New SME Guide based on ISO/IEC 27002 standard: Essential controls for SMEs to protect user’s privacy and data and ensure GDPR compliance

  • Cyber-attacks continue to rise with ever more data breaches and crippling cybersecurity failures. Yet, measures to safeguard one’s digital assets are becoming more complex and expensive for SMEs to enforce.

  • To address the situation, DIGITAL SME has developed the SBS SME Guide on Information Security Controls to help SMEs reach the essential level of protection via the implementation of cybersecurity standards.

  • Out of the 114 controls presented in the ISO/IEC 27002 standard, the guide presents 16 essential controls that SMEs need to implement to provide adequate protection for their digital assets.

With cyber-attacks becoming more prevalent, there is an increasing need to protect SMEs’ existence and strengthen their resilience. As cyber-attacks become more sophisticated, the requirements for protecting an enterprise’s assets, including personal information, are getting more complex. SMEs suffer the most damage after a cyber-attack, and their chances of recovery and business continuity are smaller than those of big companies. SMEs are nonetheless asked to implement the same kind of protection measures as large companies, which are costly. Their inability to comply with costly requirements puts them in jeopardy and decreases their chances of recovery. This “one-size-fits-all” approach does not help SMEs!

To raise awareness and help SMEs be better protected, a group of Small Business Standards (SBS) and DIGITAL SME experts have developed an SBS guide on implementing security controls, which is based on the ISO/IEC 27002 standard while also addressing other standards. The experts have selected 16 out of 114 controls that shall provide essential protection for an SME and ensure GDPR compliance[1]. The controls cover four main categories:

  • Personal
  • Organisational
  • Partially Organisational/Technical
  • Technical (ICT related)

In addition to raising awareness of cybersecurity, this implementation guide aims to contribute to the ongoing efforts to upgrade the digital intensity of SMEs. Cybersecurity SMEs can use this guide to tailor solutions for non-ICT SMEs and strengthen their security requirements while upgrading their level of digital capabilities. SBS has also published an SME Guide in Information Security Management, based on the ISO/IEC 27001 standard. Together, the two guides can help SMEs implement comprehensive cybersecurity requirements.


Download the SBS SME Guide on Information Security Controls here.


[1] It is advisable to always check the text of the GDPR to ensure full compliance.