ISO 27001 Certification Journey for SMB – Do More With Less: An Introduction

Note: Article by "Waqar Mehboob"


Traditionally, security budgets haven’t accounted for compliance costs at SMBs (small and medium-sized businesses, which typically have fewer than 200 personnel), even though SMBs are increasingly being asked to demonstrate compliance with ISO 27001 or similar standards.

The cost of the ISO 27001 certification project, ongoing cost for control operations, Information Security Management System (ISMS) maintenance, and support costs have a financial impact. On top of this, there’s an increasing gap between supply and demand in cybersecurity skills, high staff turnover challenges, and an increasing shift towards a “gig economy” work culture.

Globally, regulatory compliance pressure is increasing, especially around privacy. Cyber-attacks are happening, and victims often don’t have recovery plans. Additionally, enterprise and government sector customers increasingly demand security certifications from their service providers, even when those providers fall in the SMB segment.

So, I’m writing this series to jumpstart your ISO 27001 certification journey so that you can become secure and compliant as fast as possible, while at the same time moving towards a sustainable ISMS operation (and keeping costs low, of course).

I mainly refer to my experiences with SMB organizations when writing these articles.

However, please keep in mind:

“Your ISO 27001 certification is the start of your cybersecurity journey and not the end of it.”

I’m going to focus on three topics:

1. Automation & Technology:

How to use Tugboat Logic, CertiKit, JIRA, and several other technology solutions that help you spend less time on repeated actions and more on practical and meaningful tasks.

2. Workflow & Processes:

How to implement the ISO 27001 control processes (e.g., change management, user access management, incident management, etc.) more cost-efficiently and effectively.

3. Skills & People:

How to find the skills and expertise you need. There are pros and cons to giving full-time staff additional skills and responsibilities, dedicating them to ISO 27001 controls, or bringing in consultants to help the team. I will also discuss resourcing the Internal Audit internally versus outsourcing it to a third party.

Each topic will have at least a few articles dedicated to it, though the exact number will depend on the complexity of the subject.

I’ll use examples from my experience to elaborate on what I’m explaining and provide detailed & helpful advice in each article.

I hope to share some of my experiences helping clients.

Stay tuned for upcoming articles, and please leave me comments and feedback.