1) there are “automation tools” that do much of the work, but is it manageable for me to do it? 2) there are lighter ones like the Cyber Essentials in the UK; is this recognized internationally?
Thanks
It's a bottomless pit of time and money. All those "automation tools" (e.g., Drata/Vanta) help with 10-20% of the overall workload, and for me, took as many hours to set up as they saved. For ISO27001, your final annual cost will be $20-40k and will eat up 2-4 weeks per year. Implementing and maintaining a compliance program will do nothing to help you discover/solve customer problems or improve your security posture. Doing this work is the equivalent of "I want to do a startup, so I'm learning how to do business registration, taxation, comply with employment laws, and design business cards".
Compliance will waste your already constrained resources, energy, and focus. It will slow you down and has such a negative ROI that you must have significant deals at risk to consider imposing this ongoing tax on your operations. In other words, wait until you're forced to by your customers/prospects.
I've done SOC2 and ISO implementation for a small business.
I would do Cyber Essentials, and then once you’ve done the work for that, Cyber Essentials Plus should be straightforward.
Most large businesses' corporate IT departments realise that ISO certification is not something that small suppliers can do.
I do know of companies that have stopped at Cyber Essentials Plus and had no problems.
One thing I have done previously is to create an IT security policy that is “aligned” with 27001. That can go a long way towards letting people know you take things seriously.
The standard is pretty readable, and all the things it says to do are completely reasonable and things that you should be doing anyway (or at least have a policy around).
My email is in my profile and I’m happy to share my boilerplate security policy with you.