ISO 27001 not only allows limitations to the scope—it explicitly anticipates them (see Clause 4.3).

Typical scope boundaries may include specific business processes, individual business units, or selected company locations. Depending on the organization’s context, the scope may also be limited to particular categories of information, such as personal data or customer information.

Naturally, the scope should be reviewed regularly. As the ISMS matures, it can gradually be expanded, making phased implementation a practical and effective strategy.

Solution 2: A Risk-Based Approach and Proportionality

The core of an ISO 27001 Information Security Management System is not the individual information security controls listed in Annex A (such as patch management). Instead, the foundation of the standard is risk management (Clauses 6 and 8) and continual improvement.

This principle is shared by regulatory frameworks such as NIS2 (see Article 21(1): “appropriate and proportionate technical, operational and organizational measures”) and DORA, whose central requirement is the establishment of an ICT risk management framework under Article 6.

In practice, this means that a thorough and genuinely meaningful risk assessment—rather than a purely formal exercise—is essential. Only then can an organization allocate its limited resources to the security measures that are truly necessary and effective. The risk assessment itself should be based on an appropriate information security and risk management strategy. One of the key considerations is the organization’s risk appetite, as defined by senior management. Depending on the business strategy—for example, achieving rapid market entry in an early-stage startup—it may be entirely legitimate to consciously accept certain information security risks.

Once the identified risks have been assessed and evaluated, appropriate risk treatment measures must be selected. By definition, risk management also recognizes risk acceptance as a legitimate treatment option. Naturally, this does not mean that all risks should simply be accepted without careful consideration.

The most important consequence is this:

Organizations are not required to implement every control contained in Annex A of ISO 27001 or include every control in their Statement of Applicability (SoA).

A common misconception is that every Annex A control that is in any way relevant to the organization must automatically be implemented. However, the wording of the standard clearly contradicts this interpretation:

  • "…select appropriate information security risk treatment options…" (Clause 6.1.3 a)
  • "…determine all controls that are necessary to implement the information security risk treatment option(s) chosen…" (Clause 6.1.3 b)

Organizations must, however, justify for every Annex A control whether it has been included or excluded from the SoA.

For example, simply because a company develops some software—such as small internal utilities or features for its corporate website—it does not automatically follow that a comprehensive secure software development lifecycle based on controls A.8.4 and A.8.25–A.8.31 must be implemented or included in the Statement of Applicability.

Instead, the organization should invest its limited resources where they provide the greatest reduction in risk. If software development is merely a supporting activity, other controls may deserve higher priority. If, however, software development is a core business process, then those Annex A controls should naturally receive significantly greater attention.

Prioritizing Risks and Security Measures

Attempting to implement every technical and organizational security measure at once is neither practical nor advisable. ISO 27001 explicitly requires organizations to prioritize both risks and the measures used to address them.

Likewise, an ISMS is not only considered “complete” once every identified risk has been treated and every planned measure has been implemented. At its core, an Information Security Management System consists of a structured and repeatable risk management process, controlled documentation (see Clause 7.5), effective communication (see Clause 7.4), and processes for continual improvement, including performance and effectiveness evaluations (Clause 9) as well as the management of nonconformities (Clause 10).

What is certified under ISO 27001 is the management system, not the organization’s absolute level of information security.

This means that certification is, in principle, already possible once these management and governance processes have been demonstrably implemented and are operating effectively. It is not a prerequisite that every selected Annex A control has already been fully implemented. What matters is the existence of a structured implementation plan and clear evidence that this plan is being followed and continuously executed.

This again reflects the earlier principle of phased implementation, allowing organizations to build their ISMS gradually in line with their available resources.

Conclusion

Introducing and certifying an ISO 27001 Information Security Management System can undoubtedly be a significant challenge for small and medium-sized organizations, particularly when financial and personnel resources are limited.

However, these challenges can be managed successfully by focusing on what matters most and using the available resources in a targeted and efficient manner. An ISO 27001-compliant ISMS does not have to become an overwhelming bureaucratic exercise. On the contrary, the standard is intentionally written in a flexible way, allowing organizations to build an ISMS that is proportionate to their size, complexity and business needs.

In the next article of this series, we will explore another common challenge for small organizations: process capability—in other words, how to establish defined processes that are not only documented, but consistently followed in day-to-day operations.