Scrutineer.ai
All posts
Guides

How Long Does ISO 27001 Certification Take?

ISO 27001 certification takes 3 to 12 months. A phase-by-phase timeline covering scoping, the ISMS operating period, Stage 1 and Stage 2 audits, surveillance, and the 3-year recertification cycle.

By the Scrutineer team

July 2026 · 9 min read

How long does ISO 27001 certification take?

Most organizations reach ISO 27001 certification in 3 to 12 months. A small company with a narrow scope and existing security controls can finish in 3 to 6 months. Mid-market and enterprise scopes usually run 9 to 18 months. The drivers are scope size, how much of your ISMS already exists, evidence history, and certification body scheduling.

Last updated July 2026.

That range frustrates people, because "3 to 12 months" is not something you can put in a sales email when an enterprise buyer or an EU customer wants a certificate before they sign. So this guide breaks the timeline into phases you can schedule against, shows where teams lose months, and explains what the auditor looks for at each gate.

The ISO 27001 certification process, phase by phase

ISO/IEC 27001:2022 certifies a management system, not a product. You build an Information Security Management System (ISMS) against Clauses 4 to 10, select controls from Annex A, run it long enough to produce records, then an accredited certification body audits it in two stages. Here is how that maps to a calendar.

Phase What happens Typical duration
1. Scoping and gap analysis Define the ISMS boundary (which entities, systems, locations, products). Compare current practice against Clauses 4 to 10 and the 93 Annex A controls. 2 to 6 weeks
2. Risk assessment and treatment Build the risk register, agree the methodology, decide treatments, and produce the Statement of Applicability (SoA) justifying every included and excluded control. 3 to 6 weeks
3. Control implementation Write and approve policies, deploy technical controls, run security awareness training, tighten access reviews, fix supplier and asset gaps. 2 to 5 months
4. ISMS operating period Controls run and generate records. Certification bodies generally want to see roughly three months of live evidence before Stage 2, so this overlaps with phase 3. 3 months minimum
5. Internal audit and management review Both are mandatory clauses, not optional. You audit yourself, log findings, and hold a documented leadership review of the ISMS. 2 to 4 weeks
6. Certification body selection and booking Choose an accredited body, agree scope and audit days, get on their calendar. Their lead times, not yours, often set the date. 2 to 8 weeks (book in advance)
7. Stage 1 audit Documentation review. The auditor checks scope, SoA, risk method, policies, internal audit and management review records. 1 to 2 days
8. Gap between the two stages You close whatever Stage 1 surfaced. This gap must not stretch past six months or Stage 1 has to be repeated. 4 to 8 weeks
9. Stage 2 audit The certification audit. The auditor tests whether controls actually operate, through interviews, sampling, and observation. 2 to 7 days, depending on scope and headcount
10. Nonconformity closure and certificate issue Corrective actions for anything raised, then technical review by the certification body and issue of the certificate. 2 to 8 weeks

Add those up and the honest floor is about three months for a lean startup. The realistic middle for a funded B2B SaaS company is six to nine months.

What is the difference between a Stage 1 and Stage 2 ISO 27001 audit?

Stage 1 is a documentation review: the auditor confirms your ISMS exists on paper, that scope, risk methodology, Statement of Applicability, internal audit, and management review are all present and coherent. Stage 2 is the certification audit: the auditor tests whether those documented controls actually operate, using interviews, sampling, and direct observation of evidence.

Think of Stage 1 as a readiness check with consequences. It is usually short (often one or two days, frequently remote) and it produces a report of findings. If Stage 1 shows your ISMS has not been running long enough or your SoA does not line up with your risk treatment plan, the auditor will tell you to fix it before Stage 2 rather than let you fail the expensive audit.

Stage 2 is where the real scrutiny happens. The auditor samples access reviews, change records, incident tickets, supplier assessments, and training logs across the period the ISMS has been running. Empty months show up immediately. This is why the operating period matters more than the documentation sprint: you cannot backfill a quarter of access reviews the week before the audit.

How long is the gap between Stage 1 and Stage 2?

The gap is typically 4 to 8 weeks. That window exists so you can close whatever Stage 1 found and so the certification body can schedule the larger Stage 2 engagement. The gap cannot run indefinitely: if it stretches beyond about six months, most certification bodies require Stage 1 to be repeated before Stage 2 can proceed.

Can you get ISO 27001 certified in 3 months?

Yes, but only in a narrow case: a small company (roughly under 50 people), a tightly scoped ISMS, a security baseline that already exists, a dedicated internal owner, and a certification body booked before implementation finishes. Three months is a compressed timeline, not a typical one. Most companies that aim for three months land closer to six.

The reason is structural. Certain clauses cannot be compressed at all. You need an internal audit and a management review before Stage 2, and both need something to look at. You need enough operating history for the auditor to sample. And you need slots on an accredited auditor's calendar, which is the constraint most teams forget until it costs them two months.

