Can a Small Company Actually Get ISO 27001 Certified?
Yes. Certification scope is defined by the company, not headcount, so a small company usually has a smaller ISMS to run. The real constraint is who has the hours to own it.
Yes, a small company can get ISO 27001 certified, and the confusion usually comes from assuming the standard is built for large enterprises with dedicated security teams. Certification scope is defined by the company itself, not gated by headcount. A smaller company typically has a smaller, more tractable ISMS scope, fewer systems, fewer third parties, simpler data flows, which can make implementation faster than a sprawling enterprise's, not harder. The real constraint for a small company is not eligibility. It is the same bandwidth problem every framework in this series runs into: someone has to actually own the risk assessment, the Annex A control implementation, and the ongoing surveillance-audit cycle, and a small team rarely has a dedicated person for that.
Our ISO 27001 framework page covers what the certification actually requires end to end. This post answers the narrower question a lot of founders ask first: does our size disqualify us before we even start.
Where does the "ISO 27001 is for big companies" idea come from?
The assumption is understandable. ISO 27001 defines 93 controls across four themes in Annex A, organized, people, physical, technological, and that list reads like something written for a company with a security team, a facilities team, and an IT team who each own a slice of it. A ten-person company looking at that list can reasonably wonder if the standard was even written with them in mind.
But the standard does not require every control to apply to every company. Which controls are in scope, and why, is documented per company in a Statement of Applicability. A company with three systems and two vendors has a shorter, more honest list than a company with thirty systems and a hundred vendors. The 93 controls are the full menu, not a mandatory checklist every certified company has to tick in full.
What actually varies by company size?
Scope. That is essentially the whole answer. A small company's Information Security Management System, its ISMS, covers whatever systems, data, and processes the company defines as in scope, and a small company's footprint is usually smaller by every measure that matters to an auditor: fewer production systems, fewer third-party vendors to review, simpler data flows between fewer moving parts. Mapping and securing that footprint is a smaller, more tractable job than doing the same for an enterprise running dozens of systems across multiple business units.
This is the opposite of the intuition founders start with. A sprawling enterprise does not get an easier path to certification because it has more people; it gets a harder scoping problem because it has more systems, more legacy integrations, and more places for the ISMS to have quietly drifted out of sync with reality. A small company's implementation can genuinely move faster, not because the bar is lower, but because there is less surface area to bring into compliance in the first place.
What stays exactly the same regardless of size?
The process itself does not bend for company size. Certification runs in two stages: a documentation review of your ISMS and Statement of Applicability (Stage 1), then an audit of whether the controls are actually operating (Stage 2). A successful Stage 2 audit issues a certificate valid for three years, with annual surveillance audits in between confirming the ISMS is still running, not archived the day after the certificate was issued.
None of that shrinks for a smaller company. A five-person company and a five-hundred-person company go through the same two stages, the same three-year cycle, and the same annual surveillance audits. The auditor is not checking your headcount. They are checking whether the risk assessment you ran, the controls you selected, and the Statement of Applicability you wrote match what is actually happening on your systems. A small company that can demonstrate that clearly is in exactly the same position as a large one that can.
So what actually stalls a small company on ISO 27001?
Not eligibility, bandwidth. This is the same constraint we wrote about for SOC 2 and small teams, and it shows up here in almost the same shape. A large company has a compliance or security function whose job includes running the ISMS: doing the risk assessment, implementing the Annex A controls that are actually missing, keeping the Statement of Applicability current, and carrying all of it through the annual surveillance audits. A small company usually does not have that seat. The work lands on an engineer or the founder, on top of the job they were already doing.
ISO 27001 makes this sharper than SOC 2 does, because "management system" is the operative word in ISMS. It is not a one-time audit you pass and file away. The risk assessment has to be revisited, the controls have to keep operating, and an annual surveillance audit will catch an ISMS that quietly stopped being followed after the certificate was issued. A smaller scope makes the initial implementation more tractable, but it does not remove the ongoing ownership question: who is going to run this every year, not just get it certified once.
Frequently asked questions
Can a small company get ISO 27001 certified? Yes. Certification scope is defined by the company itself, not gated by headcount. A smaller company typically has a smaller, more tractable ISMS scope, fewer systems, fewer third parties, simpler data flows, which can make implementation faster than a sprawling enterprise's, not harder.
Is ISO 27001 only for large enterprises? No, that is a common assumption but not how the standard works. ISO 27001 does not set a minimum company size or a minimum number of employees. It certifies that whatever information security management system you define and scope is actually operating, at whatever scale that system is.
Does ISO 27001 certification take less time for a small company? It can, because the ISMS scope tends to be smaller: fewer systems to bring into scope, fewer vendors to review, fewer data flows to map. What stays constant regardless of size is the two-stage audit and the three-year certification cycle with annual surveillance audits in between.
What is the hardest part of ISO 27001 for a small company? Not eligibility, bandwidth. A small team rarely has a dedicated person to own the risk assessment, implement the Annex A controls, and carry the ISMS through every annual surveillance audit on top of their actual job. That ongoing ownership, not the certification rules, is what actually stalls small companies.
Does a small ISMS scope mean fewer Annex A controls apply? Often, yes. Annex A control applicability is documented per company in a Statement of Applicability, and a company with fewer systems and simpler data flows naturally has fewer controls that are relevant. The controls that do apply still have to be implemented and kept operating, not just written down.
Can a startup with a handful of employees pass an ISO 27001 audit? Yes, provided the ISMS the company defined is actually operating the way its documentation says it does. Auditors are not checking headcount, they are checking whether the risk assessment, the Annex A controls in scope, and the Statement of Applicability match what is really happening on the systems in scope.
Last reviewed: July 12, 2026.
Where Scadable fits
Scadable is built for the small company that clears the eligibility question fine and then runs straight into the bandwidth one. The problem we solve is the same one across every framework we cover, SOC 2 included: we define the ISMS scope, run the risk assessment, implement the Annex A controls that are actually missing, and keep the evidence current through every annual surveillance audit, so your engineer or your founder is not the one carrying an ISMS on top of shipping product. It is real work done by a real team behind the scenes, not a checklist a small team still has to operate itself. Book a call to see what ISO 27001 looks like when it stops being your team's second job.
