
How long does an ISO 27001 implementation take? A realistic timeline for your organization
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript
Heading 1
Heading 2
Heading 3
Heading 4
Heading 5
Heading 6
Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.
Block quote
Ordered list
- Item 1
- Item 2
- Item 3
Unordered list
- Item A
- Item B
- Item C
Bold text
Emphasis
Superscript
Subscript

The four phases of an ISO 27001 process
Every process follows a set of steps. However, the focus and time required for each phase shift as your organization becomes larger or more complex.
Phase 1: The Analysis
You assess your current situation. At Fendix, we use a GAP analysis to determine if the Harmonized Structure is already sufficient, which of the 93 controls (the so-called Annex A controls) you already use, and what is still missing. You also define the exact scope of your certification, conduct an initial risk analysis, and assemble the project team.
- Duration: 4 to 10 weeks.
Phase 2: The Design
Now you start writing the policy. You draw up the Statement of Applicability (SoA), describe the necessary procedures, and determine how you will concretely implement the measures in practice.
- Duration: 4 to 12 weeks.
Phase 3: The Implementation
This is the phase where the real work happens and which requires the most effort. You implement the technical and organizational measures, train your colleagues (security awareness), and set up monitoring. You are also required to conduct at least one internal audit and a management review. Without these two steps, an external auditor will never issue a certificate.
- Duration: 8 to 24 weeks.
Phase 4: The Certification Audit
The external auditor will audit your organization. This happens in two parts: phase 1 and phase 2. Phase 1 is a review of your documentation, and phase 2 is the actual practical assessment of your ISMS (Information Security Management System). There is usually a 4 to 8 week period between these two audits to resolve any outstanding issues.
Tip: Certification bodies often have full schedules and plan 3 to 6 months in advance. Therefore, book your audit days right at the start of the process.
- Lead time: 4 to 8 weeks (from phase 1 to the final issuance of your certificate).
What is the total lead time for your organization?
If we add up the phases, you'll arrive at a total lead time of 5 to 13 months. This overview shows where you fit in:

The complexity of an organization is related to various factors, such as:
- The number of different processes and rules.
- The number of diverse stakeholders.
- The number of different functions.
Consider organizations in healthcare, government, and educational institutions.
A too-tight schedule leads to stress, rushed work, and errors during the audit, while a too-loose schedule causes the project to stall and lose focus. Therefore, be realistic about your starting point from the beginning.
How much time will this cost your own team?
A project also requires internal hours from your organization:
- SME / Small organization: Expect 4 to 8 hours per week for the project leader and 2 to 4 hours per month for management. During the implementation phase, this may temporarily increase.
- Large / Complex organization: The project leader will easily dedicate 16 to 24 hours per week to this. Additionally, we recommend establishing a permanent steering committee with management.
Two case studies from Fendix clients
Nedscaper: Achieving ISO 9001 and ISO 27001 certification in 12 weeks
Nedscaper is a cloud organization with a compact scope. Their GDPR matters were already well-managed, and the team was highly motivated. By working on policy and implementation simultaneously, and by engaging smart assistance for the internal audit, they were ready for the final audit within 12 weeks. However, this is an exception. Without this specific, strong starting position and focus, this pace is not achievable for most organizations.
Heras: Certified within one year
Heras is an industrial company with multiple branches and a complex IT environment (partly managed in-house, partly outsourced). A one-year project here was a tight but realistic plan. The implementation phase, in particular, took the most time, which is logical for an organization with multiple locations.
The common denominator? Both organizations were successful because they had chosen a clear scope beforehand, appointed a single clear project owner, and had management closely involved.
Three ways to accelerate your project
- Avoid an unnecessarily broad scope: start with your most important core processes and expand later. A compact scope can accelerate your project by 30% to 40%. Please note: check in advance whether your clients or certain tenders do not directly require a broad scope.
- Work in parallel, not sequentially: you don't have to wait until your policy is fully documented before you start implementing measures. These steps can easily run simultaneously.
- Leverage expertise for the heavy lifting: an external partner immediately provides the right structure and handles the documentation. This saves your own team weeks of research.
Frequently asked questions
What about the NIS2 deadline?
The Dutch Cybersecurity Act (Cbw), which stems from the NIS2 directive, is expected to come into effect on July 1, 2026. An ISO 27001 certificate is not legally mandatory, but it is a recognized way to demonstrate compliance with your duty of care. If you need to comply with this, a 9 to 12-month trajectory is achievable, provided you start now.
Can it really not be done in 3 months?
Only if you already have a fully functional management system in place, choose a narrow scope, and have an experienced team ready (as in the Nedscaper case). For most organizations, this is not realistic, but it is possible.
How long does the final audit itself take?
For SMEs, the audit (Phase 1 and Phase 2 combined) usually takes 2 to 4 days. For larger organizations with multiple locations, it can easily take a week or longer.
Want to determine your own timeline?
A thorough GAP analysis is the best first step. Within half a day, we map out exactly where you stand in relation to the standard. This provides you with a concrete step-by-step plan with clear deadlines tailored to your situation.
Want to know more or get an accurate estimate?
- Read more about ISO 27001 in our guide
- Schedule a free, no-obligation consultation in






















