Executive summary · TL;DR
Implementing ISO 27001 in a Spanish SME of 10-100 employees costs between 15,000 EUR and 50,000 EUR, covering external consulting, training, tools and certification body fees. A realistic timeline is 9-14 months in five phases: diagnosis (1 month), design (2 months), implementation (5 months), internal audit (1 month) and certification (1-2 months). The most expensive mistake is tackling documentation before fixing the scope: rewriting 40 procedures because the scope eventually excluded three departments delays certification by 4-6 months.
Why implement ISO 27001 in a Spanish SME in 2026
Until 2023 ISO 27001 was a standard associated with large enterprises that had their own security department. Three factors brought it onto the Spanish SME radar in two years. The first is the entry into force of the new National Security Framework reformed by Royal Decree 311/2022, which requires every supplier of the Spanish Public Administration to align with an equivalent framework. ISO 27001 offers the cleanest mapping to the ENS and, except for the HIGH category, allows the SME to reuse 80% of the work between the two.
The second factor is supply chain pressure. Banks, insurers, large technology integrators and the Public Administration itself already require in their tenders that the supplier holds ISO 27001 or is in the process of certifying. Companies that sold without problems until 2024 now find themselves with clauses that lock them out of public tenders because they lack the certificate.
The third factor is European regulatory pressure. NIS2, DORA and the AI Regulation (Regulation EU 2024/1689) incorporate information security obligations that an ISO 27001 ISMS already largely solves. Implementing it is not just about certifying: it is about building the compliance muscle that other regulations will demand over the next 24 months.
The good news: cost and timelines have become professional. A 30-person SME in Castilla y Leon can certify in 12 months with a budget of 20,000-30,000 EUR working with an experienced external consultant and applying available grants. The figures in this article come from real projects in DO Ribera del Duero wineries, professional firms and industrial SMEs I have supported since 2022.
Realistic 12-month timeline (phase by phase)
The timeline below is calibrated for an SME of 20-60 employees, single scope (one site, main cloud infrastructure in Microsoft 365 or Google Workspace and one or two business applications). Companies with multiple sites or in-house software development must add 2-4 extra months.
Month 1 · GAP diagnosis and scope definition
The first month determines project success. A GAP analysis is run against the 93 Annex A controls of ISO 27001:2022. The ISMS scope is decided: which sites, which processes, which systems, which data. Scope is the most expensive decision to revise later: changing scope in month 8 means rewriting the SoA, part of the risk analysis and at least 8-10 procedures.
The security officer is formally designated (CISO if one exists, or IT manager with authority) and the security committee is constituted with representation of management, IT, HR and operations. Without a committee that has real authority the project derails.
Months 2-3 · ISMS design and corporate policies
Corporate policies are drafted: general information security policy, access control policy, acceptable use policy, business continuity policy, supplier management policy and information classification policy. They are not six 30-page documents: the real SME needs six 4-6 page documents that people will actually read.
Each policy is formally approved by management with date, signature and version number. They are communicated to staff with acknowledgement of receipt. That acknowledgement of receipt will be one of the first pieces of evidence the auditor asks for on day one.
Month 4 · risk analysis with MAGERIT methodology
The risk analysis is the heart of the ISMS. It starts with a complete asset inventory: information (customer databases, billing, contracts, HR), software (ERP, CRM, SaaS tools), hardware (servers, user equipment), services (cloud, internet connection, energy) and people (key responsibilities, business-critical roles).
For each asset, threats are identified (unauthorised access, ransomware, human error, power failure, supplier leakage) and vulnerabilities (weak passwords, no encryption, no offline backups). Inherent risk is rated combining probability and impact on a 5x5 matrix. Safeguards are chosen. Residual risk is calculated.
For a 30-person SME the analysis runs to 80-150 assets. Doing it properly takes 3-4 weeks of focused work. The PILAR tool from the CCN-CERT is free and sufficient for this scale.
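The register below is an added illustration of the rating mechanics just described, written for this article; it is not the PILAR tool nor any MAGERIT or CCN-CERT code. The assets, threats, ratings and safeguards are constructed sample data, the "levels subtracted" reduction model and the high/medium/low thresholds are simplifying assumptions, and the justification check exists because the auditor will ask for the reasoning behind every rating. It goes slightly beyond the text by also flagging ratings left without justification.

```python
"""Risk register for a MAGERIT-style analysis on a 5x5 matrix.

Added illustration for this article: it is not the PILAR tool nor any
CCN-CERT or MAGERIT code. The assets, threats, ratings, safeguards and
the reduction model are constructed assumptions, chosen to show inherent
risk, residual risk after safeguards, and the justification check.
"""
from dataclasses import dataclass, field

@dataclass
class Rating:
    value: int          # 1 (very low) .. 5 (very high)
    justification: str  # the reasoning an auditor will ask for

@dataclass
class Safeguard:
    name: str
    prob_reduction: int = 0    # levels subtracted from probability (assumed model)
    impact_reduction: int = 0  # levels subtracted from impact (assumed model)

@dataclass
class RiskEntry:
    asset: str
    threat: str
    probability: Rating
    impact: Rating
    safeguards: list = field(default_factory=list)

def clamp(level: int) -> int:
    """Keep a level on the 1..5 scale of the matrix."""
    return max(1, min(5, level))

def inherent_risk(entry: RiskEntry) -> int:
    """Cell of the 5x5 matrix before safeguards: probability x impact (1..25)."""
    return entry.probability.value * entry.impact.value

def residual_risk(entry: RiskEntry) -> int:
    """Same product after applying every safeguard's reduction."""
    p = entry.probability.value - sum(s.prob_reduction for s in entry.safeguards)
    i = entry.impact.value - sum(s.impact_reduction for s in entry.safeguards)
    return clamp(p) * clamp(i)

def risk_level(score: int) -> str:
    """Bands on the matrix; the thresholds are an assumption, not a MAGERIT value."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def missing_justifications(register):
    """Ratings with no written justification: what the auditor spots in 15 minutes."""
    gaps = []
    for e in register:
        for name, r in (("probability", e.probability), ("impact", e.impact)):
            if not r.justification.strip():
                gaps.append((e.asset, e.threat, name))
    return gaps

def summarise(register):
    """Map (asset, threat) -> inherent and residual scores and levels."""
    out = {}
    for e in register:
        inh, res = inherent_risk(e), residual_risk(e)
        out[(e.asset, e.threat)] = {
            "inherent": inh, "inherent_level": risk_level(inh),
            "residual": res, "residual_level": risk_level(res),
        }
    return out

def build_sample_register():
    """Three constructed entries; the second deliberately lacks a justification."""
    return [
        RiskEntry("ERP database", "ransomware",
                  Rating(4, "phishing incidents last year, no offline backups"),
                  Rating(5, "billing and shipping stop until restored"),
                  [Safeguard("MFA + EDR on all endpoints", prob_reduction=2),
                   Safeguard("offline backups with tested restoration", impact_reduction=2)]),
        RiskEntry("Customer contracts", "unauthorised access",
                  Rating(3, "shared folder, permissions never reviewed"),
                  Rating(4, ""),  # missing justification on purpose
                  [Safeguard("quarterly privilege review", prob_reduction=1)]),
        RiskEntry("Power supply", "power failure",
                  Rating(2, "two outages in the last three years"),
                  Rating(2, "servers in the cloud; only the office stops"),
                  [Safeguard("UPS on network equipment", impact_reduction=1)]),
    ]

if __name__ == "__main__":
    reg = build_sample_register()
    for key, v in summarise(reg).items():
        print(key, v)
    print("missing justifications:", missing_justifications(reg))
```

Run it and the ERP entry drops from an inherent 20 (high) to a residual 6 (low) once MFA, EDR and tested offline backups are counted, while the contracts entry is reported for its empty impact justification before anyone writes the SoA.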
Months 5-8 · control implementation
This is the longest phase because it means technically deploying controls. Typical workstreams: identity management (user catalogue, universal MFA, quarterly privilege review), endpoint hardening (EDR, full-disk encryption, USB control), incident management (logging, classification, communication, lessons learned), supplier management (security contractual clauses, SaaS inventory, annual review), training and awareness (quarterly campaigns, phishing drills, attendance evidence), tested backups (3-2-1 rule with documented restoration test) and business continuity (BIA, contingency plan, annual exercises).
Month 9 · internal audit
The internal audit is mandatory before the external one and must be executed by qualified personnel independent from the ISMS. A small SME usually contracts it externally to another consultant or to a pool of internal auditors. Findings are documented as minor or major non-conformities and closed with corrective action plans before month 11.
Month 10 · management review
Formal committee meeting with general management. The review covers: context changes, internal audit findings, ISMS indicators, incidents of the year, control effectiveness, required resources and improvement decisions. A signed minute is documented. Without this minute, no external audit is worth attempting.
Months 11-12 · external certification audit
The external audit has two phases. Phase 1 is documentary: the auditor reviews policies, scope, SoA, risk analysis, management review minute and audit programme. It typically lasts 1-2 days. Phase 2 is implementation: the auditor visits the site, interviews staff, audits specific controls by sampling. For a 30-person SME it typically lasts 2-3 days.
Closing minor non-conformities must be completed in 60-90 days. The certificate is issued after this closure and is valid for 3 years with annual surveillance audits.
Realistic budget: where the money goes
The breakdown below corresponds to a 30-person SME, single site, standard scope. The figures are 2026 market ranges verified against closed projects in Castilla y Leon and central Spain.
| Line item | Minimum | Maximum | Comment |
|---|---|---|---|
| External implementation consulting | 9,000 EUR | 18,000 EUR | 50-100 senior consultant hours. Covers ISMS design, risk analysis, SoA and internal training. |
| Internal audit (different consultant) | 1,500 EUR | 3,000 EUR | Mandatory and must be independent. 2-3 auditor days. |
| External certification audit (body) | 3,500 EUR | 6,500 EUR | AENOR, Bureau Veritas, SGS or LRQA. Includes phase 1 + phase 2 + issuance. |
| Training and awareness (annual) | 900 EUR | 2,500 EUR | Phishing and training platform + one in-person executive session. |
| Additional technical tools | 0 EUR | 8,000 EUR | Depends on whether M365 E5 is already in place. Corporate password manager, EDR if not included, optional GRC tool. |
| Internal hours (imputed cost) | 3,000 EUR | 10,000 EUR | 200-400 hours of internal staff (security officer + committee + technicians). |
| TOTAL year 1 | 17,900 EUR | 48,000 EUR | Real median in a Castilla y Leon SME: 24,000 EUR. |
From year 2 onwards recurring costs are lower: annual body surveillance audit (1,800-3,000 EUR), training (900-2,500 EUR) and internal maintenance hours (100-200 hours). At year 4, when the cycle renews, the full certification audit is paid again.
The 10 mistakes that delay or sink certification
From the projects I have supported and those colleagues in the sector have shared with me, these are the mistakes that appear time and again. Knowing them before you start saves 3-6 months of calendar.
1. Closing scope too late
Starting to draft procedures in month 3 without having decided whether the HR department or the Valladolid site is in. When in month 7 the decision excludes them, 12 procedures must be rewritten.
2. Appointing as security officer someone without authority
Naming the most willing systems technician but without capacity to say "no" to a salesperson who wants to skip a supplier onboarding. Without real authority the ISMS becomes a paper file.
3. Buying tools before having the policy
Acquiring a 12,000 EUR GRC tool in month 2 without having decided what it is going to measure. Result: 8 months parameterising a tool that does not fit.
4. Doing the risk analysis in a week
Solving MAGERIT with a 40-row spreadsheet and gut ratings. The auditor spots it in 15 minutes: they will ask for the justification of each rating and there will be none.
5. Supplier policy without a SaaS inventory
Drafting a wonderful policy without having inventoried the 35 SaaS tools the company uses. On audit day the auditor asks about the contract with Slack and nobody knows where it is.
6. Backups without a restoration test
Having backups that have never been restored. The auditor asks for documented evidence of the last real restoration. If it does not exist it is a major non-conformity.
7. Mandatory training without attendance evidence
Emailing a PDF and assuming staff have read it. Without formal acknowledgement (signature or platform record) there is no evidence. Almost automatic minor non-conformity.
8. A security committee that does not meet
Constituting the committee in month 2 and not convening it until month 10. The auditor asks for the minutes of intermediate meetings. There are none. Major non-conformity.
9. Management review as a mere formality
A half-page management review minute signed the day before the external audit. The auditor asks the CEO about two decisions in the minute and the CEO does not remember them.
10. Not testing the continuity plans
Having a beautiful 30-page contingency plan that has never been executed, not even as a drill. The auditor asks for the report of the last exercise. If it does not exist, major finding.
Three typical Spanish SME cases
Case A · DO Ribera del Duero winery, 18 employees
Scope limited to administrative processes, wine ERP and e-commerce platform. Driver: a clause from a Belgian importer client requiring the certificate. Real duration: 11 months. Total cost: 19,800 EUR. Grant applied: Kit Consulting segment II (5,400 EUR). Net cost: 14,400 EUR. Audit with LRQA. Certificate obtained on the first attempt with three minor non-conformities closed in 45 days.
Case B · law firm, 42 employees, 2 sites
Full scope: firm with two sites (Burgos and Valladolid), cloud document management, confidential case files. Driver: tenders with the Junta de Castilla y Leon where the ENS required an equivalent framework. Real duration: 14 months (4 extra months due to integration with ENS MEDIUM category). Total cost: 38,500 EUR. Audit with AENOR. Simultaneous ISO 27001 certification and ENS MEDIUM declaration of conformity.
Case C · automotive auxiliary components industrial SME, 78 employees
Scope: Aranda de Duero plant, workshop, technical offices, sales department. Driver: pressure from Renault and Stellantis, which are starting to require ISO 27001 in tier-2 suppliers. Real duration: 13 months. Total cost: 46,200 EUR (including deployment of the SentinelOne EDR that was not in place). Audit with Bureau Veritas. Certificate obtained with five minor non-conformities.
Public funding and grants that apply in 2026
Four sources of co-financing are available for an SME starting ISO 27001 in 2026.
Kit Consulting 2026 (segment II · Cybersecurity). Up to 6,000 EUR in specialised consulting hours. It is the easiest one to apply to ISO 27001. Requested via the Red.es electronic site and the company must be registered as a digital adviser or work with an accredited one.
Kit Consulting 2026 (segment V · Digital Transformation). Up to 9,000 EUR more if the project fits within a broader digital transformation. Both segments can be combined in the same company if the scope justifies it.
CDTI aids for digital transformation of industry. Recurring call with non-refundable funding of 35% for technology investments associated with industrial digitalisation plans. ISO 27001 counts as eligible spend.
CCN-CERT free support programme. Free official tools: PILAR for risk analysis, CLARA for hardening verification, ANA for advanced incident analysis, microCLOUD for secure management of small infrastructures. Their use is fully valid as evidence before an ISO 27001 accredited auditor.
Metrics the auditor will look at on day one
An SME that reaches the external audit with these seven documented and up-to-date indicators halves the probability of non-conformities.
- Percentage of staff with security training completed in the last 12 months (target: 100%).
- Number of security incidents logged, classified and closed.
- Mean time to respond (MTTR) to incidents from detection to closure.
- Percentage of privileged accounts reviewed in the last quarter.
- Result of the last backup restoration drill (date + observed RPO/RTO).
- Number of critical suppliers reviewed against the total inventory.
- Signed minute of the last management review with commitments and deadlines.
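The script below is an added example for this article, not the author's tool nor any auditor's software: it derives the seven indicators above from the kind of records an SME already keeps (training log, incident log, account reviews, restore drills, supplier inventory, management review minute) and flags the ones below target. All records are constructed sample data, the field names are assumptions, and the reference date is fixed so the figures are reproducible.

```python
"""The seven audit-day indicators computed from an SME's own records.

Added example for this article, not the page author's tool nor any
auditor's checklist software. Every record below is constructed sample
data and the field names are assumptions; the reference date is fixed so
the figures are reproducible offline.
"""
from datetime import date, datetime, timedelta

TODAY = date(2026, 6, 30)  # fixed reference date (assumption)

def training_completion_pct(staff, today=TODAY):
    """% of staff whose last security training falls within the last 12 months."""
    cutoff = today - timedelta(days=365)
    done = sum(1 for s in staff if s["last_training"] and s["last_training"] >= cutoff)
    return round(100 * done / len(staff), 1)

def incident_summary(incidents):
    """Logged and classified-and-closed counts, plus MTTR in hours (detection to closure)."""
    closed = [i for i in incidents if i["closed_at"] and i["category"]]
    hours = [(i["closed_at"] - i["detected_at"]).total_seconds() / 3600 for i in closed]
    return {
        "logged": len(incidents),
        "classified_and_closed": len(closed),
        "mttr_hours": round(sum(hours) / len(hours), 1) if hours else None,
    }

def privileged_review_pct(accounts, today=TODAY):
    """% of privileged accounts reviewed in the last quarter (91 days assumed)."""
    cutoff = today - timedelta(days=91)
    priv = [a for a in accounts if a["privileged"]]
    reviewed = [a for a in priv if a["last_review"] and a["last_review"] >= cutoff]
    return round(100 * len(reviewed) / len(priv), 1) if priv else None

def last_restore_drill(drills):
    """Most recent restoration test with its observed RPO/RTO, or None if never done."""
    return max(drills, key=lambda d: d["date"]) if drills else None

def supplier_review(suppliers):
    """Critical suppliers reviewed against the full supplier/SaaS inventory."""
    crit = [s for s in suppliers if s["critical"]]
    return {"critical_reviewed": sum(1 for s in crit if s["reviewed"]),
            "critical_total": len(crit), "inventory_total": len(suppliers)}

def management_review_ok(minute):
    """Signed minute whose commitments each carry an owner and a deadline."""
    return bool(minute["signed"]) and bool(minute["commitments"]) and all(
        c.get("owner") and c.get("deadline") for c in minute["commitments"])

def audit_day_indicators(data):
    """Assemble the seven indicators and flag the ones below target."""
    ind = {
        "training_pct": training_completion_pct(data["staff"]),
        "incidents": incident_summary(data["incidents"]),
        "privileged_reviewed_pct": privileged_review_pct(data["accounts"]),
        "last_restore_drill": last_restore_drill(data["drills"]),
        "suppliers": supplier_review(data["suppliers"]),
        "management_review_ok": management_review_ok(data["minute"]),
    }
    checks = [
        (ind["training_pct"] < 100, "training below 100% target"),
        ((ind["privileged_reviewed_pct"] or 0) < 100, "privileged accounts not fully reviewed this quarter"),
        (ind["last_restore_drill"] is None, "no documented restoration test"),
        (ind["suppliers"]["critical_reviewed"] < ind["suppliers"]["critical_total"], "critical suppliers pending review"),
        (not ind["management_review_ok"], "management review minute incomplete"),
    ]
    ind["flags"] = [msg for cond, msg in checks if cond]
    return ind

def sample_records():
    """Constructed records for a small SME (not real data)."""
    d, dt = date, datetime
    return {
        "staff": [{"name": "A", "last_training": d(2025, 11, 15)}, {"name": "B", "last_training": d(2026, 2, 1)},
                  {"name": "C", "last_training": d(2025, 7, 10)}, {"name": "D", "last_training": d(2025, 3, 5)}],
        "incidents": [
            {"id": 1, "category": "phishing", "detected_at": dt(2026, 3, 2, 9), "closed_at": dt(2026, 3, 3, 9)},
            {"id": 2, "category": "lost laptop", "detected_at": dt(2026, 4, 10, 10), "closed_at": dt(2026, 4, 10, 16)},
            {"id": 3, "category": "", "detected_at": dt(2026, 6, 28, 8), "closed_at": None},  # still open
        ],
        "accounts": [{"user": "admin1", "privileged": True, "last_review": d(2026, 5, 15)},
                     {"user": "admin2", "privileged": True, "last_review": d(2026, 4, 2)},
                     {"user": "svc-erp", "privileged": True, "last_review": d(2026, 1, 20)},
                     {"user": "sales1", "privileged": False, "last_review": None}],
        "drills": [{"date": d(2025, 12, 1), "rpo_hours": 24, "rto_hours": 6},
                   {"date": d(2026, 5, 20), "rpo_hours": 24, "rto_hours": 4}],
        "suppliers": [{"name": "M365", "critical": True, "reviewed": True},
                      {"name": "ERP vendor", "critical": True, "reviewed": True},
                      {"name": "Backup SaaS", "critical": True, "reviewed": False},
                      {"name": "Slack", "critical": False, "reviewed": False},
                      {"name": "Design tool", "critical": False, "reviewed": False}],
        "minute": {"signed": True, "date": d(2026, 6, 10),
                   "commitments": [{"text": "deploy MFA on VPN", "owner": "IT manager", "deadline": d(2026, 9, 30)}]},
    }
```

Calling `audit_day_indicators(sample_records())` on this data reports 75% training completion, two incidents classified and closed with an MTTR of 15 hours, two of three privileged accounts reviewed this quarter and one critical supplier still pending, which is exactly the list of gaps to close before the auditor walks in.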
Key differences between ISO 27001:2013 and the 2022 version for your implementation
If a consultancy still pitches you in 2013 mindset, run. The 2022 revision reorganised Annex A into four categories (organisational, people, physical, technological) and reduced the total number of controls from 114 to 93 by merging duplicates. Eleven relevant new controls appear: threat intelligence, security in the use of cloud services, ICT readiness for continuity, monitored physical security, configuration management, information deletion, data masking, data leakage prevention, activity monitoring, web filtering and secure coding.
Three of these new controls have the greatest operational impact on an SME. Threat intelligence (A.5.7) requires at least subscription to a free feed (INCIBE-CERT, CCN-CERT) and a procedure to incorporate intelligence into security decisions. Cloud service security (A.5.23) requires a SaaS inventory, supplier risk assessment and contract with specific clauses. Data leakage prevention (A.8.12) requires technical measures (DLP, USB restrictions, bulk-send control) or documented compensating measures.
The good news for an SME starting now: the 2022 version is designed to fit cloud, MFA and remote work better, which are already the operational reality. Consultancy that only knows the 2013 version will generate procedures anchored in a pre-cloud era and you will have to rewrite them before the next recertification.
How to define scope correctly from month 1
ISMS scope is the most expensive technical decision to revise. Three guided questions help fix it well from day one.
First question: which information asset do you want to protect formally with a certificate? Scope is built backwards from this. If the critical asset is the management ERP, the scope includes the infrastructure that supports that ERP, the people who administer it and the business processes that use it. It does not have to include the marketing team if they do not touch the ERP.
Second question: what boundaries does your company have that the auditor will need to recognise? Physical sites, remote teams, perimeter suppliers, externally hosted cloud platforms. The scope must name them explicitly or they are out. A scope that says "IT services" with no more detail is a scope the auditor will make you rewrite in phase 1.
Third question: what information will NOT be inside? Knowing what you exclude is as important as knowing what you include. An explicit declaration of exclusions (with justification) prevents the auditor from assuming that something is in when it should not be.
The typical format of the scope in the public declaration is 3-6 lines. Example of a DO Ribera del Duero winery: "The ISMS covers the administrative management, digital winemaking and e-commerce processes of Bodega X SL at its Aranda de Duero site, including the sector ERP Vitivin Pro, the Shopify e-commerce platform and corporate Microsoft 365 services. Out of scope are non-digitalised vineyard processes and wine tourism services, managed under separate manuals".
Starter kit: 12 documents you already need by the end of month 3
If you reach the end of the quarter with these 12 documents signed and filed, you are on good rhythm to certify in month 12.
- General information security policy (4-6 pages).
- Access control policy (3-4 pages).
- Acceptable use of IT policy (2-3 pages, aimed at end users).
- Information classification policy (3-4 pages).
- Supplier management policy (3-4 pages).
- Business continuity policy (4-5 pages).
- Incident management procedure (5-6 pages + log template).
- User onboarding and offboarding procedure (3-4 pages + template).
- Change management procedure (3-4 pages + RFC template).
- Backup and restoration procedure (4-5 pages + test log).
- Security officer designation minute signed by management.
- Constituent minute of the security committee with composition and frequency.
No need to invent templates: the CCN-CERT publishes its CCN-STIC 800 series of guides with reusable examples and INCIBE has templates tailored for SMEs. Customising a good template is 4-6 times faster than writing from scratch.
Final balance: ISO 27001 in 2026 as competitive advantage
Twelve months ago an SME could compete in many public and private tenders without ISO 27001. In twelve months it will be very rare. The combined pressure of the new ENS, NIS2, DORA and supply chain demands has compressed the timeframe in which the certificate becomes a normal cost of doing business in Spain. Companies that anticipate close 2026 with a certificate in hand and price it as part of their commercial offer; those who delay it discover in the second half of the year that they have lost three tenders for not having it.
The figures of this article confirm that the project is reachable: between 18,000 and 30,000 EUR net cost for an SME of 20-50 employees, 12 months of calendar with disciplined execution, and a result that converts directly into commercial differentiation. The economic logic is favourable: a single won tender worth 60,000-150,000 EUR usually amortises the certification investment in the first year of contract.
The recommendation is not to start without a clear roadmap: the lost months come from improvisation, not from the standard itself. Three weeks of planning with a senior consultant before signing the first invoice prevents the most expensive mistakes. From there, the project is methodical: scope, policy, risks, controls, internal audit, management review, external audit. Twelve months. Reasonable budget. Tangible advantage.
Author: Ángel Ortega Castro · independent consultant in strategy, compliance and digitalisation for Spanish SMEs and public administrations. Aranda de Duero (Burgos) · Castilla y León.