ISO 27001 Implementation Timeline

ISO 27001 certification takes 6 to 18 months for most organisations; a micro business with a tight scope can finish in 4, and a multi-site enterprise may need 24. Here is a phase-by-phase breakdown and realistic timelines by organisation size.

Updated 26 March 2026

Timeline by Organisation Size

Micro (1-10 staff)

Fastest: 4-8 months

Scoping (1w), Gap analysis (1-2w), ISMS development (4-6w), Controls (6-10w), Internal audit (1w), Stage 1+2 (2-3w), Certificate (2-3w)

Smallest scope, fewest controls to implement. Main bottleneck is often finding time alongside day-to-day work. A dedicated 0.5 FTE resource achieves this timeline comfortably.

Small (11-50 staff)

Most common: 6-10 months

Scoping (1-2w), Gap analysis (2-3w), ISMS development (6-10w), Controls (8-14w), Internal audit (2w), Stage 1+2 (3-4w), Certificate (2-4w)

The most common scenario for SaaS and service businesses. With a consultant and 0.5-1 FTE internal resource, 6 months is realistic. Without a consultant, add 2-4 months.

Medium (51-250 staff)

Standard enterprise: 9-14 months

Scoping (2-3w), Gap analysis (3-5w), ISMS development (8-14w), Controls (12-20w), Internal audit (3-4w), Stage 1+2 (4-6w), Certificate (2-4w)

More departments, more systems, more evidence to gather. A full-time ISMS project manager is strongly recommended. Budget for a consultant for gap analysis and policy development.

Large (251-1,000 staff)

Complex rollout: 12-18 months

Scoping (3-4w), Gap analysis (4-8w), ISMS development (10-16w), Controls (16-28w), Internal audit (4-6w), Stage 1+2 (5-8w), Certificate (3-4w)

Multiple teams, legacy systems, and procurement dependencies slow implementation. Typically requires a dedicated programme manager plus external consultancy support. Stage 2 audit takes multiple days across sites.

Enterprise (1,000+ staff)

Multi-year programme: 14-24 months

Scoping (4-8w), Gap analysis (6-12w), ISMS development (12-20w), Controls (20-40w), Internal audit (6-8w), Stage 1+2 (6-10w), Certificate (3-4w)

Often run as a formal programme with a steering committee. May certify a subset of the business first then expand scope. Multi-site global audits require careful logistics and may span several weeks.

Phase-by-Phase Breakdown

01. Initiation and Scoping

Duration: 2-4 weeks. Cost: Low

Define the scope of the ISMS - which business units, processes, systems, and locations will be covered. Gain management commitment, appoint an ISMS owner, and brief the project team.

Key outputs

  • Scope statement
  • ISMS project charter
  • Management sign-off
  • High-level project plan

Practitioner tip

Keep scope focused. A narrower scope (e.g. the product engineering team only) is faster and cheaper to certify, and can be expanded later. The scope statement must still describe the interfaces and dependencies with the parts of the business you leave out (clause 4.3), and customers reading the certificate will check that the systems they care about are inside it.

02. Gap Analysis

Duration: 2-6 weeks. Cost: Medium

Assess your current information security controls against the ISO 27001 requirements and Annex A controls. Identify gaps between where you are and where you need to be. Typically done by an external consultant or an experienced internal resource.

Key outputs

  • Gap analysis report
  • Prioritised remediation list
  • Effort and cost estimates
  • Decision: consultant vs internal vs platform

Practitioner tip

Invest in a thorough gap analysis. Surprises during the certification audit are expensive. A good gap analysis typically costs $4,000-$20,000 but saves multiples of that later.

03. ISMS Framework Development

Duration: 4-12 weeks. Cost: High

Build the formal ISMS documentation: information security policy, risk assessment methodology, asset inventory, risk register, Statement of Applicability (SoA), and all supporting policies and procedures required by the standard.

Key outputs

  • Information security policy
  • Risk assessment methodology
  • Asset register
  • Risk register and risk treatment plan
  • Statement of Applicability (SoA)
  • Supporting policies (access control, incident response, supplier security, etc.)

Practitioner tip

The Statement of Applicability is the most important document in your ISMS. It lists each of the 93 Annex A controls of ISO 27001:2022, states whether it applies to your organisation, and records the justification for each inclusion and exclusion together with the implementation status. Auditors read it side by side with the risk treatment plan, so every control the plan selects must appear in the SoA and every Annex A control you leave out needs a documented reason.
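A consistency check over an SoA export, as an added example for this page (not a tool from any ISMS platform or certification body). It assumes the SoA is exported as CSV with the columns control_id, applicable (yes/no) and justification, and that the control numbering is the 93 Annex A controls of ISO 27001:2022 (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34). It flags controls that are missing, duplicated or mis-numbered, applicability values that are not yes/no, and rows with no justification (clause 6.1.3 d) asks for a justification for inclusions as well as exclusions). The sample SoA extract at the bottom is constructed for the example.

```python
"""Consistency check for an ISO 27001:2022 Statement of Applicability (SoA).

Added example for this page, not code from any ISMS platform or
certification body. Assumptions: the SoA is exported as CSV with the
columns control_id, applicable (yes/no) and justification; the control
numbering is the 93 Annex A controls of ISO 27001:2022
(5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34).
"""
import csv
import io

# Number of controls in each Annex A theme of ISO 27001:2022
# (5 organisational, 6 people, 7 physical, 8 technological).
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}


def annex_a_control_ids():
    """Return all 93 Annex A control identifiers in numeric order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


def _sort_key(control_id):
    theme, number = control_id.split(".")
    return (int(theme), int(number))


def check_soa(csv_text):
    """Return a list of findings for an SoA; an empty list means it is consistent.

    Checks: every Annex A control is listed exactly once, the applicability
    value is yes/no, and every row carries a justification (clause 6.1.3 d)
    requires one for inclusions as well as exclusions).
    """
    expected = set(annex_a_control_ids())
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
            continue
        seen.add(cid)
        if cid not in expected:
            findings.append(f"{cid}: not an Annex A control identifier")
            continue
        applicable = row["applicable"].strip().lower()
        justification = row["justification"].strip()
        if applicable not in ("yes", "no"):
            findings.append(f"{cid}: applicable must be yes or no, got {applicable!r}")
        if not justification:
            what = "exclusion" if applicable == "no" else "inclusion"
            findings.append(f"{cid}: no justification recorded for {what}")
    # Anything the SoA never mentions is a gap the auditor will find at Stage 1.
    for cid in sorted(expected - seen, key=_sort_key):
        findings.append(f"{cid}: missing from the SoA")
    return findings


# Constructed sample: a deliberately incomplete SoA extract with one
# unjustified exclusion, one bad applicability value and one bogus control.
SAMPLE_SOA = """control_id,applicable,justification
5.1,yes,Policies approved by management and published on the intranet
7.4,no,
8.1,maybe,Laptops managed via MDM
9.1,yes,Not a real control
"""

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA):
        print(finding)
```

Run against a real export, the "missing from the SoA" lines are the ones to resolve before Stage 1, since the auditor's first question is usually why a control is absent rather than why it was excluded.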

04. Controls Implementation

Duration: 8-20 weeks. Cost: High

Implement the technical and organisational controls required by the standard and identified in your risk treatment plan. This is often the longest phase and the most variable in cost, depending on maturity.

Key outputs

  • Access control and IAM improvements
  • Vulnerability management process
  • Asset classification and labelling
  • Supplier security agreements
  • Physical security improvements (if in scope)
  • Business continuity and disaster recovery plans
  • Security awareness training programme
  • Incident management process

Practitioner tip

Prioritise controls that address your highest-rated risks first. Annex A is a reference list, not a checklist: the controls you must implement are those your risk treatment plan selects for the assets in scope, and any Annex A control you leave out needs a documented justification in the SoA.

05. Internal Audit

Duration: 2-4 weeks. Cost: Medium

Conduct a full internal audit of the ISMS against the ISO 27001 requirements before the certification body audit. Internal auditors must be independent of the areas they audit. Many organisations use an external firm for this to ensure objectivity.

Key outputs

  • Internal audit plan
  • Internal audit findings report
  • Non-conformance log
  • Corrective action plan

Practitioner tip

An independent internal audit is not just a box-tick. Auditors who find non-conformances before Stage 2 save you from potentially failing the certification audit.

06. Management Review

Duration: 1-2 weeks. Cost: Low

Senior management formally reviews the ISMS performance, including audit findings, risk posture, incidents, and objectives. This meeting must be documented and demonstrates top management commitment to the auditor.

Key outputs

  • Management review meeting minutes
  • Updated objectives for the coming year
  • Resource allocation decisions
  • Continual improvement commitments

Practitioner tip

The certification body will review management review records. Ensure the meeting covers every input clause 9.3 requires: status of actions from previous reviews, changes affecting the ISMS, audit results, nonconformities and corrective actions, monitoring and measurement results, fulfilment of objectives, risk assessment results and the status of the risk treatment plan, feedback from interested parties (including supplier performance), and opportunities for improvement.

07. Stage 1 Audit (Documentation Review)

Duration: 1-2 weeks. Cost: Medium

The first stage of the certification body audit. The auditor reviews your ISMS documentation to assess whether it meets the standard requirements and whether you are ready for the Stage 2 on-site audit. Typically conducted remotely.

Key outputs

  • Stage 1 audit report
  • List of issues to address before Stage 2
  • Stage 2 audit date confirmed

Practitioner tip

Stage 1 will almost always surface some minor issues or observations. Address them before Stage 2. A major non-conformance at Stage 1 delays the whole process by weeks.

08. Stage 2 Audit (Certification Audit)

Duration: 2-5 days on-site. Cost: High

The full on-site certification audit by the accredited certification body. Auditors interview staff, review records and evidence, observe processes, and test controls. Duration depends on organisation size and scope.

Key outputs

  • Stage 2 audit report
  • Non-conformances (if any)
  • Recommendation for certification

Practitioner tip

Prepare your team for interviews. Auditors will speak to technical staff, HR, management, and operations. Everyone should know what the ISMS is and their role in it.

09. Certificate Awarded

Duration: 2-4 weeks post-audit. Cost: Low

After resolving any non-conformances and the certification body completing its internal review, your ISO 27001 certificate is issued. The certificate is valid for 3 years, with surveillance audits in years 1 and 2 and a recertification audit before it expires.

Key outputs

  • ISO 27001 certificate
  • Certificate scope statement
  • Registration in the certification body's (CB's) online register

Practitioner tip

Add your certificate to your website, sales materials, and supplier questionnaires immediately. Update your procurement responses to reference the certificate number and expiry date.

What Accelerates or Delays Implementation?

Accelerators

  • Dedicated internal ISMS project owner (0.5-1 FTE)
  • Experienced ISO 27001 consultant engaged from day one
  • ISMS automation platform (Vanta, Drata, Sprinto) for evidence collection
  • Strong existing security hygiene (SOC 2, Cyber Essentials, ISO 9001 already in place)
  • Narrow, well-defined scope
  • Board and CEO actively championing the project

Common Delays

  • No dedicated internal resource - project owner changes mid-way
  • Scope creep - expanding the scope after gap analysis
  • Supplier security review backlog (third-party risk management)
  • Legacy systems with no patch management or asset tracking
  • Internal resistance to new security policies
  • Certification body availability - popular CBs book out months in advance
  • Non-conformances found in Stage 1 audit requiring rework before Stage 2
