Nexus, L.L.C.

How Long Does ISO 27001 Certification Take?

Most companies want ISO 27001 fast, but few know how long certification actually takes. Some consultants promise “quick” certifications, but in reality, the timeline depends on your scope, maturity, and resources.


This page gives you a practical timeline based on how long it takes real companies to implement ISO 27001.


Short Answer: 3 to 9 Months for Most Organizations

Most small and mid-sized companies complete the process in 3–9 months, depending on:

  • How much documentation you already have
  • Whether you have established security practices
  • The complexity of your systems
  • How much internal time you can dedicate
  • Whether you work with a consultant

Mature companies can finish faster, and immature environments take longer, but the range above is realistic for 90% of organizations.



Longer Answer: Step-by-Step Timeline

Below is the actual timeline breakdown based on the typical ISO 27001 lifecycle.



1. Scoping & Gap Analysis: 1 to 3 Weeks

This phase defines what’s included in the ISMS and identifies what’s missing.

Deliverables include:

  • Defined scope
  • Gap assessment
  • Prioritized remediation plan
  • High-level timeline

The better this step is done, the smoother the entire project becomes.



2. ISMS Build-Out: 4 to 12 Weeks

This is where most of the work happens.

You’ll build or refine:

  • Policies
  • Procedures
  • Asset inventory
  • Risk methodology
  • Risk register
  • Statement of Applicability (SoA), initial version
  • Security objectives
  • Operational controls: logging, access control, backups, onboarding/offboarding, incident handling, etc.

Mature companies finish this in weeks.
Companies building from scratch need a few months.



3. Risk Assessment & Risk Treatment: 2 to 6 Weeks

This covers:

  • Identifying risks
  • Evaluating impact/likelihood
  • Choosing treatments
  • Implementing controls
  • Updating the SoA

This step is mandatory before any internal audit.



4. Internal Audit: 1 to 3 Weeks

An internal audit is required before the certification audit.

The internal auditor checks:

  • Policy alignment
  • Control implementation
  • Evidence
  • ISMS maturity

Findings → corrective actions → updates.



5. Management Review: 1 to 2 Weeks

This is a formal review by leadership. It is required and must be documented.

Topics include:

  • Audit results
  • Objectives
  • Risk landscape
  • Incidents
  • KPIs/metrics
  • Improvement needs

6. Corrective Action & Final Prep: 2 to 6 Weeks

This is where you tighten loose ends:

  • Implement missing controls
  • Update procedures
  • Close audit findings
  • Verify evidence is ready

The better your prep, the easier the certification audit will be.



7. Certification Audit (Stage 1 & 2): 4 to 8 Weeks

Stage 1 Audit: Documentation Review

The auditor reviews your ISMS documentation and confirms you are ready for Stage 2.
Duration: 1–3 days, but typically booked 2–4 weeks out.



Stage 2 Audit: Implementation Review

The auditor verifies that the documented controls and processes are actually implemented and operating.
Duration: 2–5 days, usually 2–6 weeks after Stage 1.



Certification Decision

The certification body issues its decision 1–3 weeks after Stage 2.



Overall Realistic Timeline Summary

  • Mature, security-focused: 2–4 months
  • Mid-level maturity: 4–7 months
  • Low maturity / no policies: 6–12 months


Common Delays Companies Run Into

Companies slow down when they:

  • Underestimate documentation requirements
  • Don’t assign a project owner
  • Have weak asset management
  • Delay risk assessments
  • Lack technical controls for access, logging, or backups
  • Fail to collect evidence early
  • Try to “overdo” ISO instead of keeping it simple

With the right guidance, these delays are avoidable.



Bottom Line

Most companies can achieve ISO 27001 certification in 3–9 months with a clear project plan and the proper focus.


If you want help getting through the process faster and without wasted effort, I specialize in guiding organizations to certification with practical, efficient ISO support.


If you’re new to ISO 27001, start with: ISO 27001 Explained.

For a step-by-step implementation plan: ISO 27001 Certification Roadmap: Step-by-Step for Beginners.

Learn about the changes in the ISO 27001 standard here: ISO 27001:2013 vs 2022 — What Changed?

Contact Us Today, Let's Get Started!

Please fill out the contact us form or give us a call and we will be in touch to answer questions or schedule a meeting to discuss your business needs and ISO 27001 goals. 

Nexus, L.L.C.

Email: info@nexusadvisory.org   Phone: (443) 256-3385

Copyright © 2025 www.nexusadvisory.org - All Rights Reserved.