Running ISO 27001 in a 20-Person Company


A Practical Guide for SMEs That Want Certification Without Chaos

Running a small business means balancing agility with proving you are professional enough for big-ticket clients. For many 20-person companies, ISO 27001 feels like a “big corporate” requirement: too heavy, too complex, and too expensive.

That assumption is wrong and increasingly costly to hold.

In 2026, many fast-growing SaaS, fintech, and professional services companies achieve ISO 27001 certification with teams of 15 to 30 people. Not because it is easy, but because they approach it differently. At your size, ISO 27001 is not only a badge of trust. It is a competitive superpower. It proves to enterprise partners and regulators that your security matches theirs, without endless security questionnaires and procurement delays.

Here is how to make it work.

Why ISO 27001 Matters More at 20 People Than at 2,000


For SMEs, ISO 27001 is not only about compliance. It is about:

  • Winning enterprise and international clients - many will not engage without it

  • Passing vendor due diligence faster - reducing the friction of security questionnaires

  • Building credibility with partners and regulators - especially in regulated markets like the UAE and GCC

  • Creating structured internal processes before you scale - it is far harder to retrofit security culture into a 200-person company

In most cases, ISO 27001 is a revenue enabler, not a cost centre. The question is not whether you can afford to pursue it, but whether you can afford to keep losing deals without it.

The Mistake That Derails Most Small Teams


Most small companies fail at ISO 27001 for one reason: they try to copy the enterprise model.

This leads to complex policies nobody reads, controls that cannot be used by a lean team, documentation disconnected from how the business runs, and eventually founder fatigue and team resistance.

The fix is not simplification for its own sake. It is a lean, risk-based, business-aligned approach built for your size.

Step 1: Right-Size Your Scope


Do not start with “the entire company.” That approach stalls progress before you begin.

If your 20-person team delivers a specific software product, a defined service line, or handles a particular category of client data, start there. Limit your scope to that environment. You do not need to certify internal processes that do not touch information assets.

A focused scope lets you:

  • Reduce implementation difficulty significantly

  • Reach certification faster

  • Expand scope in later phases as the business grows

Keep it lean. Keep it relevant. A narrow, defensible scope is a sound strategy, not a shortcut.

Step 2: Appoint a Security Champion, Not a Full-Time CISO


At 20 people, you do not need a full-time Chief Information Security Officer. But you do need one accountable person: a Lead Developer, Operations Manager, or engaged founder who owns the process.

Their role is not to do everything. It is to make sure everyone else follows the rhythm. Use external advisors for documentation, gap analysis, and audit preparation, so your internal champion can focus on driving culture instead of paperwork.

Your ISMS does not need 100 documents. At a minimum, you need:

  • An Information Security Policy

  • A Risk Assessment Methodology

  • A Statement of Applicability (SoA)

  • Core operational policies: Access Control, Incident Response, Vendor Management

If your team cannot understand it, it will not work.

Step 3: Run a Risk Assessment That Reflects Reality


Avoid theoretical risk exercises that produce spreadsheets nobody acts on. Focus on real scenarios:

  • What happens if a developer’s laptop is compromised?

  • What if customer data is exposed through an API misconfiguration?

  • What if access is not revoked when an employee leaves?


In a 20-person company, a single unlocked laptop or shared password represents a much higher percentage of your total risk than in a 1,000-person firm. That context should shape your risk assessment and the controls you choose.

Prioritise high-impact risks, likely attack vectors, and business-critical assets. That is what makes your controls meaningful instead of merely compliant.
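One way to turn the three scenarios above into a risk register that drives decisions, as an added example that is not part of the original article: each scenario is scored on a 5x5 likelihood-by-impact scale, ranked, given a treat-or-accept decision against a risk appetite threshold, and shown as a share of the company's total scored risk. The scale labels, the scores, the threshold of 9 and the fourth low-priority scenario are constructed assumptions, not values from the article.

```python
"""Minimal risk register: score, rank and decide treatment for each scenario.

Added example, not from the original article. The 5x5 scales, the risk
appetite threshold and the sample scores below are assumptions.
"""
from dataclasses import dataclass, field

# Qualitative scales mapped to numbers (assumed 1..5 scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumption: anything scoring above this must be treated; at or below may be accepted.
RISK_APPETITE = 9


@dataclass
class Risk:
    ref: str
    scenario: str
    asset: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # candidate controls, by name

    def __post_init__(self):
        # Reject scale words that are not on the agreed scale, so the register stays consistent.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.ref}: unknown likelihood '{self.likelihood}'")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: unknown impact '{self.impact}'")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def treatment(self) -> str:
        return "treat" if self.score > RISK_APPETITE else "accept"


def prioritise(risks):
    """Highest-scoring risks first: these get control effort and budget first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def risk_share(risks):
    """Each risk's share of the total scored risk, rounded to two decimals.

    In a small company one item can be a third of everything you carry,
    which is the point the article makes about a single unlocked laptop.
    """
    total = sum(r.score for r in risks)
    return {r.ref: round(r.score / total, 2) for r in risks}


def sample_register():
    """Constructed register using the article's three scenarios plus one low-priority item."""
    return [
        Risk("R1", "Developer laptop compromised", "Source code, credentials",
             "likely", "major", ["Endpoint security", "MFA", "Least privilege"]),
        Risk("R2", "Customer data exposed via API misconfiguration", "Customer data",
             "possible", "severe", ["Access control", "Logging and monitoring"]),
        Risk("R3", "Access not revoked when an employee leaves", "SaaS tools, repos",
             "likely", "moderate", ["Timely off-boarding", "Access reviews"]),
        Risk("R4", "Public marketing site defaced (no client data)", "Website",
             "unlikely", "minor", ["Backup and recovery"]),
    ]


if __name__ == "__main__":
    register = sample_register()
    shares = risk_share(register)
    for r in prioritise(register):
        print(f"{r.ref} score={r.score:2d} share={shares[r.ref]:.0%} {r.treatment:6s} {r.scenario}")
```

The treatment column is what the Statement of Applicability later has to justify: every "treat" line should map to at least one selected control, and every "accept" line should be a conscious decision signed off by the risk owner.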

Step 4: Implement Controls That Fit Your Size


ISO 27001 does not require you to implement all 93 controls in Annex A. It requires you to justify your choices. For a 20-person company, the most important controls are typically:

  • Identity and access management - least privilege, MFA, timely off-boarding

  • Endpoint security - laptops, mobile devices, BYOD policies

  • Backup and recovery - tested, documented, and assigned to an owner

  • Logging and monitoring - even basic logging is acceptable at this stage

  • Vendor risk management - especially for SaaS tools handling client data

  • Incident response readiness - a simple, practised plan beats a complex, untested one

You do not need enterprise-grade SOC infrastructure to get certified. You need controls that are proportionate, documented, and used.


Step 5: Make Documentation Reflect Reality


Auditors are looking for one thing: does what you say match what you do?

The most common SME failure here is writing policies based on aspiration, not operations. Policies commit to quarterly reviews that never happen. Incident Response procedures describe processes nobody has practised. Training logs show completions for sessions people do not remember.

Fix this by writing policies based on how your team actually works. Keep commitments realistic. Automate evidence collection where possible so that when audit time arrives, you are pulling reports instead of scrambling for screenshots.

Keep policies short, visual, and actionable. Checklists work. Fifty-page manuals do not.
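The access-management controls in Step 4 (least privilege, MFA, timely off-boarding) and the "pull reports instead of scrambling for screenshots" advice in Step 5 can be covered by one small reconciliation script. The following is an added example, not code from the article or from TSSConsult: it compares a constructed HR roster export against a constructed identity-provider account export and produces the findings an auditor would ask for. The CSV column names, the one-day revocation target and the sample people are assumptions.

```python
"""Joiner/leaver and MFA reconciliation, producing audit evidence on demand.

Added example, not from the original article. Inputs are constructed CSV
exports; real HR and identity-provider exports will have their own columns.
"""
import csv
import io
from datetime import date, timedelta

# Assumption: access must be revoked within one day of the leave date.
REVOCATION_SLA = timedelta(days=1)

# Constructed HR export: who works here, who has left, and when.
HR_ROSTER_CSV = """email,status,leave_date
alice@example.com,active,
bob@example.com,left,2026-01-15
carol@example.com,active,
dave@example.com,left,2026-03-01
"""

# Constructed identity-provider export: account state as the IdP sees it.
IDP_ACCOUNTS_CSV = """email,enabled,mfa_enrolled,role
alice@example.com,true,true,admin
bob@example.com,true,false,developer
carol@example.com,true,false,developer
dave@example.com,false,true,operations
svc-backup@example.com,true,true,service
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value):
    return value.strip().lower() == "true"


def reconcile(roster_csv, accounts_csv, as_of):
    """Return a dict of findings: the evidence record for the access-control controls."""
    roster = {row["email"].lower(): row for row in parse_csv(roster_csv)}
    accounts = parse_csv(accounts_csv)
    findings = {"orphaned_active": [], "missing_mfa": [], "no_hr_record": [], "admins": []}

    for acct in accounts:
        email = acct["email"].lower()
        enabled = _flag(acct["enabled"])
        person = roster.get(email)

        if person is None:
            # Unknown to HR: service accounts are legitimate but must have a named owner.
            findings["no_hr_record"].append(email)
        elif person["status"] == "left" and enabled:
            # Leaver still enabled: only a finding once the revocation SLA has passed.
            left_on = date.fromisoformat(person["leave_date"])
            if as_of - left_on > REVOCATION_SLA:
                findings["orphaned_active"].append(email)

        # MFA only matters for accounts that can actually log in.
        if enabled and not _flag(acct["mfa_enrolled"]):
            findings["missing_mfa"].append(email)

        # Admin list is the input to the periodic least-privilege review.
        if enabled and acct["role"] == "admin":
            findings["admins"].append(email)

    findings["as_of"] = as_of.isoformat()
    findings["accounts_checked"] = len(accounts)
    findings["pass"] = not (
        findings["orphaned_active"] or findings["missing_mfa"] or findings["no_hr_record"]
    )
    return findings


def sample_report():
    """Run the reconciliation over the constructed exports at a fixed date."""
    return reconcile(HR_ROSTER_CSV, IDP_ACCOUNTS_CSV, date(2026, 3, 10))


if __name__ == "__main__":
    report = sample_report()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it monthly from a scheduled job and keep the dated output; a series of these reports is stronger evidence that off-boarding and MFA are operating than a single screenshot taken the week before the audit, and a failing report is your own internal nonconformity to close before anyone else finds it.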


Step 6: Treat the Internal Audit as a Dress Rehearsal


Before the certification body arrives, you need an internal audit. This is where most small companies stumble. They are too close to their processes to see the gaps.

Internal audit is your opportunity to surface nonconformities on your own terms before an external auditor finds them. If you do not have the expertise to run it objectively, bring in an external advisor for this stage. The cost is minimal compared to failing Stage 2 and extending your audit timeline.

What a Realistic Timeline Looks Like


For a focused 20-person implementation:

| Phase                      | Timeframe    | Activities                                         |
|----------------------------|--------------|----------------------------------------------------|
| Scoping and Gap Assessment | Month 1      | Define scope, assess current state, identify gaps  |
| ISMS Build                 | Month 2      | Policies, risk register, SoA, control selection    |
| Control Implementation     | Month 3 to 4 | Deploy controls, train team, build evidence        |
| Internal Audit             | Month 5      | Identify and close nonconformities                 |
| Certification Audit        | Month 6      | Stage 1 (documentation) and Stage 2 (operational)  |

With the right approach and external support, ISO 27001 can be achieved in 4 to 6 months without disrupting operations.

The Advantage


For small companies, ISO 27001 is not simply a certificate on the wall. Done properly, it becomes:

  • A structured operating model that scales with you

  • A differentiator in competitive enterprise deals

  • A foundation for SOC 2, GDPR, UAE PDPL, and broader compliance

  • A clear signal to clients, partners, and investors that you are built to last

ISO 27001 is not about becoming a large company. It is about building a company that is trusted, resilient, and scalable from day one, which is what high-growth SMEs need.


Ready to Find Out Where You Stand?


ISO 27001 does not have to be a bottleneck. Approached correctly, it becomes the engine that helps you win bigger deals and protect what you built.

Book a Pre-Audit Call with TSSConsult. We will provide you with a clear gap assessment, a realistic timeline, and an implementation roadmap tailored to your size, so you can turn your security posture into a genuine sales asset.
