Independent cost guide. Not affiliated with any certification body or compliance platform. Estimates based on published rates and practitioner experience. Always obtain a formal quote.

ISO 27001 Implementation Timeline - Phase by Phase

Nine phases from initial scoping to certificate in hand. Here is how long each phase takes, what it costs, and realistic timelines by company size.

Updated May 2026

Timeline by Company Size

Micro (1-10)

Fastest: 3-6 months

Smallest scope, fewest controls. Main bottleneck: finding time alongside day-to-day work. A 0.5 FTE dedicated resource achieves this comfortably.

Total cost: $10K-$25K. See cost by size for full breakdown.

Small (11-50)

Most Common: 6-9 months

The sweet spot for SaaS and service businesses. With a consultant and 0.5-1 FTE internal resource, 6 months is realistic. Without a consultant, add 2-4 months.

Total cost: $15K-$50K. See cost by size for full breakdown.

Medium (51-250)

Standard: 9-14 months

More departments, more systems, more evidence. A full-time ISMS project manager is strongly recommended. Budget for a consultant for gap analysis and policy development.

Total cost: $50K-$150K. See cost by size for full breakdown.

Large (251-1,000)

Complex: 12-18 months

Multiple teams, legacy systems, and procurement dependencies slow implementation. Typically requires a dedicated programme manager plus external consultancy.

Total cost: $150K-$350K. See cost by size for full breakdown.

Enterprise (1,000+)

Programme: 14-24 months

Often run as a formal programme with a steering committee. May certify a subset first then expand scope. Multi-site global audits span several weeks.

Total cost: $250K-$500K+. See cost by size for full breakdown.

Phase-by-Phase Breakdown

1. Scoping and Planning

Duration: 1-4 weeks. Cost: $2K-$10K.

2. Gap Analysis

Duration: 2-6 weeks. Cost: $5K-$20K.

3. ISMS Development

Duration: 4-12 weeks. Cost: $8K-$30K.

4. Controls Implementation

Duration: 8-20 weeks. Cost: $15K-$100K.

5. Internal Audit

Duration: 2-4 weeks. Cost: $5K-$15K.

6. Management Review

Duration: 1-2 weeks. Cost: $1K-$3K.

7. Stage 1 Audit

Duration: 1-3 days. Cost: $3K-$15K.

8. Stage 2 Audit

Duration: 3-15+ days. Cost: $5K-$60K.

9. Certificate Awarded

Duration: 2-4 weeks. Cost: Included.

Phase 4 (Controls Implementation) is the longest and most variable phase. See implementation cost breakdown for detailed per-phase costs.

Fast-Track Certification (4-6 Months)

Fast-track is possible under these conditions:

Requirements

  • Narrow scope (one product, one location)
  • Experienced consultant or internal ISMS lead
  • Compliance platform for evidence automation
  • Dedicated resource (minimum 0.5 FTE)
  • Existing security controls and policies
  • CEO/board actively sponsoring the project

Trade-offs

  • 20-30% higher cost (compressed consultant engagement)
  • Higher internal resource demand per week
  • Less time for organisational culture change
  • Risk of minor non-conformances (fixable post-audit)
  • Certification body availability may constrain dates

What Accelerates vs Delays Certification

Accelerators

  • Dedicated internal ISMS project owner (0.5-1 FTE)
  • Experienced consultant from day one
  • Compliance platform for automated evidence
  • Existing SOC 2, Cyber Essentials, or ISO 9001
  • Narrow, well-defined scope
  • Board and CEO actively championing the project

Common Delays

  • No dedicated resource - project owner changes mid-way
  • Scope creep after gap analysis
  • Supplier security review backlog
  • Legacy systems with no patch management
  • Internal resistance to security policies
  • CB availability - popular bodies book months ahead
  • Non-conformances in Stage 1 requiring rework

Month-by-Month Checklist (Small Organisation, 9-Month Plan)

Month | Activities | Key Milestone
1 | Scope definition, management commitment, appoint ISMS owner, select consultant | Project kickoff
2 | Gap analysis, remediation plan, budget validation, platform selection | Gap report delivered
3-4 | ISMS documentation: policies, risk methodology, risk register, SoA | SoA approved
5-6 | Controls implementation: technical controls, training, supplier reviews | All critical controls live
7 | Internal audit, management review, corrective actions | Internal audit complete
8 | Stage 1 audit, address findings, prepare for Stage 2 | Stage 1 passed
9 | Stage 2 audit, resolve non-conformances, certificate issued | Certificate awarded

Frequently Asked Questions

How long does ISO 27001 take?
Most organisations achieve certification in 6 to 18 months. Small companies (under 50 employees) with a dedicated resource and consultant can certify in 6-9 months. Medium companies (51-250) typically need 9-14 months. Large enterprises (250+) need 12-18 months. Fast-track certification in 4-6 months is possible with a narrow scope and an experienced consultant.

Can you fast-track ISO 27001 certification?
Yes, under specific conditions. You need: (1) a narrow, well-defined scope (e.g. one product, one location), (2) an experienced consultant or strong internal ISMS expertise, (3) a compliance platform for automated evidence collection, (4) a dedicated internal resource (minimum 0.5 FTE), and (5) existing security controls and policies. Fast-track typically costs 20-30% more due to the compressed consultant engagement.

What delays ISO 27001 the most?
The most common delays are: no dedicated internal resource (the project changes hands mid-way), scope creep (expanding scope after gap analysis), supplier security review backlogs, legacy systems with no asset tracking or patch management, internal resistance to new policies, and certification body availability (popular CBs book months in advance). Each delay typically adds 4-8 weeks.

How long is the Stage 2 audit?
Stage 2 audit duration depends on company size. 1-10 employees: 3-4 days. 11-50: 4-6 days. 51-250: 6-12 days. 251-1000: 12-20 days. The audit is conducted over consecutive days, usually on-site, with some portions potentially remote. Multi-site organisations may have the audit split across locations.