I've been through this. I started a B2B SaaS and the very first customer required us to get it before we could go live.

I found engaging a specialist consulting company invaluable to guide us through understanding the spec and designing processes and policies that were proportionate to our size and skillset. But be warned, there are a lot of chancers in this space - e.g. I had a few companies say they could give us a pre-written set of policies and give us the cert in a couple of weeks. Do. Not. Do. This. This consultancy even sat in on our first external audit to help us work our way through it, which turned out to be critical as the auditor went off-beam and started faulting us for not doing things that weren't even in the spec. So this isn't something you can wing your way through - you have to become an expert and thoroughly understand the spec, and its implications, in depth.

I spent a couple of months, full time, on getting to grips with the spec, grinding down scope and coming up with the lightest-touch policies possible that would a) still be useful and b) satisfy the auditors. And yet it's still critically important that you get an auditor who understands small companies - there are still some out there that are adamant it has to be a massively cumbersome thing that takes entire teams just to run.

But, be warned, this does place an ongoing admin burden on your company that you wouldn't otherwise have. Documenting and evidencing actions that wouldn't necessarily need it before, as well as conducting your own internal audits to ensure you're still doing the things you said you'd do.

So I would not recommend getting it until you're forced to by a client.

The good news is I was able to argue all the things we were doing as a matter of course in our software dev lifecycle could be mapped directly onto 27001's requirements. Things like declaring that the documentation of our networking and infrastructure _is_ our terraform scripts. Just because an auditor doesn't know how to read them doesn't mean they're not a perfectly valid form of documentation for the team using them.

So, yes, small, agile companies can gain and maintain certification (our last external audit by the British Standards Institute was passed with no non-conformities), but it's hard work and means spending effort that doesn't directly add value to the business.
