Yes, sir.
Some of this documentation exists already, from the NISC in the U.S., which I can say has been projected internationally and is a good way for any business to start. That documentation has been formatted for very large enterprises as well as for SMBs.
Definitely, if an SMB is serious about protecting its data, it will go through that. However, my coming from that background of SMBs, I know that they don't have time to do that. What will be needed is really something that is a one-click-stop shop. They would just have to pay for the bare minimum and have a list of whatever mandatory verification that would be done and could be satisfactory to them. But what would that satisfaction be? Would it be for the payment card industry? Would it be satisfactory for privacy issues, and so on? There's no clear guidance by which the owner of whatever coffee shop can verify, is my business satisfactorily safe in itself and for customers, and so on, and do I offer Internet access to the customers? If so, how do I do it?
I go so many times on the road, and a bad habit of mine is to verify the security in these coffee shops. Most of the time, you find you have access to the cash register as well as the operation in the back hard drive that has all the backups in it, and access to the Internet. That's the kind of purview. These SMB owners just want to make it work, because they have so little room, and cash, to get resources.