Does my small business need ISO 27001?

Almost certainly not. ISO 27001 is the international standard for an information security management system (ISMS): a documented, externally audited programme covering policies, risk assessment and treatment, supplier management and continual improvement, with annual surveillance audits after certification and a full recertification audit every three years:

  • The cost — certification typically costs tens of thousands of dollars in consultancy and audit fees, plus a sustained internal effort to write and maintain the documentation, run the risk process and host the auditors, which is why it is a deliberate commercial decision rather than a hygiene measure.
  • The honest trigger is contractual — a small business needs ISO 27001 when a customer (usually an enterprise or government buyer) makes it a condition of doing business and the revenue justifies the overhead.
  • Without that trigger — certification buys a small business very little that the basics do not: a correctly configured website (TLS everywhere) and email domain (SPF, DKIM and DMARC), backups that have actually been restored from, multi-factor authentication on every account that can reach company data, and staff who can spot a phishing email.
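"Verifiably right" means checking, not assuming. As an added illustration (not part of the original article), the Python below evaluates the two email-authentication DNS records a small business most often gets wrong, SPF and DMARC, and reports the weaknesses a receiving mail server would care about. The record strings are constructed samples standing in for what a TXT lookup of the domain and of `_dmarc.<domain>` would return; the function and domain names are the example's own.

```python
"""Offline sanity check of SPF and DMARC TXT records (added example, not the article's code)."""
import re

# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _spf_mechanism(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument from an SPF term, e.g. '-include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing obviously wrong."""
    findings: list[str] = []
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (must start with v=spf1)"]
    terms = record.split()[1:]
    all_terms = [t for t in terms if _spf_mechanism(t) == "all"]
    if not all_terms:
        # With no 'all' (and no redirect) unlisted senders evaluate to neutral: no protection.
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{last}' gives unlisted hosts a pass/neutral result: no protection")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to '-all' once every legitimate sender is listed")
    lookups = sum(1 for t in terms if _spf_mechanism(t) in _LOOKUP_MECHANISMS)
    if lookups > 10:
        # Over the limit the record evaluates to permerror, which most receivers treat as "no SPF".
        findings.append(f"{lookups} DNS-querying mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing obviously wrong."""
    findings: list[str] = []
    if not record.startswith("v=DMARC1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"malformed tag '{part}'")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag; receivers treat the record as invalid or as p=none")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports never arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    return findings


def audit_domain(spf_record: str, dmarc_record: str) -> dict[str, list[str]]:
    """Combine both checks into one report for a domain."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


# Constructed sample records (hypothetical domains) standing in for real DNS TXT lookups.
SAMPLES = {
    "weak.example": (
        "v=spf1 include:_spf.example.net ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ),
    "hardened.example": (
        "v=spf1 mx include:_spf.example.net -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    ),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        report = audit_domain(spf, dmarc)
        status = "OK" if not (report["spf"] or report["dmarc"]) else "FIX"
        print(f"{domain}: {status}")
        for kind, items in report.items():
            for item in items:
                print(f"  {kind}: {item}")
```

Run against live DNS, the same two functions take the TXT strings returned by any resolver library; the point is that the weak record passes a "do we have SPF and DMARC?" questionnaire while offering no real protection, and the check makes that visible in seconds.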

Get the basics verifiably right first; pursue the certificate when a contract pays for it.