Every ISO 27001 consultancy will sell you the same diagram. Seven nice rectangles, arrows pointing right, certification at the end. The diagram is correct. What it leaves out is everything that determines whether the project ships in nine months or nineteen. This piece is what the diagram does not tell you - what each stage actually demands, what it produces, and where teams routinely lose entire quarters to rework.
Why Most Projects Run Long
I have watched enough first-time ISO 27001 implementations to spot the pattern within the first month. The teams that ship on time are not faster - they are sequenced. They do the gap assessment before they write any policies. They map their actual data and systems before they pick controls. They get leadership signed up before they spend a single hour on documentation.
The teams that double their timeline almost always make the same mistakes. They start with policy templates downloaded from the internet, they skip the gap assessment because it "feels obvious what we need," and they discover at internal audit that half the controls need engineering changes nobody scoped. The standard is not the problem. The order of operations is.
Auditors check whether your ISMS works, not whether your policies are beautifully formatted. A team that spends six months perfecting policy wording and three weeks on actual control implementation will fail a Stage 2 audit. A team that spends three weeks on competent policy drafting and six months on real control implementation will pass it.
The Seven Stages, In Order
Gap Assessment - Measure the Distance
Before you write a single document, find out where you stand. A gap assessment compares your current state - controls in place, processes that exist, evidence already produced - against every requirement in Clauses 4 to 10 and the 93 Annex A controls. The output is not a pass/fail. It is a register of every gap, sized by effort, with an owner attached.
The temptation is to skip this stage because "we know what we're missing." You do not. In every gap assessment I have run, the team flagged five or six things they expected to find - and the assessment surfaced fifteen or twenty more. Network segmentation evidence that does not exist. Vendor due-diligence records that were never collected. A backup process that runs but has never been tested. The gaps you do not know about are the ones that cost you time at Stage 5.
Scope & ISMS Foundation
The scope statement is the single most consequential document in the entire programme. Get it wrong and the rest of the work either explodes (you scoped too broadly) or fails the audit (you scoped narrowly enough that the auditor questions whether the certificate means anything). Clause 4.3 requires you to define the boundaries of the ISMS - products, services, locations, technology, organisational units. The boundaries should match the business reality, not the consultant's preference.
This stage is also where you appoint the Information Security Manager (or equivalent), establish the security governance forum, and write the top-level Information Security Policy under Clause 5.2. The policy is short - usually under two pages - and it must be signed by leadership. Every other policy and procedure flows from it. If you are not yet clear on what an ISMS actually is, our foundation piece on what an ISMS is sets up everything that follows.
Risk Assessment & Treatment
Clauses 6.1.2 and 6.1.3 are the engine of the entire ISMS. Identify the risks to the confidentiality, integrity, and availability of information within scope. Evaluate them against your defined risk criteria. Decide a treatment for each - accept, mitigate, transfer, avoid. The output is the risk register, the risk treatment plan, and the Statement of Applicability (SoA).
The SoA is where most first-time teams stall. It is a controlled document listing every Annex A control, your decision on whether it is applicable, and the justification. If you cannot complete the SoA, you do not yet understand your risk landscape - which means Stage 4 is going to surprise you. Our walkthrough on how risk assessment works step by step covers the methodology in depth.
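The risk-to-SoA chain above is easier to see in code than in prose. The following is an added example, not the page's own material or any consultancy's tool: a small risk register scored as likelihood × impact against an assumed risk appetite, a consistency check that catches the two errors that most often show up at Stage 5 (a risk above appetite merely "accepted", and a treatment that names no control), and an SoA generated from the treatments so that any control with neither a supporting risk nor a written exclusion justification is reported as a gap. The control identifiers and titles are taken from ISO/IEC 27001:2022 Annex A as I recall them and should be checked against your copy of the standard; the risks, scores and appetite are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed risk criteria: score = likelihood x impact on 1-5 scales.
# A risk scoring at or above the appetite must be mitigated, transferred or avoided;
# below it, acceptance is a permitted treatment.
RISK_APPETITE = 10

# Subset of Annex A used for the illustration (titles paraphrased; verify against the standard).
ANNEX_A_SAMPLE = {
    "A.5.1": "Policies for information security",
    "A.5.19": "Information security in supplier relationships",
    "A.7.1": "Physical security perimeters",
    "A.8.5": "Secure authentication",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatment: str             # accept | mitigate | transfer | avoid
    controls: tuple[str, ...] = ()   # Annex A controls that implement the treatment

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed register. R-05 and R-06 are deliberately defective to show what the check catches.
RISKS = [
    Risk("R-01", "customer database", "ransomware destroys production data", 3, 5, "mitigate", ("A.8.13", "A.8.15")),
    Risk("R-02", "admin accounts", "credential stuffing on privileged logins", 4, 4, "mitigate", ("A.8.5",)),
    Risk("R-03", "payroll SaaS", "supplier breach exposes employee data", 2, 4, "mitigate", ("A.5.19",)),
    Risk("R-04", "marketing site", "defacement of static pages", 2, 2, "accept"),
    Risk("R-05", "staff laptops", "theft of unencrypted disk", 3, 4, "accept"),          # above appetite
    Risk("R-06", "backup media", "silent corruption of backups", 2, 5, "mitigate"),       # no control named
]

# Exclusions the team has justified in writing. A.5.1 is intentionally left out so it surfaces as a gap.
EXCLUSIONS = {
    "A.7.1": "No physical premises in scope; all services are cloud hosted and staff are fully remote.",
}


def validate_register(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Return human-readable problems with the register; an empty list means it is consistent."""
    problems = []
    for r in risks:
        if r.score >= appetite and r.treatment == "accept":
            problems.append(f"{r.risk_id}: score {r.score} >= appetite {appetite} but treatment is 'accept'")
        if r.treatment in ("mitigate", "transfer") and not r.controls:
            problems.append(f"{r.risk_id}: treatment '{r.treatment}' names no Annex A control")
        for c in r.controls:
            if c not in ANNEX_A_SAMPLE:
                problems.append(f"{r.risk_id}: unknown control id {c}")
    return problems


def build_soa(risks: list[Risk], catalogue: dict[str, str], exclusions: dict[str, str]) -> list[dict]:
    """One row per catalogue control: applicable (justified by the risks it treats) or not (justified by the team)."""
    treated_by: dict[str, list[str]] = {}
    for r in risks:
        for c in r.controls:
            treated_by.setdefault(c, []).append(r.risk_id)
    soa = []
    for cid, title in catalogue.items():
        if cid in treated_by:
            justification = "Treats " + ", ".join(treated_by[cid])
            soa.append({"control": cid, "title": title, "applicable": True, "justification": justification})
        else:
            soa.append({"control": cid, "title": title, "applicable": False,
                        "justification": exclusions.get(cid, "")})
    return soa


def soa_gaps(soa: list[dict]) -> list[str]:
    """Controls with no justification either way: the team has not yet decided about them."""
    return [row["control"] for row in soa if not row["justification"]]


if __name__ == "__main__":
    for p in validate_register(RISKS):
        print("register:", p)
    soa = build_soa(RISKS, ANNEX_A_SAMPLE, EXCLUSIONS)
    for row in soa:
        print(f"{row['control']:<7} {'applicable' if row['applicable'] else 'excluded':<11} {row['justification']}")
    print("SoA gaps:", soa_gaps(soa))
```

Run as written it reports the two defective risks and flags A.5.1 as the one control with no decision recorded. That is the same signal the article describes: a register that will not validate, or an SoA with blank justifications, tells you the risk picture is not yet understood, before Stage 4 does.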
Control Implementation - The Stage Everyone Underestimates
Now you actually build or adjust the controls marked applicable in the SoA. This is the longest stage by some distance - typically 12 to 18 weeks - and it is where every realistic ISO 27001 project budget gets blown. The reason is mundane. Some controls are policy-only and take a week. Others require system changes - a new logging stack, a refactored access provisioning process, a vendor-management tool, MFA enforcement on systems that previously did not have it. Those are quarterly projects in themselves.
Sequence inside this stage matters too. Build the foundational controls first - access control, asset management, logging, backups. They feed evidence into every other control. Build the human controls next - security awareness training, onboarding/offboarding, incident response. The supplier controls and physical controls usually come last because they depend on the foundations being in place. The full list of 93 controls and what each one means is broken down in ISO 27001 Annex A controls explained simply.
Internal Audit & Management Review
Clause 9.2 requires you to run an internal audit covering the entire ISMS before you bring an external auditor anywhere near it. The internal audit is run by someone independent of the area being audited - either an internal auditor trained for the role, or a consultant. The audit covers Clauses 4 through 10 and every applicable Annex A control. It produces findings, which the team then closes through corrective action.
Clause 9.3 then requires a management review - a leadership-level meeting that examines internal audit results, risk landscape changes, control effectiveness, and resource needs. The output is a documented set of decisions and improvement actions. This is the stage that turns a paper ISMS into an operational one. Skipping it produces a Stage 1 audit that fails.
Stage 1 External Audit
The certification body sends an external auditor to run a documentation review and readiness check. The Stage 1 auditor evaluates whether your ISMS is designed correctly, whether all mandatory documents exist, whether scope is reasonable, and whether the system looks ready for operational testing in Stage 2. The audit typically lasts one to three days, depending on scope.
Stage 1 produces three categories of finding - Major nonconformities (which must be closed before Stage 2 can proceed), Minor nonconformities (which must be closed during or shortly after Stage 2), and Observations (improvement suggestions). A clean Stage 1 with only minor findings is normal. Going into Stage 1 with major findings means Stage 2 gets pushed back, and so does the certificate.
Stage 2 Audit & Certification
The Stage 2 auditor typically spends three to ten days (depending on organisation size) evaluating whether the ISMS actually operates as documented. This is evidence sampling, control testing, employee interviews, walkthroughs of incident response plans, examination of access reviews, scrutiny of vendor management records. The auditor is checking whether the system is alive, not whether the documents look polished.
If the audit closes successfully - major findings closed, minor findings on a remediation plan - the certification body issues your ISO 27001 certificate. Validity is three years. Surveillance audits run in years 1 and 2 (smaller scope), and a full recertification audit happens in year 3. The certificate goes on your website, in your sales decks, and most importantly in your security questionnaire responses.
Life After the Certificate
The work does not stop on certification day. The ISMS has to keep running, evolving, and improving. Surveillance audits in years 1 and 2 typically focus on changes since the last audit, the effectiveness of corrective actions, and a sample of operational controls. They are smaller than Stage 2 but they expect the ISMS to still be functioning, not frozen at the snapshot from certification.
Year 3 brings the recertification audit - essentially a full Stage 2 again. Teams that maintained the ISMS continuously sail through; teams that let it slip after the initial certificate find themselves running a mini-implementation just to recertify. The companies that capture the most real business value from ISO 27001 are the ones that treat the ISMS as ongoing infrastructure, not a 12-month project that ends.
Realistic Cost & Time Budget
The cost question gets dodged on almost every consultancy website because the honest answer is uncomfortable - "it depends, mostly on your scope." Here is the breakdown that holds up across the dozens of implementations I have seen first-hand.
| Cost Component | Small SMB (under 50 staff) | Mid-Sized (50–250 staff) |
|---|---|---|
| Internal time (FTE-equivalent) | 0.4–0.6 FTE × 9–12 months | 0.8–1.2 FTE × 12 months |
| Consultant fees (optional) | $8K–$25K | $25K–$60K |
| Certification body - Stage 1 + 2 | $7K–$12K | $15K–$25K |
| Tooling (GRC platform, training) | $3K–$8K / year | $10K–$30K / year |
| Surveillance audit (years 1, 2) | $3K–$5K each | $6K–$12K each |
| Total Year 1 | $18K–$50K + internal time | $50K–$115K + internal time |
The internal time is the bigger expense, and it is rarely budgeted explicitly. A 0.6 FTE for 9 months is roughly half a senior security person's working year. Treat it as a real line item, not a "we'll fit it in around BAU" assumption - the projects that fail are usually the ones where the internal owner was supposed to do this on top of their day job.
Where Teams Burn Months
Across the implementations I have seen, the same five failure points recur. If you sequence around them, you eliminate two-thirds of the rework that consumes most of the buffer.
Common Failures
- Skipping the gap assessment - discovers gaps at internal audit instead
- Scope set by ambition, not reality - controls cannot be evidenced for half the scope
- Policies before risk assessment - policies need to be re-written when risk treatment changes
- Underestimating Stage 4 - engineering changes scoped at 4 weeks become 14
- Internal audit run by the implementer - independence requirement fails Stage 1
What Works
- Gap assessment first, every time, even if "obvious"
- Scope matches what you can evidence today
- Risk assessment drives policy content, not the other way around
- Stage 4 budgeted at 12+ weeks with engineering involved early
- Independent internal auditor - different person, ideally different reporting line
The 14-Month Implementation That Should Have Been 9
A B2B SaaS company we worked with started their ISO 27001 programme with a downloaded policy pack, three weeks of furious documentation, and a target audit date five months out. By month four they were ahead of schedule on paper. By month six they were two months behind reality.
The gap surfaced when the internal auditor (correctly) refused to sign off because backup testing had never been performed, vendor management was a spreadsheet that had not been updated in seven months, and the access review process did not yet exist. Three months of additional work followed - building the missing controls, generating evidence, re-running the internal audit. They certified at month 14. A proper gap assessment in week one would have surfaced the same issues, on a longer but less stressful timeline. The certificate was identical. The project cost was nearly double.
Final Thought
ISO 27001 is one of the few compliance programmes that genuinely improves the organisation if it is implemented seriously. The risk assessment forces a conversation about what actually matters. The control implementation surfaces the gaps that a breach would otherwise expose. The internal audit habit becomes the muscle that catches problems early. The certificate is the visible outcome - but the real value is the operating discipline the programme installs.
The teams that get there in nine months and the teams that get there in nineteen are not separated by skill. They are separated by sequence. Run the gap assessment first. Let the risk assessment drive the policy. Budget Stage 4 honestly. Run an independent internal audit. The diagram is the same. The execution is what makes the difference. If you are deciding whether your business needs ISO 27001 at all, our six-trigger self-assessment guide is the right place to start.
Frequently Asked Questions
A focused team with engaged leadership typically takes 9-12 months from gap assessment to certification. Smaller organisations with simpler scope can compress to 6-8 months. The most common failure pattern is underestimating control implementation (Stage 4) - teams budget 6 weeks and end up needing 12-16 because of system changes nobody anticipated.
Stage 1 is a documentation review - the auditor checks whether the ISMS is designed correctly, whether mandatory documents exist, and whether the organisation is ready for Stage 2. Stage 2 is operational - the auditor evaluates whether the ISMS is actually working through evidence sampling, control testing, and interviews. Stage 1 finds gaps; Stage 2 finds whether the system runs.
Total cost ranges from roughly $15,000 to over $100,000 depending on scope, organisation size, and consultant involvement. The certification body audit typically costs $7,000-$25,000 for SMBs. Internal time is usually the larger expense - expect 0.5-1 FTE equivalent for 9-12 months. Surveillance audits in years 2 and 3 add roughly 30-50% of initial certification cost annually.
Not strictly required, but most first-time implementations benefit from one. The standard is detailed, the Annex A controls require interpretation, and an experienced consultant prevents the common rework that comes from misreading requirements. The pragmatic split is consultant-led for the first certification and internal team for surveillance and recertification cycles.
Certification is valid for three years. Surveillance audits happen in years 1 and 2 (smaller scope, focused on changes and effectiveness), and a full recertification audit happens in year 3. Between audits, the ISMS must continue to operate - internal audits annually, management reviews, ongoing risk treatment, and corrective action when issues surface.
Yes, and many organisations do. The control overlap between ISO 27001 Annex A and SOC 2 Trust Services Criteria is roughly 70-80% - meaning the bulk of the implementation work serves both. The differences are mostly structural (ISO 27001 needs an ISMS and Statement of Applicability; SOC 2 needs a defined system description and trust services criteria mapping). Our breakdown of ISO 27001 vs SOC 2 vs GDPR covers the differences.
Lack of operational evidence. The ISMS exists on paper - policies are written, controls are listed in the SoA - but the day-to-day records that prove the system actually runs are missing. Backup tests not performed, access reviews not documented, vendor risk assessments not completed, incident response plans not exercised. Auditors do not fail organisations for paperwork errors. They fail organisations whose ISMS turns out to be a binder rather than a working system.
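The failure mode described in this answer (and in the case study above: backups never restore-tested, a vendor register untouched for months) is a question of evidence cadence, and it can be checked before the auditor does. The following is an added example, not the page's own material or any GRC product's code: a constructed evidence log is compared against an assumed cadence per operational control, and anything missing or older than its window is listed as a finding. The control names, cadence values, dates and artefact references are all illustrative.

```python
from datetime import date

# Assumed cadence (in days) per operational control; your ISMS documents the real values.
CADENCE_DAYS = {
    "backup-restore-test": 90,
    "access-review": 90,
    "vendor-risk-assessment": 365,
    "incident-response-exercise": 365,
    "management-review": 365,
}

# Constructed evidence log: (control, date the evidence was produced, artefact reference).
# Note there is no entry at all for the incident-response exercise.
EVIDENCE = [
    ("backup-restore-test", date(2024, 1, 15), "restore-ticket-4411"),
    ("access-review", date(2024, 2, 1), "iam-review-2024Q1.xlsx"),
    ("access-review", date(2024, 5, 2), "iam-review-2024Q2.xlsx"),
    ("vendor-risk-assessment", date(2023, 10, 20), "vendor-register.xlsx"),
    ("management-review", date(2024, 3, 30), "mr-minutes-2024-03.pdf"),
]

# Assumed review date for the illustration.
AS_OF = date(2024, 6, 1)


def evidence_status(evidence, cadence, today):
    """Map each control with a cadence to 'current', 'missing', or 'stale (<age> days old)'
    based on the newest artefact recorded for it."""
    latest = {}
    for control, produced, ref in evidence:
        if control not in latest or produced > latest[control][0]:
            latest[control] = (produced, ref)
    report = {}
    for control, max_age in cadence.items():
        if control not in latest:
            report[control] = "missing"
            continue
        produced, _ref = latest[control]
        age = (today - produced).days
        report[control] = "current" if age <= max_age else f"stale ({age} days old)"
    return report


def audit_findings(report):
    """Controls an internal auditor would raise: no evidence, or evidence outside its cadence."""
    return sorted(control for control, status in report.items() if status != "current")


def run_check(today=AS_OF):
    report = evidence_status(EVIDENCE, CADENCE_DAYS, today)
    return report, audit_findings(report)


if __name__ == "__main__":
    report, findings = run_check()
    for control, status in report.items():
        print(f"{control:<28} {status}")
    print("findings:", findings)
```

With the constructed data the backup restore test is 138 days old against a 90-day window and the incident-response exercise has no evidence at all, so both come back as findings while the quarterly access review (newest artefact 30 days old) is current. Running a check like this monthly is the cheap version of the independent internal audit: it does not replace it, but it means the auditor finds a working system rather than the binder.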