Is your startup too small for ISO 27001? Three triggers to start now
Last Updated On: Jun 19, 2026

ISO 27001 has no minimum size requirement, and even a sole trader can get certified. The real question is not whether you are large enough, but whether you need to do it now or can still wait. And nine out of ten founders ask that question too late.

A traditional ISO 27001 project takes six to twelve months. The moment a founder thinks "we need to sort this out" usually coincides with the moment an enterprise client asks for it in a contract. Work backwards from that moment and it means you are risking a five-figure deal or more simply because the timing does not work out. That is why this article exists: no vague "it depends", but three concrete triggers that tell you to start now, and three scenarios where waiting genuinely makes sense.

Three triggers that say: start now

Trigger 1: A customer has it in a questionnaire

Not "a prospect mentioned it". Not "someone wrote about it on LinkedIn". But: a lead you want to win has ISO 27001 listed in a security questionnaire or RFP. This is the signal that the market around you is shifting.

In practice, we often see founders wanting to answer the first questionnaire themselves. It is a tedious and time-consuming task, but also a manageable one. Most questions are answered to the best of their knowledge, others are cleverly sidestepped or interpreted differently than intended, and some are answered in whatever way avoids losing the deal on the spot. Sometimes this is enough, but increasingly it is followed by a critical conversation with the lead, a request for evidence, or even an audit. Then you fall into the gap between "we do our best" and "we can prove it".

Trigger 2: You have enterprise or international ambitions within 12 months

Enterprise procurement departments work with approved supplier lists. ISO 27001 is almost always on there as a requirement or as a strong plus. If you want to land large logos in year 2 or 3, your certificate needs to be in place in year 1.

The same applies to international expansion. ISO 27001 is recognised worldwide. If you open a commercial channel in Germany this year, for example, the certificate prevents you from having to write a standardised explanation of your security for every new market.

Trigger 3: You process sensitive data or work in a regulated sector

Here you do not need to wait for customer requests. If you process medical data, financial data or personal data at scale, or if you serve customers in banking, healthcare, defence or government, it is not a question of "if" but "when". Legal and contractual requirements arrive sooner or later. NIS2 suppliers will face contractual security requirements from 2026, and DORA requires financial institutions to contractually assess their ICT suppliers.

In these sectors, a data breach is not just a PR problem but a business-threatening incident. Not having ISO certification before entering conversations is a direct disqualification.

Three scenarios where waiting is fine

Scenario 1: You have not yet reached product-market fit

If your product changes fundamentally every month and your target customer is not yet established, a management system is premature. ISO 27001 requires repeatable processes that you document and demonstrably follow. When your way of working is reinvented every week, that is impossible. Invest in product and growth first. Reconsider once you see repeating patterns in how you work and which customers you sell to.

Scenario 2: You barely process sensitive data and your market does not ask for it

A B2C recipe app, an internal tool for your own team, a marketing service that stores no customer data. In these situations the risk profile is low and the market is not demanding the certification. Basic security measures are sufficient: MFA, encryption, a password manager, regular backups. No ISMS, no audit, no certificate.

Scenario 3: Your team is smaller than four and you have no spare capacity

For teams of two or three people, the time investment weighs relatively more heavily. The same steps as for a team of twenty must be completed, but there is nobody to assign them to alongside their primary work. If you prefer to work according to ISO 27001 principles (policies, access management, incident logging) without the formal certification process at this stage, that is a valid option. It gives you structure and a head start for when the timing is right. Even if you work solo, certification is achievable. You take on more responsibility, but we guide you through it.

The numbers you need to know

For a Dutch startup of up to around 50 employees, the total ISO 27001 costs in the first year are usually between €10,000 and €30,000. The external audit accounts for €3,500 to €7,000 of that, with the rest going to tooling, guidance and internal time. The annual surveillance audit costs roughly a third of the initial one. After three years, the recertification audit follows, which is comparable in cost to the initial audit.

Project timeline: traditional approach, six to twelve months. With Tidal: 90 days. The more that is already implicitly in place (MFA, policies, access management), the faster you move.

The mistake founders almost always make

Waiting until the first customer asks and then starting in a panic. It happens more often than you think. A founder I spoke to recently summed it up: "We thought we only needed it when they asked for it. By the time they asked, the deal was already half gone."

The solution is not to build an ISMS at the moment you incorporate. It is to take action at the first signs of Trigger 1 or 2, even if the customer request is not yet firm. At that point you still have room for a pragmatic project rather than a rushed one. The difference between "we are working on it" and "we have it sorted" is partly determined by how much pressure exists when you start.

How Tidal Control supports startups

Tidal Control offers pre-built controls and policy templates for ISO 27001, with mapping to SOC 2, NIS2 and GDPR. The platform automatically collects evidence via integrations with Microsoft Azure, AWS, Google Cloud, GitHub, GitLab, Jira and many more tools. For a startup of up to around 50 employees, that means a timeline of 90 days instead of 6 to 12 months, and an internal time investment limited to a few hours per week.

Choosing a platform is a trade-off between direct costs and time saved. A concrete example: an ISO 27001 project for a startup of up to 25 FTE can be done using our platform yourself in 10 to 15 working days, or with one of our consultants in less than half the time. On top of that, Tidal offers a certification guarantee with this combination.

Want to know whether ISO 27001 makes sense for your startup?

Before you decide, you want to know where you stand. Which controls do you already have implicitly in place? Which are missing? How far are you from a first audit, and on what timeline is that realistic?

Take the free Quickscan and get a first picture of your position and the logical next steps in five minutes. No sales call, no obligations.

Frequently asked questions

Is there a minimum team size for ISO 27001?

No. The standard is scalable and has no minimum size requirement. Even a sole trader can get certified. For teams of fewer than four people, the relative time investment is heavier because the same steps still need to be completed. In that situation you are better off working according to ISO 27001 principles and postponing formal certification until you are slightly larger.

What does ISO 27001 cost for a Dutch startup?

For a startup of up to 50 employees, total costs in year 1 are usually between €8,000 and €15,000: €3,500 to €7,000 for the external audit, plus tooling, any guidance and internal time. Surveillance audits in years 2 and 3 cost roughly a third of the initial audit. Working with a platform instead of spreadsheets saves 150 to 300 hours of internal time.

How long does the process take?

90 days with our platform and a pragmatic scope. Six to twelve months if you approach it as a traditional project with consultancy and manual work. The lower bound depends on what is already in place: the more implicit foundation you have (MFA, policies, access management), the faster you move. We have clients who have done it in 6 weeks.

What if a large customer asks for it tomorrow and we have nothing?

Be honest about what you do have: policy documents, MFA, encryption, a Trust Center, an incident response plan. Add a timeline showing that certification is planned within X months. In roughly a third of cases, clients accept this as a bridging solution. An honest answer with a concrete plan lands well; a vague answer does not.

Can ISO 27001 also cover SOC 2 or NIS2?

To a large extent. ISO 27001 covers around 80 percent of SOC 2 controls and the vast majority of NIS2 measure categories. A platform that maintains the mapping prevents duplicate work. If you lay ISO 27001 as a foundation, you can add SOC 2 or NIS2 certification relatively quickly afterwards.