Action in the taxi: Check out this awesome landing page!

Implementation

How long does an ISO 27001 implementation take? A realistic timeline for your organization

Information Security
ISO 27001
Duur
Tijd

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

"6 to 18 months." That's the answer you usually find online. But as a business owner or IT manager, that gives you nothing to plan with. Whether your project ultimately takes 6 or 18 months simply depends on two things: how large and complex your organization is, and how much you already have in order. In this blog, we'll clearly outline the planning for you.

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

This article was last updated on
07.07.2026
Written by
Henry
Dwars
Account Executive

The four phases of an ISO 27001 process

Every process follows a set of steps. However, the focus and time required for each phase shift as your organization becomes larger or more complex.

 

Phase 1: The Analysis

You assess your current situation. At Fendix, we use a GAP analysis to determine if the Harmonized Structure is already sufficient, which of the 93 controls (the so-called Annex A controls) you already use, and what is still missing. You also define the exact scope of your certification, conduct an initial risk analysis, and assemble the project team.

 

  • Duration: 4 to 10 weeks.

Phase 2: The Design

Now you start writing the policy. You draw up the Statement of Applicability (SoA), describe the necessary procedures, and determine how you will concretely implement the measures in practice.

 

  • Duration: 4 to 12 weeks.

Phase 3: The Implementation

This is the phase where the real work happens and which requires the most effort. You implement the technical and organizational measures, train your colleagues (security awareness), and set up monitoring. You are also required to conduct at least one internal audit and a management review. Without these two steps, an external auditor will never issue a certificate.

 

  • Duration: 8 to 24 weeks.

Phase 4: The Certification Audit

The external auditor will audit your organization. This happens in two parts: phase 1 and phase 2. Phase 1 is a review of your documentation, and phase 2 is the actual practical assessment of your ISMS (Information Security Management System). There is usually a 4 to 8 week period between these two audits to resolve any outstanding issues.

Tip: Certification bodies often have full schedules and plan 3 to 6 months in advance. Therefore, book your audit days right at the start of the process.

 

  • Lead time: 4 to 8 weeks (from phase 1 to the final issuance of your certificate).

What is the total lead time for your organization?

If we add up the phases, you'll arrive at a total lead time of 5 to 13 months. This overview shows where you fit in:

The complexity of an organization is related to various factors, such as:

  • The number of different processes and rules.
  • The number of diverse stakeholders.
  • The number of different functions.

Consider organizations in healthcare, government, and educational institutions.

A too-tight schedule leads to stress, rushed work, and errors during the audit, while a too-loose schedule causes the project to stall and lose focus. Therefore, be realistic about your starting point from the beginning.

How much time will this cost your own team?

A project also requires internal hours from your organization:

  • SME / Small organization: Expect 4 to 8 hours per week for the project leader and 2 to 4 hours per month for management. During the implementation phase, this may temporarily increase.
  • Large / Complex organization: The project leader will easily dedicate 16 to 24 hours per week to this. Additionally, we recommend establishing a permanent steering committee with management.

Two case studies from Fendix clients

Nedscaper: Achieving ISO 9001 and ISO 27001 certification in 12 weeks

Nedscaper is a cloud organization with a compact scope. Their GDPR matters were already well-managed, and the team was highly motivated. By working on policy and implementation simultaneously, and by engaging smart assistance for the internal audit, they were ready for the final audit within 12 weeks. However, this is an exception. Without this specific, strong starting position and focus, this pace is not achievable for most organizations.

Heras: Certified within one year

Heras is an industrial company with multiple branches and a complex IT environment (partly managed in-house, partly outsourced). A one-year project here was a tight but realistic plan. The implementation phase, in particular, took the most time, which is logical for an organization with multiple locations.

 

The common denominator? Both organizations were successful because they had chosen a clear scope beforehand, appointed a single clear project owner, and had management closely involved.

Three ways to accelerate your project

  1. Avoid an unnecessarily broad scope: start with your most important core processes and expand later. A compact scope can accelerate your project by 30% to 40%. Please note: check in advance whether your clients or certain tenders do not directly require a broad scope.
  2. Work in parallel, not sequentially: you don't have to wait until your policy is fully documented before you start implementing measures. These steps can easily run simultaneously.
  3. Leverage expertise for the heavy lifting: an external partner immediately provides the right structure and handles the documentation. This saves your own team weeks of research.

Frequently asked questions

What about the NIS2 deadline?

The Dutch Cybersecurity Act (Cbw), which stems from the NIS2 directive, is expected to come into effect on July 1, 2026. An ISO 27001 certificate is not legally mandatory, but it is a recognized way to demonstrate compliance with your duty of care. If you need to comply with this, a 9 to 12-month trajectory is achievable, provided you start now.

Can it really not be done in 3 months?

Only if you already have a fully functional management system in place, choose a narrow scope, and have an experienced team ready (as in the Nedscaper case). For most organizations, this is not realistic, but it is possible.

How long does the final audit itself take?

For SMEs, the audit (Phase 1 and Phase 2 combined) usually takes 2 to 4 days. For larger organizations with multiple locations, it can easily take a week or longer.

Want to determine your own timeline?

A thorough GAP analysis is the best first step. Within half a day, we map out exactly where you stand in relation to the standard. This provides you with a concrete step-by-step plan with clear deadlines tailored to your situation.

Want to know more or get an accurate estimate?

Heading 1

Heading 2

Heading 3

Heading 4

Heading 5
Heading 6

Lorem ipsum by sit amet, consectetur adipiscing elit, sed do eusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Dis aute irure door in reprehenderit in voluptate velit se cillum dolore eu fugiat nulla pariatur.

Block quote

Ordered list

  1. Item 1
  2. Item 2
  3. Item 3

Unordered list

  • Item A
  • Item B
  • Item C

Text link

Bold text

Emphasis

Superscript

Subscript

How many people participate?

Request now

Thanks!
Oops! The form could not be submitted. Please try again.

More resources

Information Security

NIS2 Executive training

thru
Wouter
Training
News

Good news: Fendix is now allowed to perform NIS2 Supply Chain audits!

thru
Kilian
Blog
Partners

New collaboration due to NIS2: Fendix x Together Digitally Safe

thru
Gijs
Blog