The short answer
For most IT companies going through ISO 27001 the first time, plan for 9 to 12 months on the traditional path. Well-prepared teams with dedicated resources can hit 6 to 9 months. With a compliance automation platform, the pre-audit readiness work typically compresses to 8 to 16 weeks, though the certification audit itself still follows its own timeline.
Here is a side-by-side view of the two paths:
| Phase | Traditional approach | With automation platform |
|---|---|---|
| Gap analysis | 3 to 6 weeks | 1 to 2 weeks |
| ISMS documentation and SoA | 8 to 14 weeks | 3 to 5 weeks |
| Control implementation and evidence collection | 8 to 16 weeks | 4 to 8 weeks |
| Internal audit and management review | 3 to 5 weeks | 2 to 3 weeks |
| Stage 1 audit (documentation review) | 1 to 2 weeks | 1 to 2 weeks |
| Remediation window between Stage 1 and Stage 2 | 4 to 8 weeks | 4 to 8 weeks |
| Stage 2 audit (on-site or remote) | 1 to 2 weeks | 1 to 2 weeks |
| Total to certificate | 6 to 12 months | 4 to 7 months |
One thing automation does not change: Stage 1 and Stage 2 audits happen on the certification body's schedule, not yours. Even after you finish all internal work, you are waiting on auditor availability, which often adds 4 to 8 weeks between stages.
The 4 phases in detail
Phase 1: gap analysis (weeks 1 to 6)
Before writing a single policy, you need to know where you stand. A gap analysis maps your current security controls against ISO 27001:2022 Annex A (93 controls across four categories: organizational, people, physical, and technological).
The output is a prioritized list of gaps. Some will be quick wins, like enabling MFA or formalizing an existing process. Others, like building a formal supplier security review process from scratch, take real work.
Teams that skip this phase or do it superficially pay later. They start writing policies and halfway through discover whole control areas they missed.
Phase 2: ISMS documentation and Statement of Applicability (weeks 4 to 18)
This is where most timeline slippage happens.
ISO 27001 requires a documented Information Security Management System. At minimum that means an information security policy (top-level), a scope document defining what is in scope for the ISMS, a risk assessment methodology with results, a risk treatment plan, a Statement of Applicability, and documented objectives with measurement criteria.
The Statement of Applicability lists all 93 Annex A controls, states whether each applies to your organization, and justifies any exclusions. It sounds mechanical but it is not. Each exclusion has to survive auditor scrutiny. Writing a defensible SoA for the first time typically takes 2 to 4 weeks even for experienced compliance teams.
Add 12 to 20 supporting policies (access control, cryptography, incident response, business continuity, supplier relationships, and more), and you are looking at the largest documentation burden in any compliance framework.
Phase 3: control implementation and evidence collection (weeks 8 to 24)
Documentation says what you do. Evidence proves you are doing it.
The controls that consume the most implementation time are asset management (building and maintaining an accurate inventory of information assets), supplier security (reviewing and documenting security requirements for vendors who process your data), human resources security (background checks, onboarding and offboarding checklists, security awareness training records), vulnerability management (setting up a regular scanning and patching cadence and documenting results), and access reviews (periodic reviews of who has access to what, documented and signed off).
For a 30 to 80 person IT outsourcing or SaaS company, this phase routinely runs 3 to 5 months without automation. Gathering evidence for 93 controls manually is largely a copy-paste and screenshot job spread across many people.
Phase 4: internal audit and management review (weeks 16 to 26)
ISO 27001 requires an internal audit before certification. This is not optional and cannot be waved through. The internal audit must check that the ISMS conforms to the standard and to your own policies, and that it is effectively implemented.
Management review is a formal meeting (documented with minutes) where top management reviews ISMS performance, audit results, incidents, and decides on resource allocation going forward.
Both must be completed before Stage 1. Auditors ask for the records. If you do not have them, Stage 1 will find a nonconformity and you will need to remediate before Stage 2.
Why ISO 27001 takes longer than SOC 2
SOC 2 Type II typically takes 6 to 9 months total. ISO 27001 runs 9 to 12 months. Three structural reasons account for the gap.
The ISMS scope document is a formal management decision. In SOC 2, scope is largely determined by what systems your service auditor covers. In ISO 27001, you write a scope document that defines exactly what is inside the ISMS, get it approved by top management, and defend it to auditors. Changing scope mid-process requires re-running parts of risk assessment.
The Statement of Applicability has no SOC 2 equivalent. SOC 2 Trust Service Criteria apply in full. ISO 27001 requires you to evaluate each of 93 controls, decide applicability, document rationale for exclusions, and link each included control to your risk treatment decisions. Auditors scrutinize this document carefully.
Internal audit is mandatory before certification. SOC 2 has no equivalent pre-audit requirement. For ISO 27001, the internal audit and management review are part of the standard itself (clauses 9.2 and 9.3). They take 3 to 5 weeks and cannot be backdated.
