# ISO 27001 for small business — what actually applies when you have 30 employees

## The standard wasn't written for you
ISO 27001 was designed to apply to any organization, anywhere. Banks. Hospitals. Software startups. Government departments. A plumbing company with 8 employees.
That's genuinely useful from a standards body perspective. It's less useful when you're trying to figure out what it means for your 30-person SaaS company with two people in IT.
The good news: scope is everything, and a small company can scope an ISO 27001 implementation that's legitimate, auditable, and achievable without a 30-person GRC team.
## What "scope" actually means
Your ISMS scope defines the boundaries of what you're certifying. It's documented in a formal scope statement — one of the first things an auditor will read.
You can certify a subset of your operations. A common approach for small companies:
- Scope to your software development and cloud operations (not your back-office HR systems)
- Scope to services delivered to a specific client type or industry vertical
- Scope to a specific geographic region if you operate internationally
Where small companies make mistakes: scoping too broadly. "All of our operations globally" sounds thorough. It means your certification audit covers everything — every system, every location, every employee — and your timeline goes from 12 months to 24.
## The 93 Annex A controls
ISO 27001:2022 has 93 controls in Annex A. A common misconception is that you need to implement all 93.
You don't.
You need to implement the controls that are applicable to your risk profile and document in your Statement of Applicability which controls you've excluded and why.
For a 30-person company in professional services:
- Physical security controls (A.7) may be minimal — you're in a leased office, not running a data center
- Supplier relationship controls (A.5.19–5.22) matter if you use SaaS vendors that handle client data
- Access control (A.5.15–5.18) is significant for almost everyone
## What auditors actually care about at small companies

Auditors performing initial certification audits at small companies consistently flag two things:

**Risk assessment quality.** Not the number of risks identified — the rigor of the methodology. A well-documented risk register with 25 risks is better than a poorly documented one with 80. Auditors want to see that you understand your risks and made informed decisions about how to treat them.

**Management commitment evidence.** ISO 27001 puts significant requirements on leadership (Clause 5). Auditors want to see that your executive team understands what they've committed to, not just that someone signed the policy. This shows up in management review records, leadership training documentation, and how well your team can explain the ISMS in auditor interviews.
## The time and resource question
A realistic implementation for a 30-person company with one dedicated internal lead:
- Project management: 4 to 6 hours per week from the lead
- Subject matter experts: 1 to 2 hours per week from IT, operations, HR as needed
- Leadership: 2 to 4 hours per month for briefings and reviews
The companies that fail at DIY ISO 27001 aren't the ones that lack security knowledge. They're the ones that underestimate the project management load and don't build in the internal time commitment before starting.
## One practical recommendation
Before you commit to a timeline, run a preliminary scoping exercise. Write a one-page draft scope statement. List the systems, people, and locations it covers. Estimate the documentation effort against that scope.
If your initial scope statement covers every system your company has ever touched, reduce it.
A certification with a narrow scope that you maintain and understand is worth more than a certification with a broad scope that you can't explain to your own team.
The [First 30 Days Roadmap](/resources#roadmap) covers how to run your initial scoping exercise and what questions to answer before you commit to a timeline.
## Working on your own ISO 27001 implementation?
ISMS Accelerator is a structured 11-module course with 40+ done-for-you templates. Built by a practicing consultant who's done this 40+ times.