Experiences from the Use of ISO 27001 in SMEs
ISO 27001 for SMEs
Small and medium-sized businesses often sell their products and services to larger companies.
As part of the purchasing process, these larger companies usually impose information security requirements on their suppliers, especially when personal data is shared, as in the case of SaaS services or consulting and data analysis services.
In such scenarios, most SMEs face the choice of either pursuing the costly route of information security certification or losing the customer. Many companies opt for ISO 27001 certification to be better positioned for future customers and markets. The path taken and the experiences gathered with SMEs are outlined below.
Building an ISMS
The ISO/IEC 27001 standard is compact, with only around 30 pages.
It is divided into chapters 0-3, which provide an introduction, and chapters 4-10, which outline the requirements. Annex A contains measures from A5 to A18, which are directly linked to the measures and action descriptions from the ISO 27002 document.
In principle, all requirements from chapters 4-10 of the standard must be met. The measures in Annex A, however, can be excluded where this is justified. The approach is risk-based, and its core is assuring the CIA criteria:
- C: Confidentiality – Ensuring that information is not accessible to unauthorized individuals.
- I: Integrity – Ensuring that information is accurate, correct, and complete.
- A: Availability – Ensuring that information is accessible to authorized individuals when needed.
The goal of ISO 27001 is to establish and operate a management system that ensures information security, based on the criteria mentioned above.
For SMEs, the main challenges are sustaining the processes and the resources they require (time, knowledge), creating awareness among employees, and deciding which technical measures are necessary and where organizational measures suffice.
Costs for an SME
The costs for ISO 27001 certification consist of the following components:
- The costs of the certification audit
- The costs for internal resources (e.g., employees)
- The costs for external consulting
- The costs of implementing technical measures
The certification costs are calculated in accordance with ISO 27006, which determines the audit time. Factors such as IT complexity and business complexity enter into this calculation, as does the size of the company (number of employees). For instance, the audit period typically starts at 5 days and can extend to around 19 days for companies with 1,000 employees.
In particular, the time employees must spend on implementing the management system should not be underestimated. This includes creating and reviewing guidelines, adapting internal processes, obtaining offers for technical measures, coordinating and implementing solutions, and managing the overall project. The training needed to develop and demonstrate competencies in the ISMS team should also not be overlooked.
In summary, the introduction of an information security management system provides SMEs with an excellent opportunity to reach new customer groups. However, considering the required resource commitment, the process must be carefully planned, with a time horizon of at least 6-12 months.