Experiences from the use of ISO27001 in SMEs
ISO27001 for SMEs
Small and medium-sized businesses often sell their products and services to larger companies. As part of the purchasing process, these larger companies usually place requirements on the information security of their suppliers, especially in areas where personal data is shared, for example with SaaS services or even consulting and data analysis services.
Most SMEs are then faced with the decision to take the costly route of information security certification or lose the customer. In many cases, companies opt for ISO 27001 certification in order to be equipped for future customers and markets. This path, and experiences with it in SMEs, are outlined below.
Building an ISMS
The ISO/IEC 27001 standard is compact, with only around 30 pages. It is divided into chapters 0-3, which provide an introduction, and chapters 4-10, which explain the requirements. Annex A, in turn, contains measures from A5 to A18. These are directly linked to the measures and action descriptions from the ISO 27002 document.
In principle, all requirements from chapters 4-10 of the standard must be met. Individual Annex A controls, by contrast, may be left out where there is a justified reason for doing so. A risk-based approach is chosen, the central core of which is to ensure the CIA criteria. This involves:
- C: Confidentiality refers to the goal that information is not made available to unauthorized persons.
- I: Integrity refers to the goal that information is accurate/correct and complete.
- A: Availability refers to the goal that information is accessible to authorized persons when it is needed.
The aim of ISO 27001 is to set up and operate a management system that ensures information security (in the form of the criteria mentioned above).
For SMEs, most challenges arise in maintaining the processes and the resources required for them (time, knowledge), creating awareness among employees and defining which technical measures need to be taken and which organizational measures are sufficient.
Costs for an SME
The costs for ISO 27001 certification consist of the costs of the certification audit, the costs for internal resources (employees, etc.), the costs for external consulting and the costs of implementing technical measures.
The certification costs are calculated in accordance with ISO 27006, which determines the audit time. Factors such as IT complexity and business complexity are included here. The audit time also depends on the size of the company (number of employees). It starts at 5 days and increases in steps; for a company with 1,000 employees, for example, it is around 19 days.
In particular, the time that employees have to spend to implement the management system should not be underestimated. This involves creating and reviewing guidelines, adapting the company's own processes, obtaining offers for technical measures, coordinating and implementing them, and overall project management. The training necessary to develop and demonstrate competencies in the ISMS team should also not be neglected.
In summary, the introduction of an information security management system offers SMEs an excellent opportunity to tap into further customer groups. However, in view of the resources it ties up, the process must be well planned and should allow a time horizon of at least 6-12 months.