What Is the Typical ISO 27001 Certification Timeline?
The honest answer is that it depends, but the data from certification bodies and consultancies paints a clear picture. Most organisations achieve ISO 27001 certification within 3 to 14 months of starting their implementation project.
Where you fall within that range comes down to three things: the size of your organisation, your existing security maturity, and the approach you choose.

| Organisation Profile | Typical Timeline | Key Driver |
|---|---|---|
| Startup (fewer than 50 employees) | 3–6 months | Smaller scope, fewer controls to implement |
| SME (50–250 employees) | 6–9 months | More departments, broader risk landscape |
| Mid-market (250–1,000 employees) | 9–12 months | Complex processes, multiple locations possible |
| Enterprise (1,000+ employees) | 12–18 months | Multi-site scope, regulatory overlaps, larger supply chain |

These are averages. Organisations with existing security frameworks in place, such as SOC 2 or Cyber Essentials, often move significantly faster because many controls and much of the documentation already exist.

How Long Does Each Phase Take?
ISO 27001 implementation follows a structured sequence. Understanding what each phase involves helps you plan realistic milestones and allocate resources where they matter most.
Phase 1: Gap Analysis (1–4 weeks)
This is your starting point. A gap analysis compares your current security posture against the requirements of ISO 27001 and identifies what needs to change. For a small organisation with some controls already in place, this can take as little as a week. Larger organisations with complex IT environments typically need 3–4 weeks.
Phase 2: Scoping and Planning (1–2 weeks)
You define the boundaries of your Information Security Management System (ISMS): which departments, systems, locations and data are in scope. Getting the scope right is critical because an overly broad scope extends every subsequent phase, while a scope that is too narrow can leave gaps that auditors will flag.
Phase 3: Risk Assessment (2–4 weeks)
A formal risk assessment is a mandatory requirement under Clause 6.1.2. You identify information assets, assess threats and vulnerabilities, evaluate the likelihood and impact of each risk, and determine how to treat them. This feeds directly into your Statement of Applicability (SoA).
Phase 4: Control Implementation and Documentation (2–6 months)
This is where the majority of time is spent. You write policies, implement the applicable Annex A controls, build evidence collection processes and train your staff. The 2022 revision of the standard requires you to address 93 controls across four categories: organisational, people, physical and technological.
A compliance platform like ISMS.online can cut this phase dramatically by providing pre-built policy templates, automated evidence collection and a structured framework that guides you through each control.
Phase 5: Internal Audit (1–3 weeks)
Before you face an external auditor, Clause 9.2 requires you to conduct an internal audit. This tests whether your ISMS is working as documented and identifies nonconformities you can fix before the certification audit. You can run this in-house or outsource it.
Phase 6: Management Review (1 week)
Clause 9.3 requires a formal management review where senior leadership evaluates the performance of the ISMS, reviews audit results and makes decisions on improvements. This is typically a single documented meeting.
Phase 7: Stage 1 Audit (1–2 days)
Your certification body conducts a documentation review. The auditor checks that your ISMS documentation, scope, risk assessment and SoA are complete and meet the requirements. This is often conducted remotely and typically takes one to two days.
Phase 8: Stage 1 to Stage 2 Gap (4–8 weeks)
You address any observations or minor issues raised during Stage 1 and allow your ISMS to run operationally, building up the evidence trail that auditors will examine during Stage 2. This gap must not exceed six months or Stage 1 will need to be repeated.
Phase 9: Stage 2 Audit (2–10 days)
The full certification audit. Your auditor tests controls in practice, interviews staff, reviews evidence and verifies that your ISMS is operating effectively. The duration depends on your organisation’s size: ISO 27006 specifies approximately 5 audit days for organisations with fewer than 10 employees, rising to 14+ days for organisations with around 200 staff. Learn more about how to prepare for your audit.
Phase 10: Certificate Issuance (2–4 weeks)
Assuming no major nonconformities, your certification body issues the certificate within a few weeks of a successful Stage 2 audit. Minor nonconformities must typically be resolved within 90 days. Once certified, your certificate is valid for three years, subject to annual surveillance audits.
What Factors Affect How Long ISO 27001 Certification Takes?
Every organisation’s timeline is different. These are the factors that have the biggest impact on how quickly you move from decision to certified.
Factors That Speed Things Up
- Existing security maturity: If you already hold SOC 2, Cyber Essentials Plus or have documented security policies, you can leverage existing controls and evidence rather than starting from scratch.
- Dedicated project owner: Organisations that assign a named, dedicated project manager with ring-fenced time consistently certify faster than those treating it as a side project.
- Executive buy-in: When leadership actively supports the project with budget, resources and fast decision-making, blockers get resolved quickly.
- Narrow, well-defined scope: Starting with a single product, service or business unit keeps the implementation focused and manageable.
- A compliance platform: Automated evidence collection, pre-built templates and guided workflows eliminate weeks of manual work. Organisations using ISMS.online benefit from a structured approach that keeps the project on track.
Factors That Slow Things Down
- Lack of management commitment: Delayed budget approvals, competing priorities and treating certification as a checkbox exercise together make up the number one cause of stalled implementations.
- Scope creep: Trying to include every department, third-party vendor and office location in year one extends every phase.
- Poor documentation habits: If your organisation has good security practices but nothing written down, the documentation phase takes significantly longer.
- Cross-functional gaps: ISO 27001 is not an IT project. It requires input from HR, Legal, Operations and senior management. Organisations that treat it as IT-only hit bottlenecks when other departments need to be involved.
- Remediation delays: Underestimating the effort to fix gaps identified during internal audits or Stage 1 can push back your Stage 2 date by months.
For a deeper look at common pitfalls, see our guide to issues, risks and roadblocks during implementation.
How Does Your Approach Change the Timeline?
The route you choose has a significant impact on both the timeline and the total cost. Here is how the three main approaches compare.

