Can ISO 27001 be done lighter for a small company?
The norm scales; applying it to 10 people is a different exercise than 1000. Start at scope: only the part the customer wants audited.
Try this first
- 1Tighten scope. Not the whole BV but the service you deliver. Targeted scope certifies faster and cheaper.
- 2Re-use existing documents. Personnel handbook, GDPR register, vendor DPAs, backup procedures already fulfil multiple controls.
- 3Pick a sized approach. Template kits or a light implementation via an external consultant. Most SMBs land it that way.
- 4Run PDCA once before the audit. If the cycle stays on paper, the auditor will spot it.
- 5Schedule the external audit only after one internal audit round with findings actually closed.
When to bring us in
Customer demands full Annex A coverage and you have under 10 staff? An SMB-specialised firm is much faster. We can point at parties.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.