“How long does ISO 27001 take, and how much does it cost?” is often the first email I get from someone enquiring about ISO 27001. I understand the question, but asking how long ISO 27001 takes is a bit like asking how long it takes to refit a bathroom: the answer depends on all sorts of things.
I can only give you a rough order-of-magnitude range, because the honest answer is “it depends”. But “it depends” isn’t much use when you’re trying to plan a project or give a board a realistic date. So here’s a proper breakdown.
The Short Answer
Ok, so you twist my arm and want a quick answer. Well, for most small and medium-sized organisations implementing ISO 27001 for the first time, the realistic timeline from kick-off to certification is three to six months.
Three months is achievable if you have strong existing security controls, a dedicated resource, and can compress audit scheduling. Six months is common for organisations starting from scratch with limited internal bandwidth.
The majority of organisations I work with reach certification in the four-to-six month range.
It also depends a lot on whether you go for certification from a UKAS-accredited certification body or from a non-accredited one (more on that in the FAQs below).
The Four Phases of an ISO 27001 Project
Understanding the timeline means understanding how an ISO 27001 project is structured. It breaks into four phases:
Phase 1: Initiation (2–4 weeks)
This is where you scope the project, get leadership buy-in, assign responsibilities, and understand where you’re starting from.
The key activity here is a gap analysis — a structured review of your current security practices compared to what ISO 27001 requires. This tells you how much work you have to do and where the biggest gaps are.
Read the full guide to the initiation phase.
Phase 2: Planning and Documentation (6–12 weeks)
This is usually the longest phase for organisations starting from scratch. You’re building:
- Your risk assessment and risk treatment plan
- Your Statement of Applicability
- Your core policies (information security policy, acceptable use, password policy, and so on)
- Your asset register
- Your supplier management documentation
If you’re using a toolkit with pre-built templates, you can compress this phase significantly — the documents exist, you just need to adapt them for your organisation. Without templates, this phase can take considerably longer.
Read the full guide to the planning phase.
Phase 3: Implementation and Operation (4–8 weeks)
Once the documentation is in place, you need to implement your controls and operate your ISMS long enough to generate evidence. Auditors need to see that your system is actually running, not just written down.
This means:
- Delivering staff awareness training (and recording it)
- Running supplier reviews
- Logging and reviewing security incidents and near-misses
- Holding a management review meeting
- Running an internal audit
Most certification bodies want to see at least one full management review cycle and one internal audit before Stage 2. This is the practical floor that stops you from rushing certification.
Read the full guide to the implementation phase.
Phase 4: Certification (4–8 weeks)
Certification happens in two stages:
Stage 1 (documentary review): The auditor reviews your documentation — mainly your ISMS policies, your risk assessment, and your Statement of Applicability — to check that the framework is sound before they visit.
Stage 2 (evidence review): The auditor looks at evidence that your controls are actually operating. They’ll interview staff, review records, and test your processes.
There’s typically a gap of two to four weeks (maybe even longer) between Stage 1 and Stage 2. If the auditor raises observations in Stage 1 (and they often do), you’ll want time to address them before Stage 2.
After Stage 2, assuming no major nonconformities, you’re certified. The certificate typically arrives within a few weeks of the final audit report.
What Makes It Faster?
Several factors can compress the timeline significantly:
Strong existing security practices. If you already have documented policies, a mature access control approach, regular patching, and staff training in place, the gap between where you are and where ISO 27001 needs you to be is smaller. Your gap analysis will show this clearly.
A dedicated resource. ISO 27001 projects stall when they’re everyone’s second job. Having one person who owns the project — even 25% of their time — makes a material difference.
Using a toolkit. Pre-built document templates eliminate the blank-page problem. Instead of writing an information security policy from scratch, you adapt an existing one. This can save weeks on the documentation phase.
Early engagement with a certification body. Audit scheduling is often the hidden bottleneck. If you wait until your documentation is ready to contact a certification body, you could be waiting months for a Stage 1 slot. Start conversations early.
External support. A consultant (like me!) who has done this many times before can run a gap analysis, help prioritise actions, and guide your team through the audit process. Experienced support can often halve the implementation timeline. Think of it like this: you *could* climb a mountain on your own, but it’s going to be a lot easier with a sherpa who has done it many times and knows the shortcuts, the right equipment to take and where the camps are.
What Slows It Down?
Starting from scratch with no existing security controls. If you have no documented policies, no formal risk assessment process and no record of how security incidents have been handled, you’re building everything from the ground up. That takes longer.
Limited internal bandwidth. If the ISO 27001 project is one of fifteen things on someone’s plate, it will keep being deprioritised. Be realistic about capacity before committing to a deadline.
Organisational complexity. The more sites, systems, suppliers, and people in scope, the more there is to document and evidence.
Audit scheduling delays. Some certification bodies have long waiting lists, particularly at certain times of year. Factor this in — it’s often the thing that surprises people most.
Major nonconformities. If Stage 1 reveals significant gaps, or Stage 2 raises major nonconformities, you’ll need time to address them before certification can be granted. Sloppy preparation for Stage 1 can add weeks or months here.
Over-complicating things. Some people and organisations just love to take the hard route; I can’t explain why, but they overthink or over-design solutions. Keep it simple and target what I call ‘minimal viable compliance’ (MVC): do just enough to get certified, and no more. You can always build out from that point later.
