ISO 27001: making it achievable and useful for SMEs

For many SME leaders, ISO 27001 can feel like something reserved for large enterprises with deep pockets and compliance teams. The reality is very different. Increasingly, it’s becoming a practical – and in some cases essential – step for businesses that want to grow, win contracts, and manage risk properly.

At FACT3, ISO 27001 had been on our roadmap for several years. As an IT managed service provider evolving into a managed security services provider, we recognised that it wasn’t enough to advise clients on security best practice – we needed to demonstrate it ourselves. Certification gives independent proof that we take information security and risk management seriously, and that matters more than ever in today’s landscape.

How do businesses get ISO 27001?

There’s no shortcut: ISO 27001 requires commitment. In our case, the process involved more than 230 hours of internal effort and a financial investment in the region of £20–25k.

The real work goes beyond time and cost. It starts with understanding how your business operates and mapping that against the standard, alongside assessing risk to determine which of the 92 Annex A controls are needed. For us, that meant reviewing and refining existing policies, identifying gaps, and making sure everything reflected how we actually work – not just what looked good on paper.

Crucially, ISO isn’t a tick-box exercise. During the audit, you have to provide evidence – often multiple examples – to prove that what you say in your policies is what you actually do. That requires buy-in across the whole business, not just from leadership or IT.

And once you achieve certification, it doesn’t stop. Ongoing audits mean you need to embed good practice into day-to-day operations. For me, ISO 27001 is as much about long-term cultural maturity as it is about passing an audit.

Why should SMEs go for ISO 27001?

So why should an SME invest this level of time and resource?

The answer is simple: expectations are rising. Supply chain risk is under increasing scrutiny, and larger organisations are placing more pressure on their partners to demonstrate robust security practices. We’re already seeing this filter down into tenders, supplier assessments, and even cyber insurance requirements.

ISO 27001 helps you respond to that pressure with confidence. It shows that you understand your risks, that you’re actively managing them, and that your business is built on a structured, repeatable approach to security.

Just as importantly, it drives internal clarity. By implementing an information security management system, you gain a clearer view of how your business operates, where your risks lie, and how to mitigate them effectively.

How can FACT3 support SMEs with ISO 27001?

Having gone through the process ourselves (and achieved certification with no audit findings) we understand both the challenges and the opportunities.

For SMEs, the key is making ISO 27001 practical. It should fit your business, not overwhelm it. One of the biggest pitfalls I see is over-engineering; it’s not useful to put processes in place that don’t actually work day-to-day, just to satisfy an audit.

That’s where we help. From initial gap analysis and roadmap planning through to policy development, technical controls, and audit preparation, we bring structure and real-world experience to the process.

Alongside leading FACT3’s ISO 27001 journey, I’ve also recently achieved Certified Information Systems Security Professional accreditation. It’s a globally recognised certification that covers security across an entire business – from risk and governance through to architecture and operations – and it’s known for testing real-world judgement, not just theory. That broader perspective means the advice we give isn’t just about getting through ISO, but about building security practices that genuinely work.

If you’re considering ISO 27001, or just want to understand what it might look like for your business, drop us a line. We’d love to help you on your journey.

Author biography

Andy Potkins, Head of Service Delivery, FACT3 | CISSP
