Can you really achieve ISO 27001 certification in 90 days? The honest answer — plus what actually determines how long it takes.

It's a question that comes up constantly. A contract has been won, a client is asking, or a board has set a deadline — and suddenly ISO 27001 needs to happen fast. So is 90 days realistic, or is it wishful thinking?

The honest answer is: it depends. But more organisations achieve it in that timeframe than you might expect, and the variables that determine success are mostly within your control.

What ISO 27001 actually requires

ISO 27001 is a management system standard. It requires you to establish, implement, maintain and continually improve an Information Security Management System — an ISMS. That means documented policies, a risk assessment, a risk treatment plan, a set of controls drawn from Annex A, an internal audit, and a management review — all before your external audit.

The external audit itself has two stages. Stage 1 is a documentation review where the auditor checks your ISMS is properly designed. Stage 2 is the implementation audit where they verify it's actually working. Most certification bodies require at least a few weeks between the two stages.

The honest timeline

For most small to mid-sized organisations starting from scratch, a realistic timeline looks something like this. Weeks one to four cover scoping, gap analysis, and writing the core policies and procedures. Weeks five to eight cover implementing controls, building the risk register, and collecting initial evidence. Weeks nine to twelve cover the internal audit, management review, and Stage 1 external audit. Certification typically follows four to eight weeks after a successful Stage 2.

That puts full certification at around four to five months for most organisations. Getting to Stage 1 in 90 days is achievable. Getting the certificate in hand within 90 days is tight but not impossible if you start in a strong position.

What actually determines how fast you can go

The biggest variable is how much you already have in place. An organisation that already has some security policies, a basic risk register, and decent technical controls can move much faster than one starting from zero.

The second biggest variable is internal resource. ISO 27001 requires someone to own it. If your project lead is doing it alongside a full-time job, progress will be slower than if they have dedicated time.

The third variable is tooling. Managing ISO 27001 on spreadsheets adds significant overhead — tracking 93 controls, maintaining evidence, managing the risk register, and preparing for audit all become manual exercises that eat time. Organisations that use a dedicated compliance platform consistently move faster because the administrative burden is dramatically lower.

What you can do right now

Whether your deadline is 90 days or twelve months, the first step is always the same — understand where you currently stand against the standard. A gap analysis tells you how much work is actually ahead of you, which is the only reliable way to set a realistic timeline.

If you want to get started, our free ISO 27001 Annex A controls checklist maps all 93 controls and lets you track your current status against each one. Download it, work through it honestly, and you'll have a clear picture of what 90 days would actually require for your organisation.