For many SMEs and startups, ISO/IEC 27001:2022 can feel challenging, especially when there is no dedicated compliance team. Smaller organisations may not have a CISO, GRC manager, or internal auditor on payroll. Despite these constraints, many lean companies may pursue certification successfully when following structured approaches, though results can vary.
For small teams, the question is less about whether ISO 27001 is technically achievable without dedicated staff, and more about which approaches are practical in a lean operating environment. This article explores practical considerations for lean teams, including what ISO 27001 may expect from smaller organisations, which responsibilities may need to be assigned even part-time, tasks that can often be handled in-house, areas where effort is sometimes underestimated, and approaches that may help make ISO 27001 more manageable for small teams.
TL;DR – Is ISO 27001 Possible Without a Compliance Team?
For SMEs and startups, pursuing ISO 27001 without dedicated compliance staff is achievable through a practical, ownership-based approach, though final certification always remains subject to the auditor’s independent assessment. Smaller teams may find success by:
- Assigning clear ownership for key responsibilities, even if part-time
- Using structured templates rather than creating documentation from scratch
- Focusing on maintaining consistent evidence rather than producing extensive paperwork
- Planning for ISO 27001 as an ongoing process, rather than relying on last-minute implementation
Activities that are often challenging for lean teams include:
- Treating ISO 27001 as a side project without any assigned owner
- Activating controls only a few weeks before an audit
- Expecting tools, consultants, or templates to fully manage compliance on their own
Why ISO 27001 Feels Hard Without a Compliance Team
ISO 27001 can be adapted for smaller teams, but common assumptions sometimes lead to unexpected challenges.
| Common Assumption | Practical Consideration |
|---|---|
| “We need a compliance hire” | Smaller teams often need clear ownership rather than additional headcount |
| “Auditors expect enterprise tooling” | Auditors generally focus on consistent evidence of controls |
| “Policies must be perfect” | Policies that are actively applied and referenced tend to be valued more than perfectly worded documents |
| “This is mostly documentation” | Demonstrating actual evidence of controls often carries more weight than the documents themselves |
Many small-team challenges arise from:
- Unclear or unassigned ownership of responsibilities
- Evidence collection starting too late in the process
- One individual informally handling all tasks without cross-checks
ISO 27001 does not inherently disadvantage lean teams; challenges are more often associated with undefined or inconsistent systems rather than team size or resources.
Common Auditor Expectations for Small Teams
ISO 27001 typically does not expect:
- A dedicated compliance department
- Specific job titles
- Expensive platforms
For small or lean teams, auditors generally look for evidence that you have:
- Defined the scope of your ISMS
- Assessed information security risks relevant to your operations
- Selected Annex A controls applicable to your context (93 controls under ISO/IEC 27001:2022)
- Assigned responsibility for key controls (even part-time roles can be sufficient)
- Applied controls consistently over a period of time
- Reviewed and considered improvements to the system
What “Evidence” Really Means
Auditors tend to focus on records that show controls are applied in practice:
- A Jira ticket showing when access was granted
- A Slack or email approval for administrative rights
- A quarterly access review spreadsheet with timestamps and sign-off
ISO 27001 generally emphasises practical operation of controls rather than purely theoretical documentation.
The 3-Month Rule Of Thumb
A common assumption among small teams is: “We will switch everything on right before the audit.”
What Auditors Typically Look For
Auditors generally assess operating effectiveness, not just whether something exists. In practice, they may look for:
- Evidence covering roughly three months of activity
- A sequence of records over time, each with what came before and after it, rather than a single snapshot
- Patterns and consistency, rather than isolated examples
This is not a formal ISO requirement, but it reflects a common expectation in audits. Teams that start collecting evidence only shortly before an assessment may find it challenging to demonstrate consistent operation.
Minimum ISO 27001 Roles for Small Teams
In small teams, individuals often take on multiple responsibilities. Thinking in overlapping “hats,” rather than formal job titles, can help assign ISO 27001 tasks efficiently. Actual responsibilities may vary depending on team size, skills, and availability.
1. ISMS Owner (often Founder or Operations Lead)
Typically responsible for overall ISMS coordination and leadership oversight.
Estimated time commitment is roughly 1 – 2 hours per week for smaller scopes, depending on complexity.
Common responsibilities may include:
- Coordinating ISMS activities and documentation
- Reviewing and approving risks and policies
- Participating in management review discussions
Teams may find it helpful to track key ISMS decisions and approvals in a central system.
2. Technical Control Owner (Engineering / IT)
Typically focused on technical and system-related controls.
Responsibilities may include:
- Implementing and maintaining technical controls
- Managing access, logging, and system changes
- Providing evidence related to configuration and operational changes
Automation tip: Exporting evidence from systems such as ticketing tools, version control platforms, device management systems, or cloud logs may help simplify record-keeping.
3. Operational Control Owner (Operations / HR)
Typically responsible for people, process, and supplier-related activities.
Responsibilities may include:
- Managing onboarding and security awareness activities
- Overseeing suppliers and third-party relationships
- Maintaining asset records and operational documentation
Automation tip: Shared checklists or lightweight tracking tools may help capture evidence consistently.
4. Internal Audit Responsibility (Independence Considerations)
In SMEs, individuals generally should avoid auditing their own work. Teams may rotate responsibilities, use peer review, or engage light external review to help maintain independence and reduce potential audit concerns.
Practical Options for Small Teams
- Peer review: CTO reviews Ops / HR; Ops reviews technical controls
- Reciprocal auditing: Swap audit responsibilities internally
- Light external assist: Engage a one-off internal audit review if needed
These approaches may help demonstrate separation of duties, even in very small teams.
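The three-month rule of thumb and the independence options above can be checked mechanically against an evidence register. The script below is an added illustration, not code from the article or from Chill Compliance; the record fields, the 90-day window, the 30-day maximum gap and the sample entries are all constructed assumptions.

```python
# Added example (not from the article or Chill Compliance): continuity and independence
# checks over a constructed evidence register; window and gap sizes are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class EvidenceRecord:
    control: str       # control being evidenced (label is illustrative)
    when: date         # date the activity took place
    performed_by: str  # who ran the control
    reviewed_by: str   # who checked it; empty string if nobody did
    ref: str           # ticket, sheet or message reference (constructed)

def check_control(records, control, audit_date, window_days=90, max_gap_days=30):
    """Findings for one control; [] means evidence spans the window, has no long gaps, and was reviewed by someone other than the doer."""
    hits = sorted((r for r in records if r.control == control), key=lambda r: r.when)
    if not hits:
        return [f"{control}: no evidence at all"]
    findings = []
    window_start = audit_date - timedelta(days=window_days)
    if hits[0].when > window_start:
        findings.append(f"{control}: coverage starts {hits[0].when}, after {window_start}")
    for prev, cur in zip(hits, hits[1:]):
        gap = (cur.when - prev.when).days
        if gap > max_gap_days:
            findings.append(f"{control}: {gap}-day gap between {prev.when} and {cur.when}")
    if (audit_date - hits[-1].when).days > max_gap_days:
        findings.append(f"{control}: latest record {hits[-1].when} is stale at audit")
    for r in hits:
        if not r.reviewed_by:
            findings.append(f"{control}: {r.ref} has no reviewer")
        elif r.reviewed_by == r.performed_by:
            findings.append(f"{control}: {r.ref} reviewed by the person who performed it")
    return findings

# Constructed sample: monthly access reviews run by Ops and checked by the CTO,
# plus one self-reviewed restore test added shortly before the audit date.
AUDIT_DATE = date(2024, 4, 15)
SAMPLE = [
    EvidenceRecord("access-review", date(2024, 1, 10), "ops", "cto", "SHEET-Q1-01"),
    EvidenceRecord("access-review", date(2024, 2, 8), "ops", "cto", "SHEET-Q1-02"),
    EvidenceRecord("access-review", date(2024, 3, 6), "ops", "cto", "SHEET-Q1-03"),
    EvidenceRecord("access-review", date(2024, 4, 3), "ops", "cto", "SHEET-Q2-01"),
    EvidenceRecord("restore-test", date(2024, 4, 1), "eng-a", "eng-a", "TICKET-0042"),
]

if __name__ == "__main__":
    for c in ("access-review", "restore-test"):
        print(c, check_control(SAMPLE, c, AUDIT_DATE) or "OK")
```

The monthly access reviews pass cleanly, while the restore test is flagged twice: it does not cover the window, and the same person performed and reviewed it.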
Common Pitfalls vs Practical Approaches
| Common Pitfall | More Sustainable Approach |
|---|---|
| Turning on controls just before audit | Running controls consistently over time to demonstrate ongoing activity; auditors typically look for patterns rather than last-minute setup |
| One person responsible for everything | Clear, shared ownership across team members; reduces errors and demonstrates accountability |
| A large volume of generic policies created by a consultant | A smaller set of policies aligned to actual workflows and processes; easier to maintain and apply consistently |
| Expecting a GRC tool to “do compliance” for you | Simple registers or spreadsheets that the team actively maintains; keeps evidence practical and verifiable |
Activities Frequently Managed In-House
For lean teams without dedicated compliance staff, the following activities can often be handled internally:
- Risk assessment: Apply simple, consistent scoring to key information security risks. Small teams can manage this because it requires judgment and documentation rather than large teams or complex tooling.
- Statement of Applicability: Maintain and update your SoA based on selected controls. Updating a list of controls is manageable in-house as long as the scope is clear and the team tracks changes over time.
- Policy ownership: Assign responsibility for policies to specific team members. Even a part-time owner can keep policies relevant if responsibilities are clearly assigned.
- Evidence collection: Gather and retain records that demonstrate control operation over time. Structured templates and automated logs make this feasible without dedicated staff.
- Internal audit: Teams may consider conducting internal audits with independence in mind, for example through peer review or reciprocal arrangements. Small teams can rotate responsibilities or engage light external review to maintain audit separation without hiring additional staff.
Templates may help reduce drafting effort, but do not replace ongoing operation and monitoring.
Implementation vs Maintenance
Certification may feel like the main goal, but ongoing operation and monitoring often require regular attention.
What Maintenance May Look Like
A practical post-certification routine for lean teams may include:
- Quarterly check-in: Small teams can review access and permissions, update risk assessments, and account for supplier or process changes efficiently.
- Annual internal audit: May be conducted through peer review or light external support to maintain independence.
- Annual management review: A short meeting can confirm that the ISMS remains aligned with business needs.
These activities may support the ongoing operation of the ISMS without over-engineering the system.
When External Help May Be Useful
Small teams may find targeted external support helpful for:
- Annex A interpretation: A consultant may quickly highlight which of the 93 controls are most relevant for a specific business, saving time and reducing guesswork.
- Maintaining internal audit independence: A brief external review may validate that peer review arrangements are functioning as intended.
- Pre-audit sanity checks: A short engagement before formal assessment may identify gaps in evidence or scope, without requiring full-service consulting.
These scenarios illustrate that external help can be limited and focused, rather than a full-time engagement, making it suitable for SMEs and startups with lean resources.
What Auditors Typically Focus On
Auditors often pay attention to:
- Ownership of responsibilities
- Evidence over time showing controls in operation
- Independence in audits and reviews
- Traceability between policies, controls, and records
Though expectations may differ, auditors generally place less emphasis on:
- Fancy tools or platforms
- Lengthy policies
- Job titles
- Perfect answers
Their focus tends to be on practical systems rather than formalities or promises.
Final Reality Check for Small Teams
For teams without dedicated compliance staff, ISO 27001 may be more approachable if they consider:
- Clear hats – Well-defined responsibilities even in small teams.
- Starting early – To accumulate evidence over time.
- Practical scope – Focusing on relevant processes and risks.
- Structured templates – To reduce unnecessary drafting effort.
Time, evidence, and ownership remain important factors in how ISO 27001 implementation may work in lean teams, but outcomes may vary depending on auditor expectations and implementation quality.
Closing Thought
Focusing on practical processes, consistent evidence, and shared responsibilities can help small teams approach ISO 27001, though certification is not guaranteed. By taking incremental, structured steps, SMEs and startups can work towards effective information security without overcomplicating their ISMS.
Next Step: Explore our ISO 27001 templates to help organise key policies, risk registers, and essential records in a practical, manageable way for your lean team.
Next Article: In ISO 27001 for Small Teams: What to DIY and What to Outsource (The Hybrid Guide), we explore which ISMS tasks are practical for small teams to manage in-house and which are best supported by external expertise.
Related Guides
Explore these ISO 27001 resources to help your SME build a practical, lean ISMS:
Start Here: Complete Guide
- ISO 27001 for SMEs and Startups: The Chill Implementation Guide (2026 Edition) – Full roadmap covering all clauses and Annex A controls, with practical steps, examples, and guidance.
Practical Checklists and Essential Documents – Detailed Guides by Topic
- ISO 27001 for Small Teams: What to DIY and What to Outsource (The Hybrid Guide) – Practical guidance for SMEs on dividing ISO 27001 tasks between internal teams and external support to maintain oversight and efficiency.
- ISO 27001 Incident Management Workflow: A Practical Template for SMEs – Step-by-step guidance for small teams to handle security events, preserve records, and maintain a structured approach.
- Exploring Evidence Collection: A Perspective on ISO 27001 Annex A.5 for SMEs – Practical guidance for SMEs to capture digital, traceable evidence linking policies, roles, and operations for ISMS oversight.
- Common ISO 27001 Audit Artefacts: Observations on SME Preparations – Practical guidance for SMEs to organise ISO 27001 audit artefacts and support traceable ISMS evidence.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.
This article also mentions examples of commonly used tools. Chill Compliance does not endorse any vendor and has no commercial or affiliate relationship with the providers listed. These examples are for general information only, and readers may wish to evaluate each tool independently, as features and pricing can vary.