The three phases of the timeline
Build (2 to 5 months): scope definition, risk assessment, Statement of Applicability, implementing the controls you selected, and writing the policies your operation actually needs. Operate (2 to 3 months minimum): the system must run and produce records: access reviews performed, incidents handled, changes managed, plus the mandatory internal audit and management review. Auditors need evidence of operation, not intentions. Certify (1 to 2 months): Stage 1 readiness review, gap fixes, Stage 2, closure of any findings, certification decision.
What compresses the timeline
- Cloud-native, single-product scope. Fewer assets, standardized infrastructure, controls partially inherited from cloud providers (with evidence still required for your side of the shared responsibility line).
- An empowered internal owner. One person with real authority and allocated hours beats any consultant-driven project where decisions queue.
- Compliance automation, used honestly. Platforms accelerate evidence collection and control monitoring for cloud stacks. They do not perform your risk assessment, your internal audit, or your management review, and auditors increasingly probe whether the organization understands its own ISMS or just its dashboard.
What stretches it
Broad scopes with offices and on-premise infrastructure, first-time risk assessment across many asset types, legal and customer contract reviews for security obligations, supplier due diligence gaps, and above all part-time ownership. Security programs led by whoever had spare time reliably take twice as long.
The two-week certificate question
Offers of ISO 27001 certification in days or weeks come from unaccredited mills. The buyers who require ISO 27001 (enterprise security teams, regulated industries) verify certification body accreditation as a standard step. A fast fake fails at exactly the deal it was bought to win; a real certificate in 5 months closes deals for three years.