Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu
Home Blog Can a Small Business be ISO Certified?

Can a Small Business be ISO Certified?

One of the questions we’re often asked is “can a small organization still become certified to a standard like ISO27001 or ISO22301?”.

In short the answer is “Yes of course!” but we’ll also give you a longer answer so that we can point out some of the ways in which being smaller is actually a benefit rather than a hindrance when implementing an ISO standard.

ISO standards such as ISO27001 are deliberately designed to apply to organizations in any industry and of any size and some of the reasons why it’s good to be small are as follows. We use ISO27001 as an example, but most of these points also apply to similar management system standards.

Choosing an RCB for your audit can be difficult

1. Decisions can be made more quickly

Typically there are fewer people involved in making decisions in a smaller company and so this can mean that they get made more quickly. From experience it also means that the people at the top are on board with the idea of getting certified so it helps with management commitment, which is an essential for success. Document review and approval can happen quicker too.

2. Communication lines are shorter

In a small organization the person you need to speak to may be in the same office so discussions can be quicker around subjects such as risks, processes, objectives and improvements. Ideas can be raised, discussed and approved or rejected face to face and with less overhead to organize. The number of people involved will also be less as in smaller organizations people often wear several hats i.e. they cover multiple areas of responsibility.

3. Training can be delivered faster

Fewer people, less time to train is a general rule so it’s possible to get around everyone in a small organization for things like awareness training and new procedures. This means that controls can be put in place faster and risks treated as soon as possible.

4. Less complexity

Compared to a large multi-national, a smaller organization will have simpler procedures, systems, information assets, products and services and governance structure so it shouldn’t take as long to understand them and assess the risks to them. It may also be easier to change them to make them more secure and your management system can be designed to be more streamlined.

5. The certification process is shorter

Registered Certification Bodies (RCBs) use a formula to work out how many days are needed to audit a specific company and the smaller you are, the shorter the audit. A one day Stage 2 (certification audit) is common for micro-businesses which also keeps the cost down.

But it’s not all positive...

However, in the interests of balance there are a few ways in which being smaller can be a disadvantage. These include:

  • Access to funds – budgets for training and other implementation activities may be restricted
  • In-house skills – you may need to buy in more skills as they may not exist in-house
  • Impact of staff turnover, holidays and sickness – key people being unavailable may affect your project more than it might in a larger team
  • Limited resources – people involved on the certification project may also have a day job and this can stretch the timescales more than you would like
  • It may make certain controls like segregation of duties more informal and potential for risk
  • The management system loses priority – it is a fact of life that the busier staff get with business priorities, that the maintenance and supporting operations of the management system could take a back seat. This has a real possibility of impacting your continued certification s its something to watch out for.

In summary

Be in no doubt that obtaining certification for a small organization is perfectly achievable and, as we have outlined, is in many ways easier than in a large organization with all those people and complexity. So if you’re a small business looking to certify to one or multiple ISO standards, we say go for it – you’ll soon see the benefits!

 

Editor’s note: The original post was published in November 2016, and updates have been made in February 2022 for accuracy and comprehensiveness.

More ISO Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO standard of your choice, go to our guidance pages where you can find more specific information about each standard and more downloadable resources.

More ISO Guidance

We’ve helped more than 7000 businesses with their compliance

Testimonials

Love the product, love the style, and especially the presentation. Every time I show it to executive levels, they are impressed with the overall view, and how it translates easily.

Net Road Show
USA

View all Testimonials

Cookie Control

CertiKit uses cookies to improve your user experience. Some are essential for our website to work, but for others you have a choice over which ones you’re happy for us to use.

Please set the controls below to enable or disable the types of cookies shown.

Nice to have cookies
What are these?

Advertising Cookies
What are these?

Cookie Policy