SMEs are pouring budgets into certification before building the foundations that actually reduce risk. Here's why the math rarely works — and what to do instead.
Every few months, a CTO or IT head asks some version of the same question: "We're being pushed toward ISO27001 — our enterprise client wants it, our insurer is asking for it, our board saw it in a board deck. Should we just do it?"
My answer is almost always the same: it depends entirely on whether you're buying security or buying a certificate.
Those are not the same thing. And at €50K–€80K for a mid-market SME going through a full ISO27001 implementation with a consulting firm, you'd better be crystal clear on which one you need, and why.
The €50K Question Nobody Asks Out Loud
Let's be direct about what that budget actually buys you in a typical SME ISO engagement:
A gap assessment. A risk register you'll populate once and mostly forget. A set of policies your staff won't read. A Statement of Applicability your auditor will scrutinize. Six to twelve months of consultant hours translating framework language into internal procedures. An audit. A certificate.
Then: renewal cycles. Surveillance audits. Ongoing consultant retainers to keep the ISMS "alive."
None of that is inherently bad, and it can lead to some improvements, but those improvements are neither targeted nor specific to your business or its needs. Here's the uncomfortable question: did any of those activities meaningfully reduce the likelihood or impact of a breach?
For many SMEs, the honest answer is: not really or not proportionally to the spend.
The IBM Cost of a Data Breach report puts the global average cost of a data breach in 2025 at $4.44 million. Put it as a question instead: how long can your business survive offline? Meanwhile, the most common entry points — misconfigured cloud storage, unpatched endpoints, phishing, overprivileged identities — are not ISO27001 problems. They are operational hygiene problems. And €50K in ISO consulting doesn't fix your S3 bucket permissions.
The Compliance Trap
Here's the real trap: compliance is a snapshot. Security is a posture.
ISO27001 is designed to prove, at a point in time, that you have a management system for information security. It doesn't prove your controls work. It doesn't prove your cloud environment isn't misconfigured right now. It proves you have documentation and a process for reviewing documentation.
That's not cynicism; that's the architecture of the standard. Clause 6 is about planning and risk assessment. Annex A maps 93 controls. But there's no requirement that those controls are actually effective. There's no continuous verification. The auditor will check your policies; they won't run your cloud scanner.
The moment you leave the audit room, the clock starts ticking on drift.
For an enterprise client demanding ISO27001 from their SME supplier, the certificate provides contractual comfort. For the SME itself, the question is whether that comfort is earned or performed.
When €50K Does Make Sense
I'm not saying don't pursue ISO27001. I'm saying be honest and sure about what you're buying.
The investment makes clear business sense when:
You're selling into regulated sectors. If your primary clients are in financial services, healthcare, or the public sector in the EU, ISO27001 is often a procurement gate, not a preference. In that case, the certification cost is a cost of revenue, not a security investment. Model it that way.
You're preparing for DORA, NIS2, or an acquisition. ISO27001 shares significant overlap with many frameworks. Done right, it becomes your evidence base. Done wrong, it's parallel documentation that maps to nothing real.
You already have baseline controls in place. This is the one most SMEs miss. ISO27001 is a management layer on top of technical controls — not a replacement for them. If you don't already have MFA enforced, cloud posture managed, endpoints under policy, and a patching cadence — the ISMS you're building is a governance facade on top of an insecure foundation.
The Alternative Math
What does €50K actually buy in direct security controls?
- A cloud security posture management (CSPM) platform covering your AWS, Azure, or GCP environment: €8K–€15K/year
- Endpoint detection and response (EDR) for 50–100 seats: €10K–€18K/year
- A vCISO engagement with quarterly reviews, roadmap ownership, and incident readiness: €18K–€30K/year
- Phishing simulation and security awareness training: €3K–€6K/year
That's roughly the same budget. Those controls actively reduce your attack surface every day. And increasingly, platforms that combine cloud scanning with automated framework mapping — ISO27001, CIS, NIS2 — let you build toward compliance as a by-product of improving security posture, not the other way around.
The certificate follows the work. Not the other way around.
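To make "what the scanner sees" concrete, here is an added example (written for this article, not CloudSoul's product or any real CSPM) of the kind of check such a platform runs: it parses a constructed snapshot of bucket policies and identities, flags the three hygiene problems named above (a publicly readable bucket, an identity with wildcard permissions, an account without MFA), and tags each finding with the Annex A controls it relates to. The control mapping is illustrative and should be checked against your own Statement of Applicability; the snapshot format, bucket and identity names are invented for the example.

```python
"""Posture check over a constructed cloud snapshot, with findings mapped to controls.

Added example for this article; not CloudSoul code and not a real CSPM export format.
"""
import json
from collections import defaultdict

# Illustrative mapping from finding type to ISO/IEC 27001:2022 Annex A controls.
# Assumption: adjust this to whatever your own SoA actually lists.
CONTROL_MAP = {
    "public-bucket": ["A.5.15 Access control", "A.8.3 Information access restriction"],
    "wildcard-identity": ["A.5.15 Access control", "A.5.18 Access rights"],
    "mfa-not-enforced": ["A.8.5 Secure authentication"],
}

# Constructed snapshot standing in for a scanner export (names and ARNs are made up).
SNAPSHOT_JSON = r'''{
  "buckets": [
    {"name": "customer-exports", "policy": {"Statement": [
      {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"name": "partner-feed", "policy": {"Statement": [
      {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::partner-feed/*",
       "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000example"}}}]}},
    {"name": "internal-logs", "policy": {"Statement": [
      {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::000000000000:role/log-writer"},
       "Action": "s3:PutObject", "Resource": "arn:aws:s3:::internal-logs/*"}]}}
  ],
  "identities": [
    {"name": "ci-deployer", "mfa": true, "policies": [{"Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"name": "alice", "mfa": false, "policies": [{"Statement": [
      {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal-logs/*"}]}]},
    {"name": "bob", "mfa": true, "policies": [{"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::internal-logs/*"}]}]}
  ]
}'''


def load_snapshot():
    """Parse the constructed snapshot; a real scanner would pull this from the cloud API."""
    return json.loads(SNAPSHOT_JSON)


def _as_list(value):
    """Policy documents allow a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" anywhere in a principal list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_public_statement(stmt):
    """An Allow to a wildcard principal with no Condition is reachable by anyone.

    A Condition (e.g. aws:SourceVpce) is treated as scoping the grant, so it is not
    flagged here; a stricter scanner would inspect the condition keys themselves."""
    return (stmt.get("Effect") == "Allow"
            and principal_is_wildcard(stmt.get("Principal"))
            and not stmt.get("Condition"))


def has_wildcard_action(stmt):
    """An Allow whose Action is "*" or "<service>:*" grants far more than any role needs."""
    actions = _as_list(stmt.get("Action", []))
    return stmt.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions)


def scan(snapshot):
    """Return a list of findings, each tagged with the controls it maps to."""
    findings = []
    for bucket in snapshot["buckets"]:
        statements = bucket.get("policy", {}).get("Statement", [])
        if any(is_public_statement(s) for s in statements):
            findings.append({"kind": "public-bucket", "resource": bucket["name"],
                             "controls": CONTROL_MAP["public-bucket"]})
    for ident in snapshot["identities"]:
        statements = [s for p in ident.get("policies", []) for s in p.get("Statement", [])]
        if any(has_wildcard_action(s) for s in statements):
            findings.append({"kind": "wildcard-identity", "resource": ident["name"],
                             "controls": CONTROL_MAP["wildcard-identity"]})
        if not ident.get("mfa", False):
            findings.append({"kind": "mfa-not-enforced", "resource": ident["name"],
                             "controls": CONTROL_MAP["mfa-not-enforced"]})
    return findings


def by_control(findings):
    """Invert the findings into control -> affected resources: compliance evidence as a by-product."""
    grouped = defaultdict(list)
    for finding in findings:
        for control in finding["controls"]:
            grouped[control].append(finding["resource"])
    return dict(grouped)


if __name__ == "__main__":
    results = scan(load_snapshot())
    for f in results:
        print(f"{f['kind']:<18} {f['resource']:<18} {', '.join(f['controls'])}")
    print(json.dumps(by_control(results), indent=2))
```

Run as-is, it reports the public customer-exports bucket, the wildcard ci-deployer identity and alice's missing MFA, and leaves partner-feed (wildcard principal, but scoped by a condition) and bob alone. The inverted view at the end is the point of the passage above: once the findings exist, the per-control evidence an auditor asks for falls out of the same data, rather than being written separately.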
What CloudSoul Is Seeing in the Market
At CloudSoul, we work with SMEs who are exactly at this crossroads. The conversation we hear most often is: "We got a questionnaire from a new enterprise client asking about our ISO status, and now we're being pushed to spend."
That's the wrong starting point. Our approach is to start with your real environment: scan your cloud posture, benchmark against your industry, build a prioritized roadmap of what actually needs fixing and in what order, and then map that work to framework controls automatically. You don't need to choose between security and compliance. You need to sequence them correctly.
The €50K question transforms when you ask it differently: "How do I build security that happens to make compliance easier?" vs. "How do I buy compliance and hope security follows?"
One of those questions has a clear ROI. The other has a renewal invoice.
The Honest Bottom Line
ISO27001 is a legitimate, well-designed standard. The problem isn't the standard — it's the market dynamic that turns it into a checkbox purchase for SMEs with no security foundation and a client deadline breathing down their neck.
Before you sign a consulting engagement for ISO, pressure-test three things:
1. What's your actual threat surface? Do you know what your cloud environment looks like right now, today? Not what the policy says — what the scanner sees.
2. What's driving the timeline? If it's an internal or client requirement, can you satisfy it with a roadmap showing active security improvement rather than just a certificate?
3. What happens on day 366? Who maintains the ISMS after the consultants leave? If the answer is "nobody," you've bought a frame without a painting.
Security that matters doesn't start with a certificate. It starts with knowing what you're actually protecting, where your gaps are, and what to fix first.
The certificate can come later. And when it does, it'll mean something.
