If you’re considering becoming ISO 27001 certified, one of the first questions to pop into your mind is, “How long will the process take?”
You’ve come to the right place because we’ll answer that question in detail in this blog. First, we get you set up at the starting line and set expectations for certification. Then we look at the timelines for each stage of the process, including the estimated manpower allocated to each step. We even incorporate potential speed bumps that can impact the overall timeframe and what you can do to get certified sooner.
Average Timeline to Complete ISO 27001
Embarking on ISO 27001 is a big commitment, mainly if you have never applied a security framework to your company before. With 114 security controls to account for, you’ll need to set aside adequate time for extensive scoping, preparation and documentation. As an example of the heavier lift that ISO 27001 requires, it takes about 50% to 60% more time to complete than SOC 2.
In the next section, we look at some factors that can accelerate or disrupt your ISO 27001 timeline. But first, let’s lay give you the lay of the land.
InfoSec frameworks are like fingerprints and they’re unique to your business. ISO 27001 is no exception to this rule. The timelines we’ve created best reflect companies with one physical location that have not implemented a security framework before and do not intend to invest in a consultant or compliance platform.
So, how long does ISO 27001 take? As you can see, the timeline for ISO 27001 implementation ranges from six to 18 months. But what exactly does the audit cycle look?
ISO 27001 Timeline Breakdown
The ISO 27001 certification process includes several stages and each one involves a time commitment. Remember, each step varies widely, as does the time commitment your company’s internal teams need to make.
Let’s break down the timeline for an average startup with one location and 50 employees. In this scenario, the company plans to manage the process independently, without a consultant or a compliance platform.
Readiness Stage – 6 to 10 Months
The readiness stage is the longest and most labor-intensive for a company’s internal teams.
During this stage of the certification process, you will need to appoint an implementation team, establish the scope and objectives of the information security management system (ISMS), and develop an implementation plan. You’ll also need to establish a risk assessment framework and identify, evaluate and prioritize security risks. Finally, you will need to implement a plan to address those risks and set up a process for measuring and monitoring the risk landscape over time.
Even just reading that—it’s a mouthful!
But, once this stage is complete, your teams should be ready to invite the auditor to review the documentation that supports your ISMS.
Stage 1 Documentation Audit – 1 Day
The documentation audit itself is typically quick and completed in a day. This step doesn’t require any heavy lifting by your teams but they should be available if the auditor has any questions. Having groups easily accessible to the auditor prevents any delays!
Stage 2 Certification Audit – 6-10 Days
During stage two of the audit, your auditor pays a visit. They hang out at your physical location to evaluate your operations and talk to the team. As part of the on-site audit, auditors examine your ISMS, the requirements for clauses four through 10, Annex A controls and the technical evidence associated with these controls.
This part of the process requires a lot of face time between your internal team and the auditor. The auditor’s goal is to gain clarity and confirm the security processes in place for the company’s physical security, access controls, vendors, etc.
However, due to the pandemic, this process is completed virtually. Please speak with your auditor to better understand their approach and expectations.
The auditor will be ready to issue certification at the end of this on-site visit or the virtual tour. If any non-conformities are cited, you’re required to remediate them. The auditor will evaluate their initial finding before making a certification decision.
Non-conformity Remediation – Up to 6 Months
If your auditor decides that your company has fulfilled all ISO 27001 requirements, you’ll move to stage two of the certification audit.
However, if your auditor discovers any non-conformities, you’ll have to fix them. Non-conformities are areas where your company missed a requirement. Auditors require you to address them before moving forward to the next stage of the audit. The discovery of nonconformities is not unusual! According to one cyber-risk consultant, minor nonconformities come up 50% to 75% of the time, so don’t panic.
Once in a blue moon, the audit can uncover major nonconformities, delaying the certification even further. In these cases, your company will need to develop a correction for the non-conformity and design a plan to monitor the issue regularly before the auditor moves to stage two.
Putting It All Together
The table below summarizes the timeframe for the ISO 27001 process from start to finish, based on the requirements of a smaller startup with just one physical location. As you can see, it can take as little as ten months to go from start to finish. But in the next section, we’ll look at ways to reduce that timeframe by as much as 50%.
*Additional time may be required for remediation if non-conformities are found during the audit.
Accelerating the ISO 27001 Audit Timeline
Many factors can impact the timelines for ISO 27001 certification. For example, the larger your organization and the more physical locations you have, the longer the process will take. So while our example of a small, one-location startup has an estimated timeline of about ten months, that number will change to reflect your individual needs.
But it’s also possible to reduce the time and accelerate the process to get you certified sooner, with a few best practices. Here are some of the top time-savers and timeline crunchers for ISO 27001.
Compliance initiatives that are driven primarily by employees at lower levels can take twice as long to complete. To get the executive team on board, brief them on the objectives of certification and the benefits it delivers to the organization. Be clear about the expectations of their team. Their involvement is needed at various points in the process.
A Project Champion
An ISO 27001 initiative delegated to multiple employees on an ad hoc basis can take twice as long as one that a single, experienced employee leads strategically. To accelerate the certification process, appoint a project lead with experience in project management. Set them up for success by ensuring they block time to dedicate to coordinating and managing the process.
Maybe we’re a little biased but compliance software is an ISO 27001 game changer! Automation shortens timeframes by providing preloaded, best-practice policy language, domain policies and other compliance content. Using tools saves your internal team from starting from scratch and tackling a DIY project. A platform also automates labor-intensive evidence collection tasks and keeps teams on track by issuing automated reminders for unaddressed risk. Compliance software also decreases your margin of error and reduces the chances of non-conformities.
In fact, data shows that using the Tugboat Logic reduces the compliance timeline by as much as 50%.
Set Your Initiative Up for Victory
ISO 27001 is time-intensive but certification enhances your company’s prestige globally. In addition, it helps you attract a new tier of high-profile customers and builds trust. By understanding the timelines involved for each stage and knowing how to accelerate the process, you can minimize delays and enjoy the benefits of certification sooner.
For more insights into ISO 27001 timelines, talk to one of the compliance experts at Tugboat Logic. We’ve helped hundreds of organizations across all sectors and in all stages of maturity to achieve compliance efficiently and cost-effectively.