Where most teams lose months
Policy documents get passed around indefinitely. A policy lands in someone's inbox, they add comments, it goes back, more comments. Without a defined review workflow and deadline, a single policy can sit in review for 3 to 4 weeks. Multiply by 15 policies and you have lost a quarter.
Risk assessment gets restarted. Teams often begin their risk assessment, get partway through, realize they have not correctly identified all information assets, and start over. Asset inventory is the foundation of risk assessment. If the inventory is incomplete, so is the risk assessment.
The internal audit has no assigned owner. Nobody wants to do it. It feels like audit theater when you are also the one who built the controls. But someone competent has to execute it, findings have to be documented, and if major nonconformities turn up, you need time to fix them. Teams that treat this as a last-minute checkbox often end up pushing back their Stage 1 date.
Certification body scheduling is outside your control. Accredited certification bodies book out 6 to 10 weeks in advance. Some popular CBs have 3 to 4 month waits for Stage 2 audits. Factor this into your target certification date from the start, not as an afterthought.
What automation actually changes
Compliance automation platforms like pTrackly change specific parts of the timeline. Knowing exactly what shifts and what stays fixed helps set realistic expectations.
Evidence collection through integrations with your cloud infrastructure, identity provider, MDM, and code repositories replaces manual screenshot gathering. A control that takes 4 hours to evidence manually can become continuous and automated. Policy templates pre-built for ISO 27001:2022 give teams a starting point that reflects the standard's requirements, so you review and adapt rather than write from scratch. Control tracking with clear ownership and status visibility removes the coordination overhead of chasing people across email and spreadsheets. Risk assessment tools structured around ISO 27001's methodology guide teams through asset identification, threat and vulnerability assessment, and risk treatment decisions rather than starting from a blank document.
What does not change: Stage 1 and Stage 2 audits must be conducted by an accredited certification body. No software replaces that. The auditor visits (or connects remotely), reviews your ISMS documentation, interviews staff, and samples evidence. That process takes as long as it takes. Internal audit must still happen; automation can track findings and remediation, but a qualified person still has to execute the audit. Management review is a human decision-making process. Someone in leadership has to review results and make resource decisions. Automation can prepare the input data, but the meeting and its minutes come from people.
Maintaining certification after year 1
ISO 27001 certification is valid for 3 years with annual surveillance audits.
The year 1 surveillance audit (around month 12 after certification) is shorter than the initial audit. It focuses on whether the ISMS is still operating effectively and whether you have addressed any nonconformities from the initial audit. Typically 1 to 2 audit days. The year 2 surveillance audit (around month 24) covers similar ground, often with a different focus area selected by the auditor. They may look more closely at supplier management or access reviews than they did in year 1. The year 3 recertification (before month 36) is a full re-audit, similar in scope to the original. Pass it, and you restart the 3-year cycle.
Between audits, you are expected to maintain your controls, run internal audits at planned intervals, update your risk assessment when significant changes happen (new product lines, new cloud services, staff growth, acquisitions), and keep your SoA current.
Teams that treat ISO 27001 as a one-time project rather than an ongoing program typically scramble at year 1 surveillance because their controls have drifted or their evidence is stale.
Practical questions
Do we need a consultant?
Not strictly required, but first-time teams benefit from one. A consultant with ISO 27001 implementation experience speeds up the gap analysis, helps write a defensible SoA, and can perform the internal audit if no internal resource is qualified. Budget for 30 to 80 hours of consulting time depending on company size and existing maturity. With an automation platform reducing documentation work, consulting time can focus on strategic decisions rather than policy writing.
Which certification body should we use?
For Japanese enterprise clients, look for CBs accredited by JAB (Japan Accreditation Board) or ISMS-AC. For European enterprise clients, accreditation by a national body in the IAF MLA network is standard (BSI, TUV Rheinland, Bureau Veritas, SGS, DNV are commonly recognized). Check whether your target clients specify a preferred accreditation body in their procurement requirements before choosing.
Cost varies significantly. BSI and Bureau Veritas tend to be on the higher end. Regional accredited CBs can be 30 to 50 percent less expensive for the same standard. The certificate carries the same weight as long as the CB is properly accredited.
Can we do ISO 27001 and SOC 2 in parallel?
Yes, and it is worth considering for companies targeting both Japanese and North American or European markets. The two frameworks share significant control overlap (access control, encryption, incident response, vulnerability management, business continuity). Running them in parallel avoids duplicating documentation and evidence work. The main complexity is managing two audit timelines simultaneously. Automation platforms that support both frameworks help because evidence collected for one can map to the other automatically.
The sequence most teams use: get ISO 27001 to Stage 1 first, then start the SOC 2 observation period, then complete both audits within a similar window. Total timeline is roughly the same as doing ISO 27001 alone because SOC 2 preparation shares so much groundwork.
If your target client has a specific certification deadline in their RFP, work backwards from that date. Add 8 weeks for auditor scheduling buffer that most teams forget. The controls that take longest to implement (supplier security reviews, asset inventory, access control documentation) need to start in week 1, not after the SoA is done.