
Can a 20-Person Company Really Get ISO 27001 Certified? A Direct Answer.

Muhammad Waleed, Lead Consultant, Pixelette Certified

Yes. That is the short answer. The longer answer is that ISO 27001 was designed to scale to organisations of any size, the certification body assesses you against your scope and your risk profile rather than your headcount, and small companies routinely achieve and maintain certification. We have certified companies as small as 8 employees. But the question gets asked for a reason. Founders of 20-person companies hear about ISO 27001 in the context of large enterprise programmes and quietly assume it is not for them: that the cost will be disproportionate, that the audit will find them lacking, or that the standard is overkill for the size of business they run. All three assumptions are wrong, in specific ways.

ISO/IEC 27001:2022 is a scope-driven standard. The auditor assesses your Information Security Management System against the scope you define and document (Clause 4.3), not against an external benchmark. If your scope is "the development, deployment and operation of your product for UK customers, supported by 20 employees, hosted on AWS, with no on-premise infrastructure," the auditor evaluates whether your ISMS adequately addresses that scope. They do not compare you to a 2,000-employee bank. This is the structural reason small companies can certify. The standard does not assume any particular size. It assumes a defined scope and a proportionate response to the risks within that scope. Two caveats a practitioner should keep in mind: the scope statement is printed on the certificate, so a scope that excludes the product your customers actually buy will not satisfy the procurement team that asked for it; and Clause 4.3 requires the scope to account for interfaces and dependencies with anything outside it, so outsourcing a function (payroll, hosting, support) does not remove it from the auditor's view, it turns it into a supplier relationship you must show you manage.

Counterintuitively, ISO 27001 is often easier to implement at 20 employees than at 200. First, the scope is smaller: a 20-person company typically has one product, one cloud provider, one identity provider, one office or none, and one or two sub-processors. The asset inventory is short, the data flow diagram fits on a page, and the risk register has 80 to 120 entries rather than 500. Second, decision-making is faster: ISO 27001 requires policies to be approved at management level, controls to be implemented across the organisation, and behaviours to change. At 20 employees, the founder makes the decision in the morning and it is implemented by the afternoon. Third, evidence is more centralised: a 20-person company typically has a single Slack workspace, a single GitHub organisation, a single AWS account, and a single HR system, so the access reviews, change records, onboarding and offboarding checklists and log samples the auditor asks for come from a handful of consoles rather than dozens.

The one thing that is genuinely harder at smaller scale is internal capacity. ISO 27001 requires named accountability for the ISMS, regular internal audits, management review, and ongoing maintenance. At 20 employees, there is no dedicated Information Security Manager, no compliance team, no internal audit function. The work falls on the founder, the CTO, or the operations lead, in addition to their day jobs. Internal audit is the sharpest example: Clause 9.2 requires the audit to be objective and impartial, which in practice means the person who built a control should not be the one auditing it, and in a 20-person company that usually means buying the internal audit in rather than doing it yourself. This is the real constraint for small companies. Not the cost of certification. Not the complexity of the standard. The opportunity cost of senior time during an intense growth period. The solutions are efficient consultancy that minimises the internal time required, typically 40 to 60 internal hours across a 10-week engagement, and post-certification vCISO or managed advisory support that operates the ISMS on your behalf.

For a 20-person UK technology company, ISO 27001:2022 implementation typically costs: implementation at 8,500 to 12,000 pounds fixed fee, UKAS-accredited certification body fees at 3,000 to 5,000 pounds for Stage 1 and Stage 2 combined, internal time of 40 to 60 hours of senior time across the 10-week engagement, and an optional vCISO or managed advisory subscription post-certification at roughly 800 to 1,500 pounds per month. Total first-year visible cost: 12,000 to 18,000 pounds. Annualised across the three-year certification cycle, the cost is roughly 6,000 to 10,000 pounds per year; that figure should include the surveillance audits the certification body conducts in years two and three and the recertification audit at the end of year three, which are smaller than the initial Stage 1 and Stage 2 but are not free. For a 20-person company with even one enterprise contract worth 80,000 pounds or more in year-one ARR, the calculation is uncontroversial.

Three scenarios where a 20-person company should defer certification. First, the company has no enterprise customers, no enterprise pipeline, and no plan to enter the enterprise market. Second, the company is pre-product-market-fit and senior time should be focused on customer discovery and product iteration. Third, runway is under three months and capital is more valuable than certification. Outside those three scenarios, the answer is yes.

UKAS-accredited certification bodies routinely audit organisations of every size. The auditor walking into your 20-person company has audited a hundred similar businesses in the last year. They are not surprised by your size. They are not looking for enterprise-scale processes. They are looking for evidence that the controls you claim to operate are actually operating, that the policies are followed, that the management system is real and not theatrical. A 20-person company that genuinely operates a small but real ISMS is well placed to pass first time; a handful of minor nonconformities at Stage 2 is normal and is closed with a corrective action plan rather than a failed audit. A 2,000-person company with elaborate processes that no one follows will fail. Size is not the variable. Authenticity is.
