A practical 6-month implementation plan for Irish SMEs. Understand the costs, timeline, and exact steps to achieve internationally recognised information security certification.
Why ISO 27001 Matters for Irish SMEs
Win Enterprise Contracts
Many large organisations require ISO 27001 from their suppliers
Reduce Breach Risk
Systematic approach to identifying and managing security risks
Regulatory Compliance
Supports GDPR, NIS2, and industry-specific requirements
Competitive Advantage
Differentiate your business with internationally recognised certification
What Does ISO 27001 Cost?
Irish SMEs may qualify for grants covering up to 50% of these costs.
| Cost range | Business size | Notes |
|---|---|---|
| €15K - €30K | Small SME (20-50 staff) | Simpler scope, fewer controls |
| €30K - €60K | Medium SME (50-150 staff) | Multiple offices or systems |
| €60K - €100K+ | Larger SME (150-500 staff) | Complex IT, multiple locations |
6-Month Implementation Timeline
A realistic timeline for Irish SMEs. Each phase builds on the previous one.
Phase 1: Gap Analysis & Planning
Weeks 1-4. Conduct ISO 27001 gap analysis against Annex A controls. Define scope of your ISMS (Information Security Management System). Identify key stakeholders and assign roles. Create project plan with milestones and deadlines.
Phase 2: Risk Assessment
Weeks 5-8. Identify information assets and their owners. Conduct formal risk assessment (likelihood × impact). Create risk treatment plan with prioritised controls. Document risk acceptance criteria and residual risks.
Phase 3: Policy & Controls Implementation
Weeks 9-16. Develop mandatory ISMS documentation (policies, procedures). Implement technical controls (access management, encryption, monitoring). Establish supplier management and third-party risk processes. Deploy security awareness training programme.
Phase 4: Internal Audit & Management Review
Weeks 17-20. Conduct internal audit against ISO 27001 requirements. Address non-conformities and observations. Hold management review meeting. Update risk register and treatment plans.
Phase 5: Certification Audit
Weeks 21-26. Stage 1 audit: documentation review by certification body. Address any Stage 1 findings. Stage 2 audit: on-site assessment of ISMS effectiveness. Receive ISO 27001 certification.