The Honest Answer: It Depends on Where You Start
If you have searched for how long ISO 27001 certification takes, you have probably seen answers ranging from three months to two years. Both can be accurate. The real answer depends on the current state of your information security practices, the size of your organisation, how much internal resource you can dedicate to the project, and the quality of support you get from a consultant or certification body.
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It is a rigorous standard. It asks you to identify your information assets, assess the risks to those assets, implement appropriate controls, document your processes, and demonstrate that your system is actually working. That takes time to do properly. Anyone telling you otherwise is either selling you something or has not done it before.
This article gives you a realistic breakdown of the ISO 27001 certification timeline, what stretches it out or compresses it, and how to plan your project so you are not caught off guard six months in.
Typical ISO 27001 Certification Timelines by Organisation Size
Before breaking down each phase, here is a rough guide to overall timelines based on organisation size. These are based on real project experience, not marketing brochures.
Small Businesses (1 to 30 staff)
A small business with a limited IT environment, a focused scope, and at least one dedicated internal person driving the project can realistically achieve certification in three to six months. If the business has some existing security practices in place, even informal ones, the lower end of that range is achievable. If you are starting from scratch with no documentation and no security awareness culture, budget for six months minimum.
Medium Businesses (30 to 200 staff)
This is the most common scenario. Medium-sized businesses typically take six to twelve months to reach certification. There are more people involved, more systems to assess, more processes to document, and more internal alignment required. Getting buy-in from department heads, IT teams, and senior leadership takes time. So does training staff and building awareness across the organisation.
Large Organisations (200+ staff)
Large organisations with complex IT environments, multiple locations, or regulated industries should budget twelve to eighteen months or more. The sheer volume of assets, the number of stakeholders, and the governance layers involved extend every phase. Some large enterprises take two years, particularly if they are implementing ISO 27001 alongside other frameworks or undergoing significant IT changes at the same time.
The Five Phases of ISO 27001 Certification and How Long Each Takes
Understanding the individual phases helps you plan realistically and identify where your project is most likely to stall.
Phase 1: Gap Analysis (Two to Four Weeks)
The gap analysis is where you compare your current information security practices against what ISO 27001 requires. A good consultant will assess your existing documentation, interview key staff, review your IT environment, and produce a report showing what is in place, what is missing, and what needs to be built from scratch.
For a small business, this can take two weeks. For a larger organisation with multiple departments and systems, four to six weeks is more realistic. Do not skip this step or rush it. The gap analysis is the foundation of your project plan. If it is done poorly, you will discover gaps late in the process, which is expensive and demoralising.
Phase 2: Building and Implementing the ISMS (Two to Nine Months)
This is the longest phase and the one most businesses underestimate. Building your Information Security Management System involves creating and implementing policies, procedures, risk assessment processes, asset registers, and the 93 controls from Annex A that are applicable to your scope.
The range here is wide because it depends heavily on your starting point. A technology company that already has documented processes, access controls, and incident response procedures will move faster than a professional services firm that has been running on informal practices for years.
Key tasks in this phase include:
- Defining the scope of your ISMS
- Completing a thorough ISO 27001 risk assessment to identify and evaluate threats to your information assets
- Selecting and implementing applicable Annex A controls
- Writing your Statement of Applicability
- Developing policies covering areas like access control, cryptography, supplier security, and incident management
- Training staff and building awareness
- Establishing processes for monitoring, measurement, and continual improvement
The biggest delay in this phase is almost always internal capacity. If the person responsible for the project has a full-time job on top of the ISO work, progress will be slow. If leadership does not treat it as a priority, tasks get deprioritised and timelines blow out.
Phase 3: ISMS Operation Period (One to Three Months Minimum)
ISO 27001 requires evidence that your management system is actually operating, not just documented. Before you can go to audit, you need to demonstrate a period of operation. This typically means at least one internal audit cycle, at least one management review, and evidence that your security controls are functioning as intended.
Most certification bodies want to see at least one to three months of operational evidence before the Stage 2 audit. Some will accept less for smaller scopes, but do not count on it. Build this time into your project plan from the start.
This is also the phase where many businesses discover that their documented procedures do not match what people are actually doing. That is normal. It is exactly what the operation period is designed to surface. The key is addressing those gaps before the auditor finds them.
If you want to know how to make your internal audits genuinely useful during this phase, read this guide on how to run ISO internal audits that actually find problems.
Phase 4: Stage 1 Audit (One to Two Days)
The Stage 1 audit, sometimes called a documentation review or readiness audit, is where the certification body reviews your ISMS documentation and confirms you are ready for the full certification audit. The auditor will check that your scope is clearly defined, your risk assessment is documented, your Statement of Applicability is complete, and your key policies are in place.
The Stage 1 audit itself takes one to two days depending on your scope. However, scheduling it can add two to four weeks to your timeline depending on auditor availability. If the auditor identifies significant gaps, you may need additional time to address them before Stage 2.
To make sure you are prepared, review the eight things to do before an ISO Stage 1 readiness audit before you book your date.
Phase 5: Stage 2 Certification Audit (Two to Five Days)
The Stage 2 audit is the full certification audit. The auditor will spend time on-site or remotely reviewing your ISMS in depth, interviewing staff, testing controls, and verifying that your system is operating as documented. The duration depends on the size and complexity of your scope. A small business might have a two-day Stage 2. A large organisation could have five days or more.