A Realistic Project Timeline
Here’s what a typical ‘pedal-to-the-metal’ ISO 27001 project can look like, assuming adequate resources, use of a document toolkit and an accessible certification body. Your timeline may be shorter or longer.
How Long After Certification?
Certification isn’t a one-time event. Once certified, you’ll need to:
- Maintain your ISMS and keep operating your controls
- Have a surveillance audit in year 1 and year 2
- Go through a full recertification audit in year 3
This is a programme, not a project. Budget time each year for internal audits, management reviews, training updates, and surveillance audit preparation.
Read more about surveillance audits and what to expect.
The Bottom Line
If you’re planning an ISO 27001 project, my honest recommendation is to:
- Do a gap analysis first to understand your real starting point (unless, of course, you are sure you have absolutely no baseline to speak of)
- Assign a dedicated resource — don’t make it everyone’s third priority
- Use a template toolkit to compress the documentation phase, and don’t be tempted to use AI.
- Contact your certification body early to understand scheduling and their approach.
- Build in contingency: projects always take longer than expected (ask my wife).
If you’d like to understand exactly where you stand and what’s needed, the ISO 27001 toolkit includes a gap analysis template that lets you assess your current position in a few hours.
Or if you’d like hands-on support and a fixed completion date, learn more about the consultancy programme.
FAQs
How long does ISO 27001 certification take for a small business?
Most small businesses (under 50 people) achieve certification in three to six months, assuming reasonable internal resource and the use of a document toolkit. The main variables are how mature your existing security practices are and how quickly your chosen certification body can schedule the audits.
Can you get ISO 27001 certified in 3 months?
Yes, but it requires the right conditions: strong existing security controls, a dedicated person driving the project, a toolkit to compress documentation, and a certification body with audit slots available. Three months is the realistic floor, not the typical experience. Most organisations need four to six months.
What’s the quickest you’ve got someone certified?
- Non-UKAS: 21 days, but I don’t recommend it.
- UKAS: 2.5 months.
What is the fastest way to get ISO 27001 certified?
Non-accredited (non-UKAS) certification. The auditor will check that all the mandatory components are in place, but won’t expect a ton of evidence to have gone through the system on day one. The auditing is faster and lighter, against the same standard. The caveat is that many customers and tenders specifically ask for certification from a UKAS-accredited body, so check what yours will accept before taking this route.
The biggest time savers in terms of project approach are doing a gap analysis immediately so you know exactly what needs to be done, using a document toolkit to avoid starting from scratch, and contacting your certification body early — audit scheduling is often the hidden bottleneck that catches people out.
How long does the ISO 27001 Stage 1 audit take?
For most SMEs, Stage 1 is a documentary review that typically takes one to two days. The auditor reviews your ISMS documentation, and many bodies conduct Stage 1 remotely via video call rather than visiting in person. You usually get the Stage 1 report within a week or two.
How long does the ISO 27001 Stage 2 audit take?
Stage 2 duration depends on your organisation’s size and scope, but for small businesses it typically runs one to two days on-site (or remotely). Larger or more complex organisations may need three to five days. Your certification body will advise on the specific duration when you schedule.
How long between Stage 1 and Stage 2?
Most organisations leave two to four weeks (maybe longer) between Stage 1 and Stage 2. This gives you time to address any observations the auditor raises at Stage 1 before they examine your live controls at Stage 2. Compressing this gap too tightly can be a mistake.
How long does it take to get the ISO 27001 certificate after passing the audit?
Once Stage 2 is complete and any minor nonconformities are closed, the certificate is typically issued within two to four weeks. Your certification body issues it once their internal review/quality control check is complete.
Does ISO 27001 certification expire?
ISO 27001 certificates are typically valid for three years. During that period you’ll have surveillance audits in years one and two, and a full recertification audit in year three. If you don’t maintain your ISMS and keep up with audits, the certificate can be withdrawn.
What happens if you fail ISO 27001?
A “fail” at Stage 2 usually means the auditor raised one or more major nonconformities — significant gaps where the standard’s requirements aren’t being met. You’re typically given a period (often 90 days) to address these and provide evidence before the auditor makes a final decision. Minor nonconformities are more common and don’t prevent certification as long as you have a corrective action plan in place.
How long does ISO 27001 take if we already have Cyber Essentials?
Having Cyber Essentials in place is a really good place to start from — it means you’ve already addressed some foundational technical controls. However, Cyber Essentials covers a narrower set of technical requirements and doesn’t address the governance, risk management, supplier management, or documentation requirements that ISO 27001 demands. Realistically it may shave four to six weeks off your implementation, but it won’t halve the timeline.
ISO 27001 Consultancy
Get ISO 27001 certified in 90 days.
I’ll coach you through every step.
Fully remote. Fixed fee. Working with SMEs across the UK, EU and USA.
✔ Audit-ready plan with structured checkpoints
✔ Full toolkit + templates included
✔ Expert support throughout
Cancel any time
Pro-rata refund on unused sessions
✔ Defined scope, SoA and risk treatment
✔ Plain-English — no jargon
✔ Trusted auditor recommendations
First-pass guarantee
If you don’t pass, I fix it for free
“..no-nonsense help in achieving our UKAS-accredited ISO 27001 certification…”
– Periculum Security Group (UK)
