ISO 27001 Policies for UK SMEs

16 cert-ready policies drafted for your business — not generic templates you have to rewrite. Rollout in days, not months.


ISO 27001 Core Set pack

16 policies · £400 one-off

Lifetime access · no renewal · bespoke to your business


What is ISO 27001?

ISO 27001 is the international standard for information security management. It's the certification UK enterprise buyers, financial services clients, and public-sector procurement teams expect before they'll trust you with their data. The current version is ISO 27001:2022, which restructured the Annex A controls into four themes — organisational, people, physical, and technological.

Certification requires a documented Information Security Management System (ISMS) — a set of policies, procedures, risk assessments, and evidence records that prove you run security as an ongoing discipline, not a one-off exercise. The policy layer is the foundation: auditors read every policy and test whether your day-to-day operations match what the policy says.

Who needs ISO 27001?

  • UK SaaS and tech companies — it's the default expectation in enterprise RFPs and vendor risk questionnaires.
  • Outsourced service providers handling customer data on behalf of regulated industries (financial services, healthcare, legal).
  • UK managed service providers (MSPs) — increasingly required by insurers and by customers' own compliance teams.
  • Scale-ups pursuing Series A or later — due diligence almost always asks for ISO 27001 or a committed roadmap to it.
  • Public sector suppliers — frequently required alongside Cyber Essentials Plus for contracts above certain thresholds.

Policies you need for ISO 27001

The 2022 standard doesn't prescribe an exact list of policies — it lists controls in Annex A and expects you to document your approach to each one. In practice, most UK SMEs maintain the following 16 policies, all of which are included in our ISO 27001 Core Set pack (the Annex A or clause references beside each show what the policy evidences):

  • Information Security Policy: the top-level policy signed by leadership. Required by Clause 5.2.
  • Access Control Policy: Annex A 5.15–5.18. Joiner/mover/leaver, privileged access, MFA.
  • Acceptable Use Policy: Annex A 5.10. What employees can and can't do with company assets.
  • Cryptography Policy: Annex A 8.24. Approved algorithms, key management, TLS standards.
  • Incident Response Policy: Annex A 5.24–5.28. Detection, triage, containment, ICO notification.
  • Supplier Security Policy: Annex A 5.19–5.22. Third-party risk, contractual requirements.
  • Data Classification Policy: Annex A 5.12–5.14. How you label, handle, and dispose of data.
  • Business Continuity Policy: Annex A 5.29–5.30. Recovery objectives, test cadence.
  • Change Management Policy: Annex A 8.32. Approvals, rollback, separation of environments.
  • Secure Development Policy: Annex A 8.25–8.31. SDLC, code review, secure testing.
  • Physical Security Policy: Annex A 7.1–7.14. Office, clear desk, asset disposal.
  • HR Security Policy: Annex A 6.1–6.8. Screening, training, leaver process.
  • Asset Management Policy: Annex A 5.9–5.11. Inventory, ownership, acceptable use of assets.
  • Remote Working Policy: Annex A 6.7. Home/hybrid working controls, BYOD, network standards.
  • Backup Policy: Annex A 8.13. Frequency, retention, restore testing.
  • Risk Management Policy: Clause 6.1 + 8.2–8.3. Risk assessment methodology and treatment.

Realistic timeline to certification

Most UK SMEs reach Stage 2 certification in 4–6 months from day zero. PolicySuite compresses the policy-drafting phase from the traditional 6–12 weeks to 48 hours.

  1. Week 1: Scope + risk assessment. Buy the ISO 27001 Core Set, answer the structured questions, get 16 bespoke policies out in 48 hours.
  2. Week 2–3: Distribute policies, collect acknowledgements (built into PolicySuite), update infrastructure to match.
  3. Week 4–8: Evidence collection — logs, training records, supplier reviews, incident drills.
  4. Week 9–12: Internal audit + management review (both required by the standard).
  5. Week 13–16: Stage 1 audit (documentation review).
  6. Week 17–24: Stage 2 audit (operational audit) → certificate issued.

Frequently asked questions

What policies does ISO 27001 actually require?

ISO 27001:2022 requires a documented ISMS plus the applicable controls from Annex A. In practice, auditors expect around 14–20 documented policies covering information security, access control, acceptable use, cryptography, incident response, supplier management, data classification, business continuity, change management, secure development, physical security, HR security, asset management, and risk management.

How long does ISO 27001 certification take for a UK SME?

A realistic timeline for a 10–50-person UK SME is 3–6 months from policy rollout to Stage 1 audit, plus 1–2 months between Stage 1 and Stage 2. Policy drafting is typically the slowest phase — PolicySuite compresses that to 48 hours.

Do I need ISO 27001 or is Cyber Essentials enough?

Cyber Essentials is mandatory for UK government contracts and a good baseline. ISO 27001 is expected by enterprise buyers, financial services clients, and any customer with a vendor-risk questionnaire. Many UK SMEs do Cyber Essentials first, then ISO 27001 within 6–12 months. See our Cyber Essentials framework page.

Can I use ISO 27001 policy templates instead of writing my own?

Yes — but generic templates usually fail audit because auditors spot boilerplate immediately and then test whether your day-to-day operations actually match it. PolicySuite policies are generated from structured questions about your business (size, sector, data types, infrastructure), so they read as bespoke rather than boilerplate.

What does the ISO 27001 Core Set pack include?

16 professionally drafted policies covering the core Annex A 2022 control areas — full list above. Lifetime access, bespoke to your organisation, editable in your admin console.

How much does ISO 27001 certification cost in the UK?

Certification-body audit fees for a UK SME typically run £5,000–£15,000 depending on scope and headcount. Add consultant fees (£5,000–£30,000 if outsourced) or internal time. PolicySuite's ISO 27001 Core Set pack replaces the policy-drafting portion entirely — live price shown at the top of this page.

Start your ISO 27001 policy rollout today

Get 16 bespoke ISO 27001 policies ready in 48 hours — lifetime access, no renewal.
