Introduction
A large enterprise client has just sent you a tender document.
Somewhere in the requirements, one line stops you cold: "Suppliers must hold ISO 27001 certification or be able to present a certification roadmap within 6 months."
You put the document down. You know the acronym — you've heard it mentioned in meetings, in RFPs, or from a competitor.
But what does it actually mean for your business? How much does it cost, how long does it take, and where do you even start?
1. ISO 27001: Beyond the Label, a Real Transformation
ISO 27001 is the international reference standard for information security. It defines the requirements for an Information Security Management System (ISMS) — a structured set of policies, processes, responsibilities, and controls that allow an organisation to manage its information-related risks in a continuous and structured way.
The current version (ISO 27001:2022) covers 93 security controls organised into four themes:
Organisational
Everything related to governance and the rules of the game:
- Security policies,
- Role and responsibility management,
- Supplier relationships,
- Incident management,
- Business continuity,
- Legal and regulatory compliance.
People
This theme covers the full employee lifecycle, from recruitment to departure, and everything related to their behaviour around security:
- Pre-employment background checks,
- Contractual clauses,
- Awareness and training,
- Disciplinary procedures for non-compliance.
Physical
Everything that protects physical spaces and equipment:
- Access control to buildings and server rooms,
- Protection against disasters (fire, flooding),
- Equipment security,
- Secure disposal of storage media,
- Clean desk policy.
Technological
The most extensive category:
- Identity and access management,
- Encryption,
- Logging and monitoring,
- Network security,
- Vulnerability management,
- etc.
Being compliant with ISO 27001:2022 is more than a one-off audit you pass once to collect a certificate. It is a living governance framework, built on a continuous improvement cycle: plan, do, check, act.
In practical terms, for your business, this means:
- Formalising how you manage access rights,
- Backing up your data,
- Responding to incidents,
- Training your staff on security,
- And selecting your suppliers in a way that supports this compliance.
What many business leaders discover along the way is that certification transforms both the IT team's practices and the overall organisation in equal measure.
2. Who Does This Actually Affect?
Three years ago, ISO 27001 was largely the domain of large enterprises, telecoms operators, and financial sector players.
That is no longer the case. Today, the triggers are multiplying for SMEs.
The first trigger remains the tender process (public or private) that includes a security clause.
The second is the industry itself: if you handle health data, financial data, or if you are a subcontractor to an entity covered by the NIS2 directive, certification is no longer optional.
The third trigger is perhaps the most common: an existing client informs you that ISO 27001 is becoming a contractual requirement from the next contract renewal. It is no longer an option or even a recommendation — it is a condition. And often, the deadline is tight.
Information security has become a systematic criterion in the supplier qualification processes of European large accounts. For ambitious SMEs, this is increasingly not a choice.
3. The Certification Journey, Step by Step
The path to ISO 27001 certification unfolds in five key stages. Realistically, you should expect between 9 and 18 months for an SME, depending on its initial maturity level and the resources committed.
1. Gap analysis
Understanding where the organisation currently stands relative to the standard's requirements. This is the essential starting point for accurately scoping the effort ahead.
2. Implementing the ISMS
Drafting policies, assigning responsibilities, and defining the certification scope.
3. Risk treatment
Identifying critical assets, assessing threats, and documenting the controls selected or excluded in accordance with Annex A of the standard.
4. Internal audit and management review
An internal audit — a formal review conducted in-house or by a third party — followed by a formalised management review.
5. Certification audit
An accredited certification body carries out the certification audit in two stages:
- A documentation review
- An on-site audit to verify real-world implementation
Certification is valid for three years, with annual surveillance audits.
4. What Does It Actually Cost?
This is the question everyone asks and few articles dare to answer with real numbers. The figures below are estimates — they vary according to the size of the organisation, its initial maturity, the certification scope, and the level of external support chosen. Treat them as benchmarks, not as quotes.
Based on practices observed in 2025–2026, an external consultant or integrator typically represents the most variable part of the budget: commonly cited ranges run from €15,000 to €50,000 for a mixed approach, where the company remains actively involved. Full outsourcing can easily exceed €100,000.
The certification audit with an accredited body represents an estimated cost of between €5,000 and €15,000.
On top of this comes a significant internal workload: between 0.5 and 1 full-time equivalent over 6 to 12 months.
Finally, tooling — GRC software, document management, risk tracking — typically represents between €2,000 and €10,000 per year.
For an SME of 50 to 200 people taking a mixed approach, the first-year investment generally falls between €25,000 and €80,000, followed by €8,000 to €20,000 per year to maintain certification.
These are order-of-magnitude figures consistent with available benchmarks, but your actual situation will depend on a prior gap analysis.
Worth noting: certain subsidies and support programmes can cover a significant portion of these costs — a lever that is often overlooked.
A well-chosen GRC tool, such as the solution developed by Prism Technology on Odoo, can significantly reduce the documentation burden and therefore the reliance on external consultants — and with it, the overall bill.
5. The 3 Mistakes That Cause Failure
The first mistake, and by far the most common, is treating ISO 27001 as an IT project.
It is a business-wide project. Without active involvement from senior leadership and business functions, policies remain lifeless documents — and the certification audit will expose this without mercy.
The second mistake is underestimating the documentation workload without a dedicated tool.
Managing compliance evidence — versioned policies, risk registers, audit logs, management review minutes — quickly becomes unmanageable in spreadsheets.
The third mistake is preparing for certification without thinking about how to sustain it over time.
Obtaining the certificate is one milestone; keeping it is another. The standard requires annual surveillance audits and ongoing ISMS review.
Organisations that don't plan for maintenance from the outset find themselves repeating most of the work two years later.
6. How a GRC Tool Changes the Game
This is where a native GRC platform makes a tangible difference.
At Prism Technology, we have built a GRC solution on Odoo that centralises all ISMS documentation, automates policy review reminders, generates compliance evidence on demand, and provides real-time visibility into control progress.
For the SMEs using it through their certification journey, the time spent on documentation preparation is reduced because much of the data already lives in their Odoo ERP. This translates directly into fewer consulting days billed and less pressure on internal teams.
Compliance is no longer a year-end scramble: it becomes a continuous, visible, and manageable process.
Conclusion
ISO 27001 is not out of reach for an SME — it is, above all, a matter of organisation and the right tooling.
The companies that succeed in their certification are not necessarily the largest or the most technically advanced: they are the ones that approached the project methodically, with the right partners and the right tools from the start.
At Prism Technology, we make the ISO 27001 certification journey easier for SMEs with our native GRC solution on Odoo.
Want to know where you actually stand?