ISO 27001 Certification Timeline: How Long to Your UKAS Certificate?
Get a phase-by-phase schedule with milestone dates based on your size, security maturity, prior certifications, and implementation approach.
How This ISO 27001 Timeline Estimator Works
The estimator splits your ISO 27001 program into six phases: gap analysis, ISMS design and Statement of Applicability, implementation and remediation, internal audit and management review, Stage 1 documentation review, and Stage 2 plus certificate issuance. Phase length adjusts for company size, current security maturity, prior certifications, and whether you run the program manually, with a consultant, or on a compliance platform. The output is a Gantt-style view with milestone dates, a total-weeks figure, and a clear picture of where the work concentrates.
The Six Phases in Detail
| Phase | Week range | What happens |
|---|---|---|
| Gap analysis | 2 – 4 | Map current state vs Clauses 4-10 and Annex A 2022 |
| ISMS design | 3 – 6 | Scope, RoPA, risk methodology, policies, SoA |
| Implementation | 6 – 16 | Controls, evidence, training; the phase with the biggest variance |
| Internal audit + mgmt review | 2 – 3 | Required by Clauses 9.2 and 9.3 |
| Stage 1 audit | 1 | Documentation review by certification body |
| Gap to Stage 2 | 4 – 6 | Remediate Stage 1 findings |
| Stage 2 audit | 1 – 2 | Evidence and on-site review |
End to end, first-time programs run 3 to 12 months. SMEs with prior framework experience and a platform reach Stage 2 in around 90 days. First-time enterprises starting cold usually need 9 to 12 months because ISMS design, control implementation, internal audit, and management review all sit on the critical path.
What Drives the Timeline Up or Down
- Starting maturity: Companies with documented policies, MFA, and centralized logging can compress gap analysis and implementation by 4 to 8 weeks. Cold starts spend the full implementation window.
- Prior certification: SOC 2 evidence directly satisfies many Annex A controls. Other ISO standards share Annex SL Clauses 4 to 10. Either typically compresses ISO 27001 by 30 to 50 percent.
- Implementation approach: Manual spreadsheets are slowest. Consultants move faster but introduce handoffs. Platforms automate evidence collection and policy templates and are typically the fastest path.
- Certification body availability: Auditor scarcity is real in 2026. Booking Stage 1 with brand-name CBs (BSI, LRQA, DNV) often adds 4 to 8 weeks of calendar time.
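A worked schedule builder, added here as an example and not Hicomply's estimator: it applies the table's week ranges and the four drivers above to one company profile and produces milestone dates. How each driver maps to weeks is an assumption (approach picks a point within each range, a mature baseline removes 4 weeks from gap analysis and implementation, prior certification takes 30 percent off the pre-audit phases, and CB booking delay is added before Stage 1).

```python
from datetime import date, timedelta
import math

# Base phase ranges in weeks, taken from the table above: (name, min, max).
PHASES = [
    ("Gap analysis", 2, 4),
    ("ISMS design + SoA", 3, 6),
    ("Implementation", 6, 16),
    ("Internal audit + mgmt review", 2, 3),
    ("Stage 1 audit", 1, 1),
    ("Gap to Stage 2", 4, 6),
    ("Stage 2 audit", 1, 2),
]
# Assumed mapping of implementation approach to a position within each range.
APPROACH_POSITION = {"platform": 0.0, "consultant": 0.5, "manual": 1.0}
# Phases that prior-framework evidence can shorten (assumed; audit phases are set by the CB).
REUSABLE = {"Gap analysis", "ISMS design + SoA", "Implementation", "Internal audit + mgmt review"}


def estimate(start_iso, maturity, prior_cert, approach, cb_wait_weeks=0):
    """Return [(phase, weeks, start_date, end_date)] for one company profile."""
    pos = APPROACH_POSITION[approach]
    weeks = {name: lo + (hi - lo) * pos for name, lo, hi in PHASES}
    if maturity == "mature":
        # Page: 4 to 8 weeks off gap analysis + implementation; assume 4, split 1 + 3.
        weeks["Gap analysis"] = max(1, weeks["Gap analysis"] - 1)
        weeks["Implementation"] = max(1, weeks["Implementation"] - 3)
    if prior_cert:
        # Page: 30 to 50 percent compression; assume the conservative 30 percent.
        for name in REUSABLE:
            weeks[name] *= 0.7
    # Page: CB booking delay adds 4 to 8 calendar weeks before Stage 1.
    weeks["Stage 1 audit"] += cb_wait_weeks
    schedule, cursor = [], date.fromisoformat(start_iso)
    for name, _, _ in PHASES:
        w = math.ceil(weeks[name])          # round each phase up to whole weeks
        end = cursor + timedelta(weeks=w)
        schedule.append((name, w, cursor, end))
        cursor = end
    return schedule


def total_weeks(schedule):
    return sum(w for _, w, _, _ in schedule)


if __name__ == "__main__":
    # Constructed profile: SME, mature baseline, prior SOC 2, platform, no CB delay.
    plan = estimate("2026-01-05", "mature", True, "platform")
    for name, w, s, e in plan:
        print(f"{name:<30} {w:>2}w  {s} -> {e}  {'#' * w}")
    print("Total weeks:", total_weeks(plan))
```

The constructed SME profile lands at 15 weeks, inside the 3 to 4 months the page gives for that profile; a cold-start manual program with an 8-week CB delay lands at 46 weeks.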
Realistic Timelines by Company Profile
The same 6-phase template plays out differently depending on starting profile. SMEs under 50 staff with prior SOC 2 and a platform typically run 3 to 4 months. Mid-market 50 to 250 staff with no prior framework and manual evidence work usually run 6 to 9 months. First-time enterprises above 250 staff with complex multi-region operations regularly land at 9 to 12 months because internal audit, management review, and risk treatment all scale with headcount and entity count. Booking Stage 1 with a tight calendar often pulls the whole timeline forward, so locking the audit slot early is one of the highest-impact moves in any program.
The Critical Path Most Teams Miss
Companies plan their timeline backward from the Stage 2 audit and skip the unglamorous middle. Two phases consistently slip and pull the whole program with them. First, internal audit and management review under Clauses 9.2 and 9.3. These are required, they cannot be skipped, and they typically add 2 to 3 weeks even when everything else is in place. Second, the gap between Stage 1 and Stage 2. Certification bodies typically allow 4 to 6 weeks for you to remediate Stage 1 findings. The gap can extend if findings are major. Hicomply compresses this with continuous control monitoring across 75+ integrations, so most findings are caught long before the auditor flags them. The six-step certification path walks through how the phases connect.
Compressing Your Timeline
Three legitimate ways exist to move faster. First, reuse evidence from a prior framework. Companies with a prior SOC 2 program typically see a 30 to 50 percent compression on ISO 27001 because risk methodology, supplier management, and incident response are already in place. Second, automate evidence collection. Manual evidence pulls during implementation can add 4 to 8 weeks; continuous monitoring removes that drag entirely. Third, run internal audit early. Most teams schedule internal audit just before Stage 1, which leaves no buffer to remediate findings. Running it 6 to 8 weeks earlier shifts the safety margin where it actually matters.
Hicomply plans start from £6,995 per year with unlimited users. The platform covers SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA/CPRA, NIST CSF, SOX IT controls, Cyber Essentials, and TX-RAMP. Organizations using the platform are typically audit-ready in 8 to 12 weeks. Pair this estimator with the cost calculator and the readiness assessment to size your full program. Book a demo when you are ready to lock in a target Stage 2 date.
Frequently Asked Questions
How long does ISO 27001 certification take?
Most programs run 3 to 12 months end to end. SMEs with a compliance platform and an existing security baseline typically reach certification in around 90 days. First-time enterprises starting from scratch usually need 9 to 12 months because ISMS design, control implementation, internal audit, and management review must complete before Stage 1 begins.
What are the phases of ISO 27001 certification?
The six phases are gap analysis, ISMS design and Statement of Applicability, implementation and remediation, internal audit and management review, Stage 1 documentation review, and Stage 2 with certificate issuance. Most teams underestimate the time required for internal audit and management review under Clauses 9.2 and 9.3, which usually adds 2 to 3 weeks.
Can prior SOC 2 or ISO 9001 speed up ISO 27001?
Yes. Prior framework experience typically compresses ISO 27001 by 30 to 50 percent because risk methodology, supplier management, and incident response are already in place. SOC 2 evidence directly reuses for ISO 27001 in many cases, and other ISO standards share the Annex SL management system clauses, which means most of Clauses 4 to 10 transfer.
How long is the gap between Stage 1 and Stage 2?
Certification bodies typically allow 4 to 6 weeks between the two audits to remediate Stage 1 findings. The gap can extend if findings are major, which is why most teams aim to enter Stage 1 with documentation already polished. A platform with continuous monitoring usually surfaces issues before the auditor does.
Does Hicomply guarantee a 90-day ISO 27001 timeline?
Hicomply does not guarantee any specific timeline because outcomes depend on your starting maturity, scope, and certification body availability. That said, organizations using Hicomply are typically audit-ready in 8 to 12 weeks. Plans start from £6,995 per year with unlimited users, with automated evidence and policy templates that compress the longest phases of the program.