ISO 27001 has become a practical business requirement for many Irish SMEs. It is showing up in procurement questionnaires, supplier onboarding forms, and tender mandatory criteria with increasing frequency. If you sell to enterprise clients, public sector bodies, or multinational companies operating from Ireland, the question is probably no longer whether to pursue certification — it is how and when.
This article gives you an honest account of what ISO 27001 involves, what it costs, and what you should expect from the process.
What ISO 27001 Actually Is
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). An ISMS is a systematic approach to managing sensitive company and customer information — covering people, processes, and technology — using a defined set of policies, controls, and risk management procedures.
The current version is ISO 27001:2022, which updated the 2013 edition. The 2022 revision restructured Annex A (the control reference catalogue) and added controls for threat intelligence, cloud security, data masking, and secure coding. Organisations certified under the 2013 version were required to transition to 2022 by October 2025.
Certification means an accredited third-party auditor has assessed your ISMS against the standard and issued a certificate confirming conformance. The certificate is valid for three years, subject to annual surveillance audits.
Why Irish SMEs Are Pursuing It
Three reasons dominate the conversations I have with Irish business owners:
Client demand. Enterprise procurement teams — especially in financial services, pharma, and tech — have standardised on ISO 27001 as a supplier security baseline. Being able to point to a current certificate removes friction from sales cycles and stops security questionnaires from becoming a bottleneck.
NIS2 alignment. ISO 27001 is not NIS2 compliance, but it covers substantial overlap. If you are subject to NIS2 as a significant or important entity, an ISO 27001 ISMS gives you a documented, audited framework that satisfies the majority of NIS2's risk management requirements. It also gives you evidence to show to a regulator.
Public sector tenders. Irish government procurement increasingly asks for demonstrated information security capability. ISO 27001 certification is the clearest way to evidence that capability without writing lengthy custom responses to each tender.
The Three Stages
Stage 1: Gap Assessment
Before you can build anything, you need to know where you stand. A gap assessment maps your current security controls, policies, and practices against ISO 27001 requirements and produces a prioritised list of what needs to be done.
For most Irish SMEs, this takes two to four weeks. The output is a report and a remediation roadmap. It is the most important investment in the project — a poorly scoped or superficial gap assessment leads to wasted effort and surprises during the audit.
Stage 2: Implementation
This is where most of the work happens. You build or update:
- An information security policy suite (acceptable use, access control, incident response, business continuity, and others)
- A risk register and formal risk treatment plan
- A Statement of Applicability (SoA) — a document declaring which of the 93 Annex A controls apply to your organisation and how
- Operational procedures for identified controls
- Asset inventories, supplier registers, and internal audit processes
- Records and evidence that the ISMS is operating — not just documented
The implementation phase typically runs three to six months, depending on starting maturity, team capacity, and how complex your scope is.
Stage 3: Certification Audit
The certification audit is conducted by an accredited certification body — organisations such as NSAI (the National Standards Authority of Ireland), BSI, Bureau Veritas, or similar. It happens in two parts:
- Stage 1 (Documentation Review): The auditor reviews your ISMS documentation to confirm it meets the standard's requirements and that you are ready for Stage 2.
- Stage 2 (Implementation Audit): The auditor assesses whether your controls are actually operating as documented. They will interview staff, examine records, and test whether the ISMS is real rather than a paper exercise.
Nonconformities raised during the audit must be closed before the certificate is issued. Minor nonconformities (gaps in documentation or isolated control failures) are typically closeable within a few weeks. Major nonconformities (systemic failures) require a re-audit.
Realistic Timeline
Plan for six to twelve months from decision to certificate. Faster is possible if your organisation already has mature security practices and a dedicated internal resource driving the project. Slower is common if security has historically been informal, if you have complex technical infrastructure, or if key people have limited capacity to prioritise the work.
Do not believe anyone who promises ISO 27001 certification in eight weeks. That timeline is technically possible only in the narrowest possible scope with a heavily pre-built template ISMS — and auditors are experienced at identifying template-generated documentation that lacks operational substance.
What It Costs
For an Irish SME, the total investment typically falls between €8,000 and €25,000 across the certification cycle. The variables are scope, organisation size, and how much external support you use.
Breakdown:
- Certification body fees: €3,000–€8,000 for the Stage 1 and Stage 2 audit, depending on organisation size and scope. Annual surveillance audits thereafter at €1,500–€3,000 per year.
- Consultancy or vCISO support: €5,000–€15,000 for gap assessment, policy development, and audit preparation. This is optional but significantly reduces internal time burden and increases first-attempt pass rate.
- Internal resource cost: The hidden cost. Someone internally must own the project. Budget for a meaningful portion of at least one person's time over the implementation phase.
- Tooling: ISMS platforms (Vanta, Drata, and similar) can reduce documentation overhead. Costs range from €3,000 to €10,000+ per year depending on the platform and your size.
How a vCISO Accelerates the Process
The gap assessment is where an external security advisor adds the most value — bringing a structured methodology rather than an internal team trying to assess themselves. Beyond that, a vCISO can own the policy development workload (which is substantial), prepare staff for auditor interviews, and manage the relationship with the certification body. For an SME without an internal security function, this is usually more cost-effective than the alternative of learning by trial and error through a failed first audit.
What Happens After Certification
The certificate does not close the project. The ISMS must operate continuously. Annual surveillance audits confirm the ISMS remains effective. Internal audits must be conducted at planned intervals. Management reviews must be documented. Incidents, nonconformities, and corrective actions must be recorded.
The organisations that get the most value from ISO 27001 are those that treat the ISMS as a management tool rather than a compliance artefact. The ones that struggle are those who certified and then filed the policies in a drawer.
If you are considering ISO 27001 certification and want an honest scoping conversation before committing, that is a reasonable first step. Know what you are getting into before you start.
James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.