Compliance15 Jan 202611 min read

ISO 27001 in 2026: A Practical Certification Guide for SMEs

A senior-consultant walkthrough of ISO 27001:2022 certification for startups and SMEs — Annex A controls, the ISMS lifecycle, audits, a realistic timeline, and where automation cuts the effort.

ISO 27001 is the international standard for an Information Security Management System (ISMS) — a documented, risk-based way of managing the confidentiality, integrity, and availability of your information. Getting certified means an accredited, independent body has audited your ISMS and confirmed it meets the standard. For a startup or SME in 2026, that certificate has become less a "nice-to-have" badge and more a commercial gate: it is increasingly the fastest way to clear enterprise procurement, security questionnaires, and vendor due diligence without re-litigating your security posture on every deal. This guide walks through what the standard actually requires, the 2022 revision you will be certified against, and a realistic, phased roadmap to get there — including where automation and an AI copilot genuinely compress the effort.

What ISO 27001 Actually Is

ISO 27001 is not a checklist of security tools. It is a management-system standard, which means it certifies a process: how you identify risks to your information, decide what to do about them, implement controls, and continually improve. The certificate says your organisation runs a functioning, audited system for managing information security — not that you have bought a particular firewall.

The standard has two parts that matter:

  • Clauses 4–10 — the mandatory management-system requirements. These are non-negotiable and cover context, leadership, planning, support, operation, performance evaluation, and improvement. Every certified organisation implements all of them.
  • Annex A — a catalogue of security controls you select from based on your risk assessment. You do not implement all of them blindly; you justify which apply.

The 2022 revision: 93 controls, 4 themes

If you are certifying in 2026, you are certifying against ISO/IEC 27001:2022. The older 2013 version has been fully retired — the transition deadline passed in 2025 — so there is no ambiguity about which version to target.

The headline change was Annex A. The 2013 version listed 114 controls across 14 domains; the 2022 revision consolidates these into 93 controls grouped under four themes:

  • Organisational (37 controls) — policies, roles, supplier relationships, threat intelligence, cloud service use.
  • People (8 controls) — screening, awareness, remote working, disciplinary process.
  • Physical (14 controls) — secure areas, equipment, physical monitoring.
  • Technological (34 controls) — access control, cryptography, logging, secure development, data leakage prevention.

The 2022 update also introduced 11 new controls reflecting how organisations actually work today, including threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, web filtering, and secure coding. Each control now also carries attributes (e.g. preventive/detective/corrective) that make mapping and reporting easier.

Why It Matters Commercially in 2026

The business case has sharpened considerably. Three forces are converging:

  • Procurement gatekeeping. Enterprise buyers and public-sector tenders increasingly list ISO 27001 as a hard requirement. Without it, you are often filtered out before a conversation starts.
  • Regulatory tailwinds. In the EU, frameworks such as NIS2 and DORA have raised the baseline expectation for demonstrable security governance. ISO 27001 is not a legal substitute for these, but a mature ISMS gives you a large head start on their requirements and a common control language across all of them.
  • Sales-cycle efficiency. A certificate short-circuits the endless security questionnaire. Instead of answering 200 bespoke questions per prospect, you hand over a certificate and Statement of Applicability.

For an SME, the certificate frequently pays for itself on the first one or two enterprise deals it unblocks.

The ISMS Lifecycle

ISO 27001 is built on a continual-improvement cycle — Plan-Do-Check-Act. Understanding this shape prevents the most common mistake: treating certification as a one-off project rather than an operating rhythm.

  • Plan — define scope and context, secure leadership commitment, assess risks, and plan treatment.
  • Do — implement the selected controls, policies, and processes.
  • Check — monitor, measure, run internal audits, and hold management reviews.
  • Act — correct nonconformities and improve.

The certificate is valid for three years, with surveillance audits each year and a full recertification audit at the end. So the "check" and "act" phases never stop — the ISMS is a living system.

Scope, Statement of Applicability, and Risk

Three artefacts sit at the heart of the ISMS and deserve special attention because auditors scrutinise them heavily.

Defining scope

Scope defines the boundary of your ISMS — which parts of the organisation, systems, locations, and services are covered. For a SaaS SME this is usually the platform, the teams building and running it, and the supporting corporate IT. Keep it honest: an artificially narrow scope may pass an audit but will fail to impress the enterprise buyer reading your certificate.

Risk assessment and treatment

This is the engine of the whole standard. The process is:

  1. 1Identify risks to information within scope (by asset, by scenario, or a hybrid).
  2. 2Analyse and evaluate them against defined likelihood and impact criteria.
  3. 3Decide treatment for each: mitigate (apply controls), transfer (e.g. insurance), avoid, or knowingly accept.
  4. 4Produce a Risk Treatment Plan documenting the decisions, owners, and deadlines.

The methodology must be repeatable and documented. Many organisations in Spain and across the EU use MAGERIT, a well-established risk methodology, which maps cleanly onto ISO 27001's requirements and is familiar to auditors working in the region.

The Statement of Applicability (SoA)

The SoA is the single most important certification document. It lists all 93 Annex A controls and, for each, states whether it applies, why, and its implementation status. Controls you exclude must be justified — "we have no physical office, so several physical controls are handled by our cloud provider" is a legitimate, documented exclusion. The auditor uses the SoA as their map through your entire ISMS, so it must be accurate and defensible.

Internal Audit and Management Review

Before an external auditor ever visits, the standard requires you to audit yourself:

  • Internal audit — an independent check (the auditor cannot audit their own work) that the ISMS conforms to the standard and to your own policies, and that it is effective. Findings are logged as nonconformities and corrected.
  • Management review — leadership formally reviews ISMS performance, risks, audit results, and improvement opportunities, and records decisions.

