ISO 27001 Policies for UK SMEs
16 cert-ready policies drafted for your business — not generic templates you have to rewrite. Rollout in days, not months.
ISO 27001 Core Set pack
16 policies · £400 one-off
Lifetime access · no renewal · bespoke to your business
What is ISO 27001?
Quick answer. ISO 27001 is the international standard for an Information Security Management System (ISMS). The current 2022 version reorganises Annex A into 93 controls across four themes — organisational, people, physical, technological. Certification by an accredited body evidences to UK enterprise buyers, financial-services clients and public-sector procurement that information security is run as an ongoing discipline rather than a one-off exercise.
ISO 27001 is the international standard for information security management. It's the certification UK enterprise buyers, financial services clients, and public-sector procurement teams expect before they'll trust you with their data. The current version is ISO 27001:2022, which restructured the Annex A controls into four themes — organisational, people, physical, and technological.
Certification requires a documented Information Security Management System (ISMS) — a set of policies, procedures, risk assessments, and evidence records that prove you run security as an ongoing discipline, not a one-off exercise. The policy layer is the foundation: auditors read every policy and test whether your day-to-day operations match what the policy says.
Who needs ISO 27001?
Quick answer. UK SaaS and tech companies, outsourced service providers handling regulated-industry data, MSPs facing cyber-insurance demands, scale-ups raising Series A or later, and public-sector suppliers above contract thresholds. It is the default request in enterprise vendor risk questionnaires; buyers often accept a committed roadmap from early-stage firms but expect a certificate once a vendor passes ~£1M ARR.
- UK SaaS and tech companies — it's the default expectation in enterprise RFPs and vendor risk questionnaires.
- Outsourced service providers handling customer data on behalf of regulated industries (financial services, healthcare, legal).
- UK managed service providers (MSPs) — increasingly required by insurers and by customers' own compliance teams.
- Scale-ups pursuing Series A or later — due diligence almost always asks for ISO 27001 or a committed roadmap to it.
- Public sector suppliers — frequently required alongside Cyber Essentials Plus for contracts above certain thresholds.
Policies you need for ISO 27001
Quick answer. ISO 27001:2022 does not prescribe a fixed list — Annex A lists 93 controls across four themes and the organisation documents its own approach to each. Most UK SMEs maintain 16 policies covering the highest-impact controls: information security, access control, acceptable use, cryptography, incident response, supplier security, data classification, business continuity, change management, secure development, physical security, HR security, asset management, remote working, backup and risk management.
The 2022 standard doesn't prescribe an exact list of policies — it lists controls in Annex A and expects you to document your approach to each. In practice, most UK SMEs maintain the following 16 policies, all included in our ISO 27001 Core Set pack:
- Information Security Policy: the top-level policy signed by leadership. Required by Clause 5.2.
- Access Control Policy: Annex A 5.15–5.18. Joiner/mover/leaver, privileged access, MFA.
- Acceptable Use Policy: Annex A 5.10. What employees can and can't do with company assets.
- Cryptography Policy: Annex A 8.24. Approved algorithms, key management, TLS standards.
- Incident Response Policy: Annex A 5.24–5.28. Detection, triage, containment, ICO notification.
- Supplier Security Policy: Annex A 5.19–5.22. Third-party risk, contractual requirements.
- Data Classification Policy: Annex A 5.12–5.14. How you label, handle, and dispose of data.
- Business Continuity Policy: Annex A 5.29–5.30. Recovery objectives, test cadence.
- Change Management Policy: Annex A 8.32. Approvals, rollback, separation of environments.
- Secure Development Policy: Annex A 8.25–8.31. SDLC, code review, secure testing.
- Physical Security Policy: Annex A 7.1–7.14. Office, clear desk, asset disposal.
- HR Security Policy: Annex A 6.1–6.8. Screening, training, leaver process.
- Asset Management Policy: Annex A 5.9–5.11. Inventory, ownership, acceptable use of assets.
- Remote Working Policy: Annex A 6.7. Home/hybrid working controls, BYOD, network standards.
- Backup Policy: Annex A 8.13. Frequency, retention, restore testing.
- Risk Management Policy: Clause 6.1 + 8.2–8.3. Risk assessment methodology and treatment.
Realistic timeline to certification
Quick answer. Most UK SMEs reach Stage 2 certification in 4–6 months from day zero. The traditional bottleneck is the 6–12 weeks of policy drafting; PolicySuite compresses that to 48 hours of structured questions and bespoke output. Then 6–8 weeks for evidence collection, 4 weeks for internal audit + management review, and 2–4 weeks for Stage 1 + Stage 2 audits.
Most UK SMEs reach Stage 2 certification in 4–6 months from day zero. PolicySuite compresses the policy-drafting phase from the traditional 6–12 weeks to 48 hours.
- Week 1: Scope + risk assessment. Buy the ISO 27001 Core Set, answer the structured questions, get 16 bespoke policies out in 48 hours.
- Week 2–3: Distribute policies, collect acknowledgements (built into PolicySuite), update infrastructure to match.
- Week 4–8: Evidence collection — logs, training records, supplier reviews, incident drills.
- Week 9–12: Internal audit + management review (both required by the standard).
- Week 13–16: Stage 1 audit (documentation review).
- Week 17–24: Stage 2 audit (operational audit) → certificate issued.
