How Long Does ISO 27001 Take? Realistic Timelines by Company Size

The honest answer is: 3 to 18 months, depending heavily on your starting point and approach. Here is a phase-by-phase breakdown so you can build a realistic plan.

Rounak Maheshwari

Founder, ISO READY 360 · ISO 27001:2022 Practitioner

The most common mistake organisations make when planning ISO 27001 is underestimating the calendar time required — not the work effort, but the elapsed time. Even when the actual work is modest, you need time for management reviews, internal audits, certification body scheduling, and the standard's own requirements for ISMS operation before Stage 2.

The standard does not specify a minimum implementation period, but in practice certification bodies want to see evidence of ISMS operation over a meaningful period — typically at least three months — before conducting a Stage 2 audit. That sets a practical floor regardless of how fast you move.

Typical ISO 27001 Timelines

  Company size                  | Typical characteristics                                | Timeline
  ------------------------------|--------------------------------------------------------|--------------
  SaaS startup (10–30 staff)    | Lean scope, fast decisions, pre-built templates        | 3–5 months
  SMB (30–100 staff)            | Broader scope, more stakeholders, multiple teams       | 5–9 months
  Mid-market (100–500 staff)    | Complex systems, formal change management needed       | 9–14 months
  Enterprise (500+ staff)       | Multiple sites, subsidiaries, regulatory overlaps      | 12–18 months

Phase 1: Scoping and Gap Assessment (2–4 weeks)

Everything starts with scope. You need to define which parts of the organisation, which systems, and which locations fall within your ISMS boundary. Get this wrong and either the audit becomes unmanageable (too broad) or customers reject the certificate (too narrow).

A gap assessment then maps your current state against ISO 27001's requirements — clause by clause and control by control. This tells you how much documentation, how much implementation, and how much evidence you need to produce. Without this baseline you cannot plan accurately.

Phase 1 can be compressed to 1–2 weeks for small organisations with clearly defined scope. For organisations with multiple products, customer data environments, or cloud/on-premise hybrid infrastructure, scoping alone can take 4–6 weeks.

Phase 2: Documentation (4–12 weeks)

This is usually the biggest time sink for first-time implementers. You need to produce 12+ mandatory policies and procedures, a completed risk assessment, a Statement of Applicability, a Risk Treatment Plan, and numerous supporting documents. Writing these from scratch for a 30-person company typically takes one person 6–10 weeks working part-time on ISO.

Using pre-built templates reduces this significantly — the policy frameworks, risk register structures, and SoA templates already exist; you customise them to your context rather than building from a blank page. This can compress Phase 2 from 10 weeks to 3–4 weeks.

Documentation also requires approval — management must sign off on policies, and the information security objectives must be formally adopted. Factor in scheduling delays for senior sign-off.

Phase 3: Implementation and Evidence Collection (4–8 weeks)

This phase often surprises organisations because it is distinct from documentation. Having a policy is not enough — you need to actually implement the controls and collect evidence that they are operating effectively.

For a SaaS company this might mean: configuring MFA across all systems, running a vulnerability scan, completing a backup restoration test, conducting security awareness training with sign-off sheets, and formalising the access review process. Each of these takes time — not because the work is complex, but because each involves multiple people and calendar scheduling.

Controls that require vendor involvement — penetration testing, supplier assessments, legal review — have their own lead times. A penetration test typically requires 2–4 weeks of scheduling plus reporting time. Build this into your plan.

Phase 4: Internal Audit and Management Review (2–4 weeks)

Before Stage 2, you must complete at least one full internal audit cycle and one management review. These are not optional — auditors verify them in Stage 1 and check the evidence in Stage 2.

The internal audit must be conducted by someone who is not responsible for the area being audited (objectivity requirement). For small organisations this usually means the implementation lead audits operational processes and a technical person audits the documentation. The management review requires the ISMS performance to be formally presented to top management with minutes recording the discussion and decisions.

🚀 What speeds it up

  • Narrow, well-defined scope
  • Pre-built templates (not blank-page authoring)
  • Dedicated internal owner (0.5+ FTE)
  • Management support and fast sign-off
  • Cloud-first infrastructure (easier evidence)
  • Prior security maturity (SOC 2, Cyber Essentials)

🐌 What slows it down

  • Scope creep and undecided boundaries
  • Building all documents from scratch
  • ISO assigned to someone part-time (less than 20%)
  • Slow management availability for review/approval
  • Waiting for penetration test scheduling
  • Supplier security questionnaire response lag

Phase 5: Stage 1 and Stage 2 Audits (4–8 weeks)

Certification body scheduling adds its own timeline. Stage 1 (document review) typically takes place 2–4 weeks after you submit your documentation to the auditor. Stage 2 follows Stage 1 by a minimum of 4–6 weeks — the time needed to address any Stage 1 observations and allow the auditor to plan the on-site programme.

Stage 2 lasts 1–3 days depending on company size and scope. After Stage 2, assuming no major non-conformities, the certification body issues the certificate within 2–4 weeks following their internal review and sign-off process.

The practical takeaway: even if your implementation is complete, the auditing process itself adds 2–4 months of elapsed calendar time. Book your certification body early — they often have 6–8 week lead times for initial Stage 1 dates.

The Most Realistic Timeline for a Small Organisation

For a SaaS company with 15–40 employees, a cloud-first infrastructure, and a dedicated part-time implementation lead using pre-built templates:

Realistic 5-Month Plan

  Weeks       | Activity
  ------------|------------------------------------------------------
  Weeks 1–2   | Scoping, gap assessment, project kickoff
  Weeks 3–8   | Documentation: policies, risk register, SoA
  Weeks 9–14  | Implementation: controls, evidence, pen test
  Weeks 15–16 | Internal audit + management review
  Weeks 17–18 | Stage 1 audit (document review)
  Weeks 19–22 | Stage 2 audit + certificate issued

Build a Realistic Plan for Your Organisation

Our 12-phase ISMS Roadmap template includes time estimates per phase. Or book a free 30-min call to get a timeline tailored to your team size, scope, and target audit date.