After the audit, the certification body reviews the findings and, assuming no major nonconformities, issues your ISO 27001 certificate. This administrative process can take two to six weeks. If there are nonconformities to close out, add more time.
For a detailed breakdown of what to expect in the lead-up to this audit, the guide on 10 things to do before an ISO Stage 2 certification audit is worth reading before you schedule your date.
What Slows ISO 27001 Projects Down
In my experience, the technical work of building an ISMS is rarely what causes delays. The real bottlenecks are almost always organisational. Here are the most common ones.
Lack of Internal Ownership
ISO 27001 requires someone to own the project internally. Not just a consultant driving it from outside, but a person inside the business who is accountable for progress, has access to leadership, and can make decisions. Without that person, projects stall. Decisions get deferred, documentation reviews take weeks instead of days, and staff training never gets scheduled.
Scope Creep
Defining your ISMS scope too broadly is one of the most common mistakes first-time implementers make. If you try to include every system, every location, and every business function in scope, your project becomes enormous. A focused, well-defined scope that covers the most critical information assets is almost always the better starting point. You can always expand scope at recertification.
Underestimating the Risk Assessment
The risk assessment is the heart of ISO 27001. Many businesses treat it as a box-ticking exercise and produce a risk register that looks complete but has no real depth. Auditors can tell the difference. A shallow risk assessment will generate nonconformities and send you back to redo the work. Doing it properly the first time saves weeks of rework.
Poor Consultant or Certification Body Selection
Choosing the wrong support partner can add months to your project. A consultant who does not understand your industry, provides generic templates that do not fit your context, or is difficult to reach will slow everything down. Similarly, a certification body with poor scheduling availability or inconsistent auditors creates unnecessary delays and stress.
If you are comparing consultants for your ISO 27001 project, this guide on how to compare ISO 27001 consultants will help you ask the right questions before you commit.
What Can Speed the Process Up
While there are no shortcuts worth taking, there are genuine ways to run a more efficient ISO 27001 project.
Start with a Proper Gap Analysis
Knowing exactly where you stand before you start saves significant time. A thorough gap analysis means you are not discovering missing controls three weeks before your Stage 2 audit.
Dedicate Real Internal Resource
Businesses that assign a dedicated internal project lead, even part-time, move significantly faster than those that treat ISO 27001 as a side project. That person does not need to be a security expert. They need to be organised, have access to the right people, and be empowered to make decisions.
Get Leadership Commitment Early
ISO 27001 requires visible leadership commitment. That is not just a standard requirement. It is a practical necessity. When the CEO or senior leadership team actively supports the project, staff take it seriously, resources get allocated, and decisions get made faster. When leadership is indifferent, everything takes longer.
Choose an Experienced Consultant
An experienced ISO 27001 consultant who has done this many times before will know which controls are commonly misunderstood, where auditors focus their attention, and how to structure your documentation efficiently. That knowledge compresses timelines significantly compared to trying to figure it out yourself or working with a generalist consultant.
Understanding the ISO 27001 Standard Requirements and Certification Costs
Timeline and cost are closely linked. A faster timeline often means more consultant hours in a shorter period, which costs more upfront. A longer timeline spread over twelve months might feel more manageable but carries the risk of momentum loss and staff disengagement.
For a detailed breakdown of what ISO 27001 certification actually costs in Australia, including consultant fees, certification body fees, and internal costs, the article on ISO 27001 certification cost in Australia for 2026 covers it in depth.
The key point is that investing in quality support upfront almost always works out cheaper than cutting corners and dealing with failed audits, rework, and extended timelines later.
Planning Your ISO 27001 Project: A Realistic Timeline Summary
To bring this together, here is a practical summary of what a realistic ISO 27001 project looks like for a medium-sized business aiming for certification within nine to twelve months.
- Months 1 to 2: Gap analysis, scope definition, project planning, assign internal ownership
- Months 2 to 6: Risk assessment, Annex A control implementation, policy and procedure development, staff training
- Months 6 to 8: ISMS operation period, internal audits, management review, close out gaps identified
- Months 8 to 9: Stage 1 audit, address any findings
- Months 9 to 11: Stage 2 certification audit, close nonconformities if any
- Months 11 to 12: Certificate issued
This is a realistic schedule for a business that is serious about it and has appropriate support. Compress any phase without the work being done properly and you will pay for it later.
After Certification: The Ongoing Commitment
ISO 27001 certification is not a one-time achievement. Your certificate is valid for three years, but you are required to have annual surveillance audits in years one and two, and a full recertification audit in year three. Your ISMS needs to keep operating, internal audits need to happen, management reviews need to be conducted, and your risk register needs to stay current.
Businesses that treat certification as the finish line tend to struggle at their first surveillance audit. The ones that treat it as the beginning of a genuine security management program find the ongoing commitment much more manageable.
How CertBetter Can Help You Get Started
If you are planning your ISO 27001 certification and want to understand your timeline and costs before committing to anything, CertBetter makes it straightforward. You submit one form and receive up to three competing quotes from verified ISO 27001 consultants and accredited certification bodies. There is no cost to use the platform, and you are under no obligation to proceed with any quote.
Having multiple quotes in front of you also lets you ask the right questions about timelines, what is included, and how each provider approaches the project. That comparison is genuinely useful before you commit to a twelve-month engagement.