Mini Bundle: ISMS Startup Pack - SME

The Mini Bundle: ISMS Startup Pack - SME offers a practical, end-to-end suite of cybersecurity policies purpose-built for small and medium-sized enterprises seeking ISO/IEC 27001:2022 alignment. Recognizing that SMEs often lack dedicated in-house IT, security, or compliance teams, each policy in this bundle explicitly assigns responsibility and accountability to business roles such as the General Manager, Department Managers, and, where present, designated staff or outsourced IT providers. All policies reference simplified segregation of duties, delegation by the General Manager is supported, but auditability and oversight are preserved at all times to comply with clause 5.3 of ISO/IEC 27001. Included in this SME-focused starter pack are: the Information Security Policy, Governance Roles & Responsibilities Policy, Access Control Policy, Change Management Policy, Risk Management Policy, and Backup and Restore Policy. Each document covers essential operational and technical controls across the information lifecycle, from user access provisioning and risk assessment to change authorizations and business continuity. Common requirements span maintaining central registers (for access and risks), documenting all changes and delegations, ensuring periodic policy reviews, and enforcing compliance with clear consequences for violations or omissions. Of particular note is the consistent approach throughout: each policy mandates mandatory periodic review (annually or after major changes), documented approval of exceptions or incidents by the General Manager, and easy applicability to both internal staff and external service providers, making them enforceable regardless of company size. Activities such as system backups, risk monitoring, policy compliance, and user access management are prescribed in a manner compatible with limited in-house capacity. For instance, backup regimes and restore testing are governed by a single accountable person (GM or designee), and risk identification can be performed using simple checklists rather than advanced tools. All policies in this bundle are mapped to major global frameworks and regulations, including ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST SP 800-53 Rev.5, EU NIS2, EU DORA, COBIT 2019, and EU GDPR. Mapping includes clauses such as 5.1–5.3, 6.1, 8.1 for ISO/IEC 27001, relevant controls for ISO/IEC 27002 (e.g., controls 5.2, 5.15, 8.13), and specific articles under GDPR and DORA. These mappings, coupled with plain-language controls and role-specific processes, ensure that not only is SME compliance achievable, but that it is demonstrable to customers, auditors, and regulators alike. The policies are all cross-referenced, each links to related documents within the bundle for a joined-up ISMS implementation for smaller organizations.