Lumina Risk Advisory

How long does ISO 27001 certification actually take?

April 2026  ·  7 min read  ·  Lumina Risk Advisory

The standard answer you'll find online is "4–12 months." That range is so wide it's almost useless for planning. Here's the honest breakdown of what actually determines your timeline — and what you can do to move faster.

The five variables that determine your timeline

01. Your starting point

An organization with documented security policies, an existing asset inventory, and some prior audit experience can move through implementation in 10–16 weeks. An organization with nothing documented and no prior audit exposure typically needs 20–28 weeks. The gap assessment in week one will tell you exactly where you sit.

02. How many Annex A controls apply

ISO 27001:2022 has 93 controls across 4 themes. Most organizations have 75–88 applicable controls after exclusions. The more controls that apply (especially physical controls, cryptography, and supplier security), the more implementation work exists. Exclusions must be defensible — "we don't have physical premises" works; "we decided not to do access reviews" doesn't.

03. Internal team bandwidth

Implementation requires time from your IT, engineering, HR, and management teams — not just the advisor. Evidence gathering for access controls requires IT. Policy approvals require management. Asset inventory requires engineering. If your team is heads-down in a product sprint, implementation slows. The fastest implementations have a dedicated internal owner spending 5–10 hours per week.

04. Certification body scheduling

Stage 1 (documentation review) and Stage 2 (implementation audit) both require scheduled time with your chosen certification body. Lead times are typically 4–8 weeks for a Stage 1 booking and 6–12 weeks for Stage 2. Factor this into your planning — you cannot rush a certification body's calendar.

05. Whether you're on ISO 27001:2022

If you're upgrading from ISO 27001:2013, the transition to 2022 involves mapping the 14-domain Annex A structure to the new 4-theme structure, implementing the 11 new controls, and updating your Statement of Applicability (SoA). This adds 4–8 weeks compared to a fresh implementation. The 2013 standard is no longer valid after October 2025.

Realistic timeline scenarios

Fast track (strong starting point, dedicated bandwidth): 4–5 months

Existing security program, dedicated internal owner, straightforward scope, fast certification body scheduling.

Typical (moderate starting point, shared bandwidth): 5–7 months

Some policies in place, IT team splits its attention, ~80 applicable controls. Most of our clients fall here.

Standard (minimal starting point): 7–9 months

Little existing documentation, significant policy writing required, larger scope.

2013→2022 transition: add 4–8 weeks

On top of any of the above, depending on how well your 2013 SoA was maintained.

What actually slows implementations down

In our experience, the most common causes of timeline slippage are:

  • Asset inventory taking 3–4x longer than expected — especially in cloud-heavy environments with sprawling SaaS tooling
  • Management approval cycles for policies — getting VP and C-suite sign-off on 30+ policies requires planning lead time
  • Supplier security questionnaire backlog — ISO 27001 requires assessing your key suppliers' security posture
  • Stage 2 scheduling gaps with the certification body — book early, don't wait until implementation is complete
  • Scope creep — adding systems or Annex A controls after the gap assessment because "we should probably include that"

How to move faster

  • Start the gap assessment immediately — this defines your actual scope and eliminates guesswork from planning
  • Book your certification body Stage 1 appointment in the first two weeks of implementation, not after implementation is done
  • Assign a dedicated internal owner with real hours allocated — not a "plus one" added to someone's existing full-time role
  • Decide your exclusions early — Annex A exclusions that slip into implementation late create SoA rework
  • Use a policy template library rather than authoring from scratch — policies written from scratch take 3–4x longer to draft and approve

Want a specific timeline for your situation? The gap assessment is always the first step — and it tells you exactly where you are and how long it'll take to get to Stage 2. Book a scoping call to start.
