SME Security Best Practice


Prepared by a working group of the ISSA (UK), this document sets out recommendations on information security controls for small and medium enterprises (SMEs).

There are already several sources of educational advice for SMEs, but none currently aims to set a standard for information security. This document is intended to serve primarily as a reference document for helping to determine an appropriate level of security for SMEs.

By building on this document, an SME can ensure that good security practices are in place for its specific sector or circumstances, including appropriate educational material for its staff and associates.

ISO/IEC 27001

International security standards, such as ISO/IEC 27001, have been widely adopted by large public and private organisations across the world.

The ISO standard sets out more than 130 individual security controls grouped into 11 key areas. Not all controls have to be implemented, as they can be selected on the basis of a professional risk assessment.

A small or medium sized enterprise will find that such a standard contains many controls that are not relevant or appropriate to its circumstances, but it might occasionally be required by a large customer or business partner to demonstrate its level of compliance. The controls set out in the ISSA-5173 document provide a good start to meeting the key requirements of ISO/IEC 27001, but enterprises will need to carry out a formal risk assessment and 'gap analysis' to establish their level of compliance.

Why should SMEs implement information security?

Many SMEs rely on information systems, both electronic and paper based, for essential business activities such as advertising services, capturing orders, processing payments and maintaining accounts.


Good information security ensures accurate, reliable and uninterrupted operations:

  • It prevents damaging losses from theft of equipment or data.
  • It reduces time wasted in dealing with incidents, such as computer viruses.
  • It helps speed up the recovery time from equipment failures.

With large customers and regulators increasingly demanding better security in supply chains, a good approach to security can help win and retain business. It is already a mandatory requirement for companies that handle sensitive data (concerning customers, employees or citizens) and for retailers that process credit cards. In the longer term, it is likely to become a key part of a company's 'licence to operate' in all sectors that place a value on good information security.

What types of security measures are appropriate?

SMEs cannot be expected to embrace protective measures that are expensive, bureaucratic or demand specialist skills. Security recommendations need to be quick, simple and cheap to apply and maintain; otherwise they will be ignored or fall into disuse. Small enterprises operate with a higher degree of improvisation: they do not employ committees for decision making or consult written policies for guidance.

A good understanding of information security principles and a commitment to apply them are preferable to a hefty tome of documented policies. Physical, technical or administrative safeguards must be easy to operate and require no specialist skills or knowledge, though a small amount of outside expertise can often be beneficial in selecting and installing the most appropriate controls.

Larger SMEs require a degree of formal organisation, but this will certainly not be as extensive as the comprehensive management systems found in large organisations. As the number of employees grows and activities become more structured, there is a greater need for defined security roles, responsibilities and oversight. Similarly, as the supporting infrastructure becomes more extensive and complex, there will be a need for better planning and stricter standards. The need for formal policies, procedures, committees, controls and audits grows with the size of the organisation. Such controls, however, will be regarded as a distracting overhead in small to medium sized organisations.

Finding the right balance between smart improvisation and strict adherence to formal processes is difficult for any SME, especially one that aspires to grow. Priorities and controls will therefore need to change with enterprise size. Control objectives might remain largely the same, but their urgency and affordability will vary. Information security advice, standards and solutions should therefore be tiered to take account of such differences.


The ISSA-5173 standard sets out a typical hierarchy of security controls that are considered to be both appropriate and affordable. In practice, some SMEs will require a higher level of security, depending on security risks, compliance requirements and customer expectations. Where possible, such additional considerations are pointed to in the descriptions. The precise requirements can, however, only be established through a professional assessment of risks, requirements and feasible solutions.

The ideal solution is for SMEs to obtain external, specialist advice to help them strike the right balance. It is recognised, however, that few SMEs are willing and able to invest in such support, and that there is a general shortage of skilled practitioners able to deliver it. The ISSA-5173 best practice therefore provides useful advice to those SMEs that do not wish to employ external advisers, as well as indicating those areas where specialist support will be most beneficial. The standard and its related guidance do not propose to replace or replicate existing resources of use to SMEs. Instead, since few resources exist that are both accessible and understandable, it seeks to provide direction to existing informational resources where appropriate.

This standard is organised into three SME business categories:

  • Micro
  • Small
  • Medium

Each category of organisation then comprises four principles of information security that are relevant to SMEs.

The categories are roughly analogous to the size of the SME, either in terms of staff size or revenue.


The standard was designed with the understanding that SMEs are highly diverse entities. The context and scope of each business is the final determining factor for how much effort needs to be placed into information security measures, and organisation size is only one measure by which this can be assessed. Other factors need to be taken into account, such as the industry the SME operates in, the level of proprietary or personal information that needs to be protected, regulatory exposure, and contractual requirements. While specialist advice can be sought, this is a business decision, and as such the decision as to which principles apply to each individual SME, and how to apply them, lies squarely with the owner and/or managing director.

While the decision on what level of control to apply is the prerogative of the business owner, it is also the case that the business owner is responsible for the security of their business operations. SMEs have a responsibility to their business partners and customers to operate in a safe, secure manner. This is a legal responsibility in many countries, due to measures such as the Data Protection Act, and due to regulations such as PCI. This standard aims to provide accessible guidance that can be tuned to ensure SMEs meet their responsibility and, therefore, sustain their business.


1. Basic Security Measures

  • Owner/Director commitment
  • Understanding obligations
  • Responding to security risks
  • Essential security countermeasures

2. Defined Security Regime

  • Security rules
  • Security responsibilities
  • Disaster survival plan

3. Managed Security System

  • Policies & procedures
  • Management system
  • Security technology
  • Security education


The ISSA-5173 information contained on this web page is licensed under a Creative Commons Attribution ShareAlike 3.0 licence. The copyright holder is ISSA UK.

The draft standard can be accessed from the following link:
