The 100-person problem: why ISO 27001 becomes a growth bottleneck

As organisations grow beyond 100 employees, procurement scrutiny increases. LeftBrain CEO Charlie Naughton-Rumbo explains why ISO 27001 implementation is often the answer and why it must be treated as organisational change, not just an IT project.

Charlie Naughton-Rumbo · February 16th 2026

As businesses scale, there is often a moment that catches founders off guard. Everything appears to be working, demand is strong, and the team is growing. And yet, somewhere around the 100-person mark, sales cycles begin to slow. Procurement becomes heavier, security questionnaires get longer, and deals that once moved quickly start to stall.

To understand why this happens and how growing companies can prepare for it, we spoke with LeftBrain CEO Charlie Naughton-Rumbo about the compliance bottlenecks that emerge as organisations scale, and why ISO 27001 is so often at the centre of them.

Why scrutiny increases as organisations scale

Below a certain size, enterprise buyers tend to ask relatively simple security questions. These usually focus on tools and technical controls: what software you use, how you protect data, and who looks after security day to day.

Once a business reaches around 100 employees, the nature of those questions changes.

“As you get to around 100 people, the questions stop being about what tech you have,” Charlie explains. “They start being about your organisation’s approach to managing cyber security risk on an ongoing basis, and what processes you have in place to support that.”

At this point, buyers are no longer assessing IT capability alone. They are assessing organisational behaviour and security. They want to understand how decisions are made, how risk is prioritised, and whether security is embedded into how the business operates.

This is where the difference between governance and IT security becomes clear. The questions being asked are not technical. They are organisational, and they require leadership involvement to answer properly.

The assumptions procurement teams make at this stage

From a procurement perspective, organisational size brings assumptions. A larger company is seen as having a broader risk surface and greater potential impact if something goes wrong. Buyers also assume that a business at this stage has already built some structure around information security governance.

“They look at a larger organisation and assume you should have your ducks in a row already,” Charlie says. “They expect good governance to be built into decision-making, particularly around risk management.”

When those assumptions are not clearly met, confidence drops. Not because something has failed, but because maturity is not yet visible. This gap between what buyers expect to see and what a supplier can evidence is a common reason sales cycles slow down.

It is also where the limitations of relying on IT or an MSP alone often become apparent. An MSP-led approach to ISO 27001 reaches its limits because managed services can support controls, but they cannot create governance, leadership ownership, or organisational change.

“ISO 27001 isn’t there as a tick box”
Charlie Naughton-Rumbo, CEO, LeftBrain

Why ISO 27001 keeps coming up

This is usually the point where founders start hearing about ISO 27001 certification. Sometimes it is named explicitly. More often, buyers ask questions that effectively point towards it without using the term.

“If you took a lot of those procurement questions and ran them through an AI tool, it would basically tell you to implement ISO 27001,” Charlie notes.

That is because ISO 27001 is built around an information security management system (ISMS), not a checklist of tools. ISO 27001 implementation focuses on how an organisation governs security over time, how risk is managed, and how decisions are reviewed and improved.

This is also why ISO 27001 is not an IT project. Successful implementations require leadership involvement, a clear risk management framework, and an organisational approach that reflects how the business actually operates. Without that, ISO 27001 implementations stall or fail altogether.

ISO 27001 as organisational change, not a tick box

One of the most common reasons ISO 27001 fails is that it is treated as a compliance exercise rather than an organisational change programme. When the goal becomes “pass the audit” instead of improving how security decisions are made, progress slows and internal resistance grows.

“The standard isn’t there as a tick box,” Charlie explains. “It’s there to bring maturity in security through the organisation.”

When approached as a governance programme, ISO 27001 goes beyond technical controls. It brings structure to how risk is discussed, how trade-offs are made, and how accountability flows from leadership through the organisation. This is what buyers are really assessing during procurement. Not perfection, but clarity, ownership, and sensible decision-making.

Preparing early to avoid audit and sales bottlenecks

The mistake many businesses make is waiting until deals are already slowing or audit readiness becomes urgent before acting. In reality, the most effective approach is to put the fundamentals in place early.

“My favourite advice is to get the fundamentals in place from the beginning,” Charlie says. “It doesn’t have to be complicated. If you have basic decision-making structures and enterprise-level risk discussions happening, it’s much easier to scale that into ISO 27001 later.”

When those foundations exist, ISO 27001 certification becomes an evolution rather than a disruption. Instead of scrambling to retrofit governance, organisations are able to demonstrate maturity quickly and keep sales moving.

The takeaway for scaling businesses

The compliance bottleneck that appears around 100 employees is not a failure. It is a predictable stage of growth. As buyers place greater emphasis on information security governance, organisations are expected to show that security is managed deliberately and at a leadership level.

“It’s predictable, and it’s going to happen more and more,” Charlie says. “But it doesn’t have to be complicated or expensive. You can build something that’s right for you now, and scale it as you grow.”

Handled early, ISO 27001 implementation can remove friction from procurement, accelerate audit readiness, and support long-term growth. The companies that move fastest through this stage are not the ones with the most tools, but the ones that treat security as a business responsibility, not just an IT problem.
Ready to fast-track your ISO journey?

We deliver ISO 27001 audit readiness through a focused, four-sprint programme that keeps your team aligned and progress moving.