How Long Does ISO 27001 Certification Actually Take? (Real-world timelines)

Honest, evidence-based timelines for ISO 27001 certification across small, medium, and large organisations — including what causes delays.

By RGI bv editorial team. Published December 11, 1969. Updated December 29, 1969. 8 min read.
Tags: Certification, Planning, Timelines

Vendors love to say "ISO 27001 in 90 days!" The reality is messier. Here are honest timelines based on hundreds of real implementations across small, medium, and large organisations.

The two clocks

There are two timelines to keep separate: implementation (building the ISMS) and certification (the external audit cycle). The audit itself is split into Stage 1 (documentation review) and Stage 2 (operational audit), usually 4–8 weeks apart.

Small organisation (1–50 people)

Realistic timeline: 4–6 months end-to-end. The bottleneck is usually not the controls — it's getting management to make scoping decisions and getting evidence collected from people who already have day jobs.

Medium organisation (50–250 people)

Realistic timeline: 6–9 months. More stakeholders to align, more legacy systems to document, often a separate IT and security team to coordinate.

Large organisation (250+ people)

Realistic timeline: 9–18 months. Scoping alone can take 6–8 weeks. Multiple sites, group structures, and supplier landscapes all add complexity. Budget for a dedicated programme manager.

What actually causes delays

  1. Scoping indecision. "Should we include the subsidiary?" — debated for 6 weeks.
  2. Risk assessment drift. Re-doing it three times because the methodology keeps changing.
  3. Evidence collection. Asking 40 system owners for screenshots and policy approvals.
  4. Auditor availability. Top certification bodies are booked 3–4 months out.
  5. Stage 2 non-conformities. Major non-conformities can push certification back by months.

Cost side of the equation

For pricing benchmarks, see watkostiso27001.nl — a Dutch-language pricing reference that pairs well with this timeline guide.
