The journey
How long ISO 27001 really takes, month by month
Three to four months for smaller UK organisations, five to eight at mid-size, and almost never the six weeks the optimistic quotes promise. Here is the realistic month-by-month shape, and where projects genuinely lose time.
Month 1
Scope, gap analysis, plan
The scoping call fixes your band and certification body options; the gap analysis scores you against every clause and control; the plan sequences everything that follows. Certification body engaged early so audit dates exist.
Months 1 to 2
ISMS design and documentation
Scope statement, risk methodology, the risk assessment itself, the Statement of Applicability and the mandatory document set, built around how you actually operate.
Months 2 to 3
Controls implemented and evidence flowing
The selected Annex A controls put to work: access reviews running, suppliers assessed, logging in place, awareness delivered. Evidence starts accruing as a by-product, which is what Stage 2 will sample.
Month 3 to 4
Internal audit, management review, Stage 1
The independent clause 9.2 audit, findings closed, management review minuted, then the certification body's Stage 1 documentation review. Findings from Stage 1 get a planned gap before Stage 2.
Month 4 onwards
Stage 2 and certificate
The implementation audit: interviews, sampling, evidence. With the readiness work done, Stage 2 confirms rather than discovers. Certificate issued by your UKAS-accredited body, valid on a three year cycle.
Where the time really goes
The three things that stall ISO 27001 projects
Not the documentation, which a practitioner drafts quickly. What stalls projects is unowned decisions (scope, risk appetite, budget for fixes), evidence that cannot be backdated, and certification bodies booked later than month one. All three are process failures, and all three are avoidable with a plan that treats them as the critical path.
Typical shapes
- Three to four months: under 50 staff, cloud-first, decisions made in days. The common case for our band-one and band-two clients.
- Five to eight months: 150 to 500 staff, multiple departments in scope, evidence across more teams. Still routine; just longer.
- A year or more: usually a signal the project has no owner or the scope was drawn too wide. Fixable, and cheaper to fix early.
Quick answers
Timeline questions, answered
How long does ISO 27001 certification take?
Typical UK projects run three to four months for organisations under about 50 staff, and five to eight months at 150 to 500. The audit stages themselves are days; the calendar is consumed by building the ISMS, letting evidence accrue and the certification body's diary. Anyone promising certification in weeks is selling a certificate, not a management system.
What drives the timeline most?
Three things: how much of an ISMS already exists, how quickly your organisation makes decisions, and evidence accrual, because auditors want to see controls that have been running, not controls installed last Tuesday. Certification body lead times matter too, which is why we engage yours in month one.
Can we speed it up for a contract deadline?
Sometimes. The compressible parts are documentation and decision-making, and we compress them by doing the drafting and forcing the decisions into workshops. The less compressible part is evidence: some controls need weeks of operation to be auditable. Tell us the deadline on the scoping call and you will get a straight feasible-or-not answer.
What happens after certification?
Annual surveillance audits in years two and three, then recertification. The ISMS needs an owner, a working internal audit rhythm and a management review cadence. We support all of it, from a light annual package to running the clause 9.2 audit each year.
Deadline in the diary?
Get a feasible date, not a hopeful one
Tell us your target on a free 45 minute scoping call and we will map the timeline backwards from it, and tell you plainly if it cannot be done.