Example engagement — illustrative
A first ISO 27001 certification for a growing SME
Professional services SME (~30 staff) · ISO 27001
The challenge
A professional services firm was being asked for ISO 27001 by prospective clients but feared the standard was designed for large corporations and would overwhelm a team of its size.
What we did
- Set a tightly defined ISMS scope proportionate to a 30-person business
- Carried out a gap analysis against ISO 27001:2022 to separate real work from noise
- Produced lean, usable policies and a risk register the team would actually follow
- Documented the Statement of Applicability with a clear rationale for each control
- Coached staff through internal audit, management review and the Stage 1 and Stage 2 audits
The outcome
The SME achieved certification with a management system sized for its business, not a copy-paste corporate framework.
Background
There is a persistent myth that ISO 27001 is only for big organisations. This illustrative example pushes back on that. A professional services SME of around 30 people had won interest from larger clients whose contracts required certified information security, and the directors worried that pursuing the standard would bury a small team in bureaucracy meant for banks and multinationals.
What we did
The answer to “won’t this be too much?” is scope and proportion. We defined the information security management system narrowly and sensibly, covering the services and systems that actually handled client data, and no more. A gap analysis against ISO 27001:2022 then separated genuine work from theoretical requirements, so effort went where it mattered. Our guide to what an ISMS is gave the directors a plain-English grounding before decisions were made.
We deliberately wrote lean documentation. The policies were short enough that staff would read and follow them, the risk register captured the handful of risks that genuinely applied, and the Statement of Applicability recorded a clear rationale for each Annex A control included or excluded. We then walked the team through the routines certification requires — a first internal audit and a management review — so that when the certification body arrived, the system was already in motion. This is where many small firms stumble, so we coached staff on what to expect at Stage 1 and Stage 2 rather than leaving them to face the auditor cold.
Result
The firm achieved ISO 27001 certification with a management system that fits a 30-person business and can grow with it. Rather than a folder of unread policies, the directors ended up with a security routine the team runs — and a certificate that answers their larger clients’ procurement requirements.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.