
What Does It Take To Get ISO 27001 Certified?  

Think ISO 27001 is too complicated or costly? Brolly’s CTO shares how it’s doable and why it’s worth it.

ISO 27001 isn’t just for big business. Brolly discovered that firsthand. 

As more government and regulated industries came on board as customers, questions about information security became more frequent, and ISO 27001 was often mentioned. 

“We always knew security was a priority for our customers,” says Brolly’s CTO, Ali. “ISO 27001 gave us a way to formalise what we were already doing and build even more trust with them.” 

So, we decided to pursue ISO 27001 certification. Not because we had to, but because it made business sense to strengthen our processes and remove barriers for our customers.  

Is it worth it for smaller tech companies? For us, the answer is a resounding ‘yes’. 

Why Brolly chose ISO 27001 

“ISO is about continuous improvement,” Ali explains, “and how you respond to risks and incidents.” 

Our team already had a strong culture of security – ISO gave us more structure.  

“A lot of what ISO requires, we were already doing,” Ali says. “We just had to formalise it.” 

As a globally recognised standard, ISO 27001 was the logical next step in our commitment to information security.

ISO certification for small businesses 

Ali admits he initially thought ISO 27001 was for large enterprises with deep pockets and big teams.  

“But the certification process showed us that smaller teams, like ours, can absolutely benefit. Around 80–85% of what we needed was already in place.”

The remaining 15–20% involved small but meaningful improvements, like endpoint protection on devices and better documentation of meeting decisions. 

Some steps may be more challenging for cloud-based teams, or those without many of the required processes.  

While some aspects of ISO lean toward larger organisations, smaller teams like Brolly have an advantage: “We move fast, communicate well, and don’t heavily rely on tools to stay aligned. That made the process simpler.”  

Easier than expected 

The hardest part? Knowing where to begin.  

“It took us a few months to determine where to start,” says Ali. “But once we locked in a date with the auditor, it all came together.” 

From there, we worked backwards to identify any gaps, leaned on internal knowledge, and used an online pack – no expensive consultants or automation tools. 

“Once we started, it went smoothly. The auditors even complimented the quality of our processes and documentation, which confirmed we were on the right track, and now we’ve got the certification to prove it.”

All up, it took less than two months for Brolly to get certified. 

Benefits of ISO 27001 certification 

ISO 27001 had an immediate impact on how we deal with customers:

“Now, instead of answering dozens of security questions, we can just say ‘yes, we’re ISO certified’. It builds trust straight away.”

It’s also shifted how we work internally.   

“As a tech company, we already live and breathe this stuff,” Ali explains. “ISO gave us a framework to prove it and improve it.” 

4 tips for ISO 27001 certification 

Ali’s advice for other businesses: 

  1. Set an audit date: it’s a deadline to work towards.
  2. Use online resources: templates and guides will help you understand what’s required.
  3. Don’t overcomplicate it: most of it will feel familiar.
  4. Be prepared to document: small changes go a long way. 

“It was easier than we expected. We kept thinking, ‘Is that it? Did we miss something?’” 

What’s next? 

Certification lasts for three years, with annual audits to ensure standards are maintained.  

For Brolly’s CEO, Nathan, the payoff is clear: 

“Really, ISO is an investment in trust. It gives our customers more confidence in what we deliver now that we have the official ‘stamp of approval’. It’s a box-ticking exercise in many ways, but it’s a meaningful one.”