Compliance · 8 min read

ISO 27001 for SMBs: A Realistic 90-Day Roadmap

What it actually takes for a small business to go from zero to ISO 27001 audit-ready in 90 days — and the honest pitfalls along the way.

By JITServices Team

ISO 27001:2022 certification is increasingly table stakes for SMBs selling into enterprise. Without it, you fail vendor reviews. With it, you unlock procurement processes that would otherwise stall for months.

Here’s what it actually takes to get there as a small business — and a 90-day roadmap that works if you commit to it.

Why ISO 27001 — and not SOC 2?

For SMBs serving enterprise clients globally, ISO 27001 is often the better starting point because:

  • It’s internationally recognized — SOC 2 is primarily a North American standard
  • It results in a certificate, not just a report — easier to share, less expensive to maintain
  • It’s structured around continuous improvement, not point-in-time observation
  • It maps cleanly to most other frameworks (NIST, CMMC, HIPAA), so future compliance is downhill

That said, if all your clients are US-based and demanding SOC 2 in their questionnaires, optimize for them. Both are legitimate paths.

What ISO 27001:2022 actually requires

The standard has two halves:

  1. Clauses 4–10: The Information Security Management System (ISMS). This is the management discipline — context, leadership, planning, support, operation, evaluation, improvement.
  2. Annex A: 93 controls grouped into 4 themes (organizational, people, physical, technological). You implement what’s applicable and document what isn’t, in a Statement of Applicability.

The certificate is awarded after a two-stage audit by an accredited certification body (CB). Stage 1 reviews your documentation; Stage 2 reviews your implementation.

The 90-day roadmap

This is aggressive. It’s achievable for an SMB with focused leadership and a competent partner, especially if you already have decent IT hygiene.

Days 1–15: Scope, context, leadership

  • Define ISMS scope (which parts of the company, which services, which data)
  • Identify interested parties and their requirements
  • Establish ISMS roles — who owns this on the leadership side
  • Conduct an initial risk assessment using a documented methodology
  • Adopt a risk treatment approach

Days 16–30: Risk treatment + Statement of Applicability

  • For each Annex A control: determine applicability, current status, and gap
  • Draft the Statement of Applicability (SoA) — your map of what controls apply, why, and how
  • Document a risk treatment plan with owners and target dates
  • Start core policies: Information Security Policy, Access Control, Acceptable Use, Cryptography

Days 31–60: Implementation sprint

This is the biggest block. Typical SMB gaps and the work to close them:

  • MFA on every account, especially admin accounts
  • Endpoint protection with EDR-class detection
  • Backup with offline/immutable copies and tested recovery
  • Logging and monitoring centralized and retained per policy
  • Access reviews quarterly, with documented evidence
  • Vendor management — security questionnaires, DPAs, ongoing review
  • Security awareness training rolled out with completion tracking
  • HR onboarding/offboarding with security checklists and evidence
  • Asset inventory of devices, software, and data flows
  • Incident response plan with at least one tabletop exercise

Days 61–75: Internal audit + management review

  • Internal audit against the standard — performed by someone independent of the controls being audited
  • Capture nonconformities and corrective action plans
  • Conduct the formal management review meeting with documented inputs and outputs
  • Update SoA and risk register based on what the audit revealed

Days 76–90: Audit prep + Stage 1

  • Select an accredited certification body and schedule Stage 1 + Stage 2
  • Complete evidence pack: policies, procedures, records, risk register, SoA, training logs, vendor inventory, internal audit, management review minutes
  • Stage 1 happens — typically a documentation review with light evidence sampling
  • Address any Stage 1 findings before Stage 2

Stage 2 typically follows 4–8 weeks after Stage 1, depending on the CB’s schedule.

The realistic version: 90 days to Stage 1, 6 months to certificate

Honest framing: 90 days is enough to be Stage 1 ready. The certificate itself usually arrives 2–4 months later once Stage 2 is scheduled, performed, and any findings are closed.

If anyone tells you 90 days to a printed certificate without a head start, they’re either selling you something or planning to take shortcuts that will collapse at the next surveillance audit.

The biggest mistakes SMBs make

  • Treating it as a documentation exercise. Auditors look for evidence of operation. A binder with no proof of running controls fails fast.
  • Setting scope too narrow to be useful. A certificate that covers only one product line, while the rest of the company ignores the controls, is worthless internally.
  • Choosing a CB on price. A poorly-respected certificate doesn’t open the enterprise doors you’re trying to open. Pick an accredited CB recognized by your largest clients.
  • Treating Stage 2 as the finish line. ISO 27001 requires ongoing operation. The surveillance audits happen annually, and they will find anything you stop doing.

What to do this week

  • Decide whether ISO 27001 is the right framework or whether SOC 2 / something else is better for your clients
  • Identify your scope hypothesis — what would be in, what would be out
  • Run a quick gap assessment against Annex A — even a rough one shows you the size of the work

Where JITServices fits

We take SMBs from “we think we need ISO 27001” through to the certificate — running the ISMS, authoring the policies, implementing the technical controls, and sitting next to you through Stage 1 and Stage 2. If a 90-day Stage 1 roadmap sounds like what you need, schedule a consultation.

#ISO 27001 #Compliance #SMB

Want to talk this through?

If something in this article maps to a real problem on your plate, we'd be happy to walk it through together — no pitch, just clarity.

What happens next

  1. You share what's on your plate — compliance, an audit, a recent incident, or just a feeling.
  2. We map your situation to the controls and outcomes that actually matter.
  3. You leave with a clear, prioritized next step — whether or not we work together.