| Approach | Time to Audit-Ready | Total to Certified | Best For |
|---|---|---|---|
| DIY (in-house, no tools) | 6–9 months | 9–18 months | Organisations with deep internal expertise and no budget for external support |
| With a consultant | 3–6 months | 6–12 months | Organisations that need expert guidance but can manage day-to-day tasks |
| With a compliance platform | 6–8 weeks | 3–6 months | Organisations wanting structure, automation and a faster path |
| Platform + consultant | 4–8 weeks | 3–5 months | Organisations that want the fastest, most supported route to certification |

The difference between DIY and platform-supported implementation is stark. Manual approaches spend the bulk of their time on documentation, evidence collection and building frameworks that a platform like ISMS.online provides out of the box. See how we compare to the traditional consultant-led approach.
How Can You Speed Up ISO 27001 Certification?
If you are working to a deadline, whether it is a customer requirement, a tender condition or a board mandate, there are practical steps you can take to compress your timeline without cutting corners.
- Start with a gap analysis: Before doing anything else, understand where you stand. A structured gap analysis tells you exactly what work needs to be done and lets you prioritise high-impact items.
- Define a tight scope: Certify a specific product, service or department first. You can always expand the scope in subsequent audit cycles.
- Assign a dedicated owner: Someone whose primary responsibility is driving the ISMS implementation forward, not managing it as an afterthought alongside their day job.
- Use a platform with pre-built templates: ISMS.online provides policy templates, risk assessment frameworks, a project structure guide and automated evidence collection that eliminates weeks of manual work.
- Run your internal audit early: Do not wait until everything is perfect. An early internal audit reveals issues you can fix before Stage 1, preventing surprises that delay Stage 2.
- Choose your certification body early: Auditor availability can be a bottleneck. Book your Stage 1 and Stage 2 dates as early as possible, then work backwards from those dates to set internal milestones.
- Keep the ISMS running: Your ISMS needs to be operational for at least three months before Stage 2 so that auditors have sufficient evidence to review. Start the clock as early as you can.
Why Choose ISMS.online to Accelerate Your ISO 27001 Certification?
ISMS.online is purpose-built to help organisations achieve ISO 27001 certification faster and maintain compliance with less effort. Here is what sets the platform apart.
- Pre-built policy templates and control frameworks: Start with documentation that already maps to the 93 Annex A controls, cutting months off the implementation phase.
- Guided implementation workflow: A structured, step-by-step approach that keeps your project on track from gap analysis through to Stage 2 audit, so you always know what to do next.
- Automated evidence collection: Continuously gather and organise the evidence your auditor needs, eliminating the manual scramble before audit day.
- Risk management built in: An integrated risk assessment framework with a risk bank, treatment plans and dynamic risk registers that satisfy Clause 6.1.2 out of the box.
- Collaboration across teams: Assign tasks and controls to owners across departments, keeping HR, Legal, IT and Operations aligned without endless email chains.
- Continuous compliance: Once certified, the platform keeps your ISMS running year-round with automated monitoring, audit scheduling and management review tracking, so surveillance audits are straightforward.
- Multi-framework support: Already working towards SOC 2, GDPR, NIS 2 or ISO 42001? Map overlapping controls once and reuse evidence across frameworks.
Organisations using ISMS.online typically move from kickoff to audit-ready in weeks rather than months. Book a demo to see how the platform can compress your certification timeline.
FAQs
Can you get ISO 27001 certified in 3 months?
Yes, but only in specific circumstances. Small organisations with fewer than 50 employees, a narrow scope and an existing security baseline can achieve certification in as little as 3 months when using a compliance platform and dedicating focused resources to the project. For most organisations, 6 to 9 months is a more realistic target.
How long does the ISO 27001 audit itself take?
The Stage 1 audit typically takes 1–2 days and focuses on documentation review. The Stage 2 audit takes 2–10 days depending on your organisation’s size, as specified by ISO 27006. There is usually a 4–8 week gap between Stage 1 and Stage 2. The cost of the audit also scales with its duration.
What takes the longest in the ISO 27001 process?
Control implementation and documentation is consistently the longest phase, typically accounting for 2–6 months of the total timeline. This involves writing policies, implementing the 93 Annex A controls, setting up evidence collection processes and training staff. A compliance platform significantly reduces this phase by providing pre-built frameworks and automated workflows.
How long is an ISO 27001 certificate valid for?
An ISO 27001 certificate is valid for 3 years. During that period, you will undergo annual surveillance audits (typically reviewing around 50% of your Annex A controls each year) to confirm your ISMS continues to operate effectively. At the end of the 3-year cycle, you go through a recertification audit to renew your certificate. Learn more about the full audit cycle.
Does having SOC 2 speed up ISO 27001 certification?
Significantly. SOC 2 and ISO 27001 share approximately 90% control overlap. Organisations that already hold SOC 2 typically have documented policies, access controls, monitoring and incident response processes that map directly to ISO 27001 requirements. This can reduce the implementation phase by several months.
Do I need a consultant to get ISO 27001 certified?
No. Many organisations achieve certification without a consultant by using a compliance platform that provides the structure, templates and guidance needed to implement the standard. A platform like ISMS.online gives you the same guided approach a consultant would, with the added benefit of automated evidence collection and continuous compliance monitoring. See our comparison of consultants vs ISMS.online.