Auditors treat missing or superficial internal audits and management reviews as a serious red flag, because they signal the ISMS is documentation theatre rather than a working system.

The Certification Audit: Stage 1 and Stage 2

External certification happens in two stages, conducted by an accredited certification body (choose one accredited by a recognised national body — in Spain, ENAC).

  • Stage 1 — documentation and readiness review. The auditor checks that your ISMS is designed, documented, and in place: scope, policies, risk assessment, SoA, internal audit, and management review. The output is a list of findings and areas to address. Think of it as a dress rehearsal.
  • Stage 2 — the certification audit. Typically a few weeks after Stage 1, the auditor tests whether the ISMS is genuinely operating. They sample evidence, interview staff, and verify that controls work in practice. Nonconformities are graded minor or major; major nonconformities must be resolved before the certificate is issued, usually via a corrective action plan.

Clear both stages and you are certified for three years, subject to those annual surveillance audits.

A Phased Roadmap

Here is the sequence I recommend to SMEs, condensed into six phases:

  1. 1Mobilise. Secure leadership sponsorship, appoint an ISMS owner, agree scope and objectives, and pick a target certification date.
  2. 2Assess the gap. Compare current practice against the standard and Annex A. This produces your work backlog.
  3. 3Build the foundation. Write the core policies, define the risk methodology, run the risk assessment, and draft the SoA and Risk Treatment Plan.
  4. 4Implement controls. Close the gaps — access control, logging, supplier management, secure development, awareness training, and so on. Crucially, start generating evidence as you go.
  5. 5Operate and check. Run the ISMS live for a period, then conduct the internal audit and management review. You need a track record of the system actually working.
  6. 6Certify. Engage the certification body for Stage 1, remediate findings, then pass Stage 2.

Realistic Timeline and Effort for an SME

Timelines vary with starting maturity, scope, and how much attention the project gets. The table below reflects a typical SME (say, 15–80 people) starting from reasonable-but-informal security practices.

PhaseTypical durationPrimary effort
Mobilise & scope2–3 weeksLeadership, ISMS owner
Gap analysis2–4 weeksISMS owner + consultant
Risk assessment, SoA, policies4–8 weeksISMS owner, control owners
Control implementation8–16 weeksEngineering, IT, HR, ops
Operate + internal audit + mgmt review4–8 weeksWhole organisation
Stage 1 & Stage 2 audits4–8 weeksISMS owner + auditor
Total (elapsed)~4–9 months

Most SMEs land somewhere between four and nine months. The single biggest variable is not the paperwork — it is how quickly control gaps can be closed and how much evidence you can accumulate to prove the ISMS has been operating, not just designed.

Common Pitfalls

Having guided organisations through this, the recurring failure modes are predictable:

  • Treating it as a documentation exercise. A binder of policies nobody follows fails Stage 2. Auditors test operation, not prose.
  • An over-narrow or dishonest scope. It may pass, but it undermines the certificate's commercial value and invites awkward buyer questions.
  • Weak leadership involvement. The standard explicitly requires top-management engagement; absent it, resourcing and management reviews collapse.
  • Leaving evidence to the end. Evidence must accumulate over time — access reviews, logs, training records, tickets. You cannot retrofit a six-month audit trail the week before Stage 2.
  • A risk assessment disconnected from reality. Generic, copied risk registers that do not reflect your actual systems and threats are transparent to a good auditor.
  • Under-resourcing the ISMS owner. Made a part-time afterthought for one overloaded person, the programme stalls.

How Automation and an AI Copilot Compress the Effort

Most of the pain in ISO 27001 is not intellectual — it is administrative: maintaining the SoA, keeping the risk register current, collecting evidence continuously, mapping controls, and staying audit-ready between surveillance visits. This is precisely where a modern GRC platform changes the economics.

Automation helps in concrete ways:

  • Continuous evidence collection replaces the pre-audit scramble — control status and audit trails are captured as work happens.
  • A living SoA and risk register stay synchronised with your controls instead of drifting out of date.
  • Framework crosswalks let one control satisfy ISO 27001, ENS, NIS2, DORA, SOC 2, and GDPR at once — invaluable if you are heading toward multiple certifications.
  • An AI compliance copilot can draft policies, suggest control mappings, flag gaps, and answer "are we audit-ready?" in plain language — cutting the guesswork that slows first-time certifiers.

Done well, automation does not replace the judgement of an ISMS owner or consultant; it removes the manual toil so their time goes to decisions that actually matter.

Conclusion

ISO 27001 in 2026 is eminently achievable for an SME — typically in four to nine months — provided you treat it as an operating system rather than a paperwork sprint, resource the ISMS owner properly, and start generating evidence from day one. Get the scope, risk assessment, and Statement of Applicability right, run the internal audit and management review honestly, and the two-stage certification audit becomes a confirmation rather than a gamble.

This is exactly the work ISMShed was built to streamline: its AI Compliance Copilot, MAGERIT-based risk management, continuous evidence collection, and multi-framework crosswalks compress the administrative load so your team can focus on the decisions that pass audits. And when you want experienced hands alongside the platform, Axelia's GRC consultants — themselves ENS Media certified and ISO 27001 aligned — can guide you from gap analysis to a certificate. If certification is on your 2026 roadmap, that combination is a practical place to start.

Talk to an expert

Don't wait for the guide. Book a call with our AI-CISO team and get a tailored roadmap to ISO 27001, NIS2, ENS or DORA compliance.