How Long Does ISO 27001 Certification Take?

ISO 27001 certification typically takes 6-18 months. Here's what affects the timeline and how to move faster without cutting corners.

How Long Does ISO 27001 Take? | Realistic Timeline

Quick Answer

6-18 months from decision to certification. Smaller organisations with good foundations can move faster. Larger or less mature organisations take longer. Rushing creates problems.

Quick answer: 6-18 months from decision to certification. Smaller organisations with good foundations can move faster. Larger or less mature organisations take longer. Rushing creates problems.

Typical Timeline

Months 1-2: Gap Analysis and Planning

Assess current state against ISO 27001
Identify gaps
Define scope
Get management commitment
Create project plan

Months 3-6: ISMS Development

Risk assessment
Policy and procedure development
Control implementation
Documentation creation
Staff awareness and training

Months 7-9: Operation and Improvement

Run the ISMS
Collect evidence
Internal audit
Management review
Address findings

Months 10-12: Certification

Stage 1 audit (document review)
Address any issues
Stage 2 audit (full assessment)
Certification decision

What Affects the Timeline

Organisation size

More people = more complexity = more time. A 20-person company moves faster than a 200-person company.

Starting point

Already have good security practices? You're documenting and formalising, not building from scratch. Less mature? More work required.

Scope complexity

Single site with straightforward IT? Simpler. Multiple sites, complex systems, third-party dependencies? More complicated.

Resource availability

Dedicated project resource? Faster. Fitting it in around day jobs? Slower.

Management commitment

Leadership engaged and removing blockers? Progress. Leadership distracted? Delays.

Consultant support

Experienced guidance accelerates and avoids wrong turns. Going it alone is possible but typically slower.

Can You Go Faster?

Yes, with:

Full-time or significant dedicated resource
Experienced consultant support
Strong existing security foundation
Clear scope, well-defined
Engaged leadership

Fastest realistic timeline: 4-6 months for a small, well-organised company with good foundations and dedicated effort.

Warning: Rushing creates weak ISMS that struggles at audit and is painful to maintain. Better to take 9 months and do it properly than 4 months and suffer for years.

Can You Go Slower?

Yes, and many do. Common causes:

Competing priorities
Key person leaves
Scope creep
Underestimated effort
Poor project management

We've seen certification projects take 2+ years. Usually because they stopped being a priority, not because the work required it.

The Ongoing Commitment

Certification isn't the end:

Surveillance audits annually
Recertification every 3 years
Continuous ISMS operation
Internal audits
Management reviews

ISO 27001 is a management system, not a one-time project. Factor ongoing effort into your planning.

Our Approach

We've been through ISO 27001 ourselves—we're certified.

For clients:

Realistic assessment of your timeline based on your situation
Gap analysis before commitment
Structured approach that doesn't waste time
Practical documentation that works, not bureaucratic overhead
Ongoing ISMS management if you want to hand it off

---

for a realistic assessment of your timeline.

---