What actually makes ISO 27001 take longer

Timelines slip for a small number of predictable reasons:

  • Scope creep. "Certify the whole company" turns a 6 month project into an 18 month one. Scope to the product, environment, and teams your customer actually cares about, and expand later.
  • Late certification body engagement. Auditor lead times are real. Teams routinely finish their ISMS and then wait weeks or months for an audit slot.
  • Evidence collected by hand. If proving a control means someone screenshotting a console every quarter, evidence rots. Auditors sample the whole period and find the holes.
  • Annex A controls with no owner. The supplier controls (A.5.19 through A.5.22) are a classic example. They require evidence that you assess and monitor suppliers on an ongoing basis, and they need real artifacts, the same discipline you would apply to tracking a supplier's certificate of insurance rather than trusting that it is still valid.
  • Major nonconformities at Stage 2. A major finding puts certification on hold until it is closed, typically within 30 to 60 days. Minor findings usually allow certification to proceed with corrective actions due in 30 to 90 days.

The pattern is the same every time: the standard is not what slows you down. Coordination and evidence gaps are. This is where ISO 27001 compliance software pays for itself, by mapping each Annex A control to the system that proves it and flagging the ones with no evidence behind them.

What changed in ISO 27001:2022?

The 2022 revision restructured Annex A from 114 controls in 14 domains down to 93 controls in four themes: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). Eleven controls were new, including threat intelligence, cloud services security, and secure coding. The 2013 version stopped being recognized by certification bodies on 31 October 2025.

If you are starting today, this is mostly good news: there is no transition to manage and only one live version to certify against. Two details still matter. The four themes are a relabeling rather than a content change, so a control mapping built for the 2013 layout stays broadly valid but needs renumbering. And Amendment 1:2024, published in February 2024, added a requirement to consider whether climate change is a relevant issue for your ISMS under Clause 4.1. Small addition, but auditors do ask.

How long is an ISO 27001 certificate valid?

An ISO 27001 certificate is valid for three years from issue. It is not a one-and-done event. You undergo surveillance audits at roughly 12 and 24 months, each reviewing a subset of your Annex A controls, and then a full recertification audit at the end of the three-year cycle that is close in depth to your original Stage 2.

This is the part teams underestimate. Certification is a subscription to a way of working, not a certificate you frame. The ISMS has to keep producing records between audits, because the surveillance auditor samples the intervening period. Teams that treat certification as a one-off project discover the cost at their first surveillance audit, when a year of missing evidence is far more expensive to explain than a quarter of it. Building continuous compliance into the way controls run is what keeps the three-year cycle boring.

Who issues the ISO 27001 certificate?

Only an accredited certification body can issue an ISO 27001 certificate. That body is itself accredited by a national accreditation authority such as ANAB in the United States or UKAS in the UK, both members of the IAF Multilateral Recognition Arrangement. No software platform, consultant, or internal team can certify you, and a certificate from an unaccredited body will not satisfy a serious enterprise buyer.

Check accreditation before you sign with an auditor. Ask which accreditation body issued their scope, and confirm ISO/IEC 27001 is on it. Enterprise procurement and EU customers do check, and an unaccredited certificate leaves you paying twice.

Shortening the timeline without cutting corners

The levers that genuinely move the date are unglamorous. Scope tightly. Book your certification body months before you think you need to. Start the operating clock early, so evidence accumulates while you are still writing policies. Run a real internal audit rather than a rubber stamp: a finding you catch yourself costs days, one the auditor catches costs weeks.

Automating evidence is the other lever. When control status is pulled continuously from your cloud, identity, and ticketing systems, the operating period generates its own audit trail and Stage 2 becomes a review rather than an excavation. If you are already pursuing SOC 2, the overlap is substantial, and our breakdown of ISO 27001 vs SOC 2 explains how to reuse one body of evidence for both.

Scrutineer maps your controls to ISO 27001, SOC 2, HIPAA, GDPR, and PCI, collects the supporting evidence automatically, flags the controls with nothing behind them, and scores vendor risk so the supplier clauses in Annex A are covered too. It gets you to a defensible state of audit readiness and keeps you there. What it does not do, and what nothing except an accredited certification body can do, is issue the certificate. The goal is simply that when the auditor arrives, there is nothing left to find. For the shortest honest path to a certificate, pair disciplined scoping with ISO 27001 compliance software and get on an auditor's calendar sooner than feels comfortable.

See Scrutineer scrutinize your posture

Connect your stack, and Scrutineer maps your controls to SOC 2, ISO 27001, HIPAA, GDPR and PCI, collects evidence automatically and returns a readiness report with per-control statuses, linked evidence and a prioritized gap list. AI scrutinizes, you decide.

Scrutinize on real evidence, not stale spreadsheets

Scrutineer maps your controls to SOC 2, ISO 27001, HIPAA, GDPR and PCI, collects evidence automatically and scores vendor risk continuously, and returns a readiness report with a prioritized gap list. AI scrutinizes, you decide.

Automated evidence · Per-control statuses · Prioritized gap list

Mapped controls · evidence-linked rationale for every status · an accredited auditor issues the attestation.