ISO 27001 readiness
Honest framing of when an SMB really needs ISO 27001, the rough timeline and cost, and what an Annex A Statement of Applicability looks like.
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Unlike Cyber Essentials, it's not a checklist of technical controls — it's a documented, audited management system you operate continuously.
Most UK SMBs do not need ISO 27001. The exceptions are companies whose customers (typically large enterprises, financial services or the public sector) explicitly require it as part of supplier due diligence.
This pillar collects readiness guidance, gap-analysis templates and decision frameworks so you can decide honestly whether to pursue it.
Tools that fit this pillar
Free interactive checks you can run right now — no account required.
Policy generator
Generate plain-English security policies (acceptable use, BYOD, incident response) tailored to your business.
Why here: Generate the baseline policies an auditor will expect.
SMB cyber risk self-assessment
A 15-minute, plain-English self-assessment for small businesses — with a printable PDF report mapped to Cyber Essentials.
Why here: Risk treatment is the spine of an ISMS.
Authoritative sources
We point you at the originals — government, regulator and standards bodies. Bookmark these.
- ISO/IEC 27001:2022 standard
- IASME — IASME Cyber Assurance (lower-overhead UK alternative for SMBs)
- UKAS — find an accredited certification body