Policy packs for ISO 27001
- ISO 27001 Core Set: 16 policies · £400 · Annex A 2022 aligned · cross-sector
- InfoSec 38 Enterprise Pack: 38 policies · £900 · deeper coverage for enterprise buyers
- NIST CSF Alignment Pack: 12 policies · £400 · pairs with ISO 27001 for US buyers
- Startup Essentials: 10 policies · £250 · entry point for pre-certification SMEs
PolicySuite vs GRC platforms vs consultant vs DIY
Quick answer. GRC platforms (Vanta, Drata, SecureFrame) automate evidence collection but expect you to bring your own policies — typically £10k–£40k/year. Consultants write bespoke policies but charge £5k–£30k for a single ISO 27001 set with 6–12 weeks turnaround. DIY templates are cheap but generic and fail audit. PolicySuite produces bespoke, audit-ready ISO 27001 policies in 48 hours from £400.
UK SMEs typically compare four routes when sourcing compliance policies. Here's how they stack up on the decisions that matter.
| Criterion | PolicySuite | GRC platforms (Vanta, Drata, SecureFrame) | Compliance consultant | DIY templates |
|---|---|---|---|---|
| Typical cost | £250–£1,500 one-off | £10k–£40k per year | £5k–£30k one-off | £0 + your time |
| Pricing model | Lifetime purchase | Annual seat-based | Project fee | Free (indefinite effort) |
| Time to policies ready | 48 hours | 4–8 weeks setup | 8–16 weeks | Months — rarely finished |
| UK-specific content | ✓ Built for UK SMEs | Partial — US-originated | ✓ If UK consultant | Partial — ICO templates only |
| Bespoke to your business | ✓ LLM-tailored from your answers | Partial — fill-in-the-blank | ✓ Yes — manual | ✗ Generic template |
| Framework coverage | 197 frameworks · 8 jurisdictions | 20–50 frameworks | Whatever the consultant knows | Up to you to find |
| Audit-ready evidence | ✓ Acknowledgements, distributions, version history | ✓ Strong — but seat-priced | ✗ You track it yourself | ✗ You track it yourself |
| Suits <50-person SMEs | ✓ Designed for UK SMEs | ✗ Price-prohibitive at SME scale | Sometimes — depends on scope | ✓ If you have the time |
| Cost to switch away | ✓ You own the docs — export anytime | ✗ Lose access on cancellation | ✓ You own the docs | ✓ You own the docs |
Further reading
Frequently asked questions
What policies does ISO 27001 actually require?
ISO 27001:2022 requires a documented ISMS plus controls from Annex A. In practice, auditors expect around 14–20 documented policies covering information security, access control, acceptable use, cryptography, incident response, supplier management, data classification, business continuity, change management, secure development, physical security, HR security, asset management, and risk management.
How long does ISO 27001 certification take for a UK SME?
Realistic timeline for a 10–50 person UK SME is 3–6 months from policy rollout to Stage 1 audit, plus 1–2 months between Stage 1 and Stage 2. Policy drafting is typically the slowest phase — PolicySuite compresses that to 48 hours.
Do I need ISO 27001 or is Cyber Essentials enough?
Cyber Essentials is mandatory for UK government contracts and a good baseline. ISO 27001 is expected by enterprise buyers, financial services clients, and any customer with a vendor-risk questionnaire. Many UK SMEs do Cyber Essentials first, then ISO 27001 within 6–12 months. See our Cyber Essentials framework page.
Can I use ISO 27001 policy templates instead of writing my own?
Yes — but generic templates usually fail audit because auditors spot boilerplate immediately. PolicySuite policies are generated from structured questions about your business (size, sector, data types, infrastructure) so they read as bespoke rather than boilerplate.
What does the ISO 27001 Core Set pack include?
16 professionally drafted policies covering the core Annex A 2022 control areas — full list above. Lifetime access, bespoke to your organisation, editable in your admin console.
How much does ISO 27001 certification cost in the UK?
Certification-body audit fees for a UK SME typically run £5,000–£15,000 depending on scope and headcount. Add consultant fees (£5,000–£30,000 if outsourced) or internal time. PolicySuite's ISO 27001 Core Set pack replaces the policy-drafting portion entirely — live price shown at the top of this page.
Start your ISO 27001 policy rollout today
Get 16 bespoke ISO 27001 policies ready in 48 hours — lifetime access, no renewal.
Get Started — £400
References and primary sources
Quick answer. The framework guidance on this page is reviewed against the primary-source documents below. Each link resolves to an official regulator or standards-body publication so an auditor, procurement reviewer or DPO can verify the alignment without taking the page on trust.
- ISO/IEC 27001:2022 (ISO) — the international standard text and Annex A control set.
- NCSC product assurance scheme — the UK National Cyber Security Centre route to certification recognition.
- ICO security outcomes — the UK regulator’s expectations on security controls aligned to ISO 27001.
- NIST CSF (mapping) — the cross-walk most enterprise vendor questionnaires reference alongside ISO.
In our experience working with UK SMEs and similar organisations across the EU and US, the framework pages that survive enterprise vendor reviews are the ones that cite primary sources rather than secondary blog posts. Many UK SMEs discover this only after their first failed vendor questionnaire: the reviewer asked for a clause-to-source map and the standard reply pointed at a marketing page rather than the relevant regulator. The references above are the standing set we cite from inside the policies themselves, so the chain stays intact end-to-end.