One of the questions we’re often asked is “can a small organization still become certified to a standard like ISO27001 or ISO22301?”. In short, the answer is “Yes, of course!”, but I’ll also give you a longer answer so that I can point out some of the ways in which being smaller is actually a benefit rather than a hindrance when implementing an ISO standard. Official definitions of an “SME” vary by country and organization, but often it’s anything with fewer than around 250 employees, so it’s really any number from 250 down to a single-employee business, and ISO standards apply to any number within that range (yes, including one employee).
ISO standards such as ISO27001 are deliberately designed to apply to organizations in any industry and of any size, and some of the reasons why it’s good to be small are as follows. We use ISO27001 as an example, but most of these points also apply to similar management system standards such as ISO22301 and ISO/IEC 20000.
Typically there are fewer people involved in making decisions in a smaller company, so decisions can get made more quickly. From experience it also means that the people at the top are on board with the idea of getting certified, which helps with management commitment, something that is essential for success. Document approval can happen more quickly too.
In a small organization the person you need to speak to may be in the same office, so discussions can be quicker around subjects such as risks, processes, objectives and improvements. Ideas can be raised, discussed and approved or rejected face to face and with less overhead to organize. The number of people involved will also be smaller, as in small organizations people often wear several hats, i.e. they cover multiple areas of responsibility.
As a general rule, fewer people means less time to train, so it’s possible to get around everyone in a small organization for things like awareness training and new procedures. This means that controls can be put in place faster and risks treated as soon as possible.
Compared to a large multinational, a smaller organization will have simpler procedures, systems, information assets, products and services, and governance structure, so it shouldn’t take as long to understand them and assess the risks to them. It may also be easier to change them to make them more secure, and your management system can be designed to be more streamlined.
Registered Certification Bodies (RCBs) use a formula to work out how many days are needed to audit a specific company, and the smaller you are, the shorter the audit. A one-day Stage 2 (certification) audit is common for micro-businesses, which also keeps the cost down.
However, in the interests of balance there are a few ways in which being smaller can be a disadvantage. These include:
But be in no doubt that obtaining certification for a small organization is perfectly achievable and, as we have outlined, is in many ways easier than in a large organization with all of its people and complexity. So if you’re small, we say go for it – you’ll be glad you did.