The promise is seductive: ISO 27001 certification in 90 days. Vendors sell it. Consultants quote it. And occasionally — under very specific conditions, with a very small scope, in an organization that already has significant security maturity — it is achievable. Most of the time, it is not. Here is what 50+ implementations have taught us about what actually happens, and what to do about it.
What 90 Days Assumes
A 90-day ISO 27001 engagement assumes: a defined and narrow scope (a single system or product, not the whole organization), executive sponsorship that clears blockers in hours rather than weeks, no significant policy gaps (policies already exist and only need aligning to the standard), an organization that has already been through SOC 2 or a comparable audit, enough operating history that an internal audit and a management review can be completed before Stage 2 (certification bodies expect both to have happened), and a certification body with Stage 1 and Stage 2 slots available inside your timeline.
When any of these conditions is absent, and usually at least one is, the realistic timeline for a first-time ISO 27001 implementation in a mid-market organization with a meaningful scope is 6–12 months to a successful Stage 2 audit.
The Three Gaps That Blow Timelines
1. The Policy Gap
ISO 27001:2022 expects a comprehensive policy library. Clause 5.2 requires an Information Security Policy, and Annex A control 5.1 expects topic-specific policies beneath it: Access Control, Change Management, Supplier Security, Business Continuity, Incident Response, Asset Management, and more. Organizations that have never documented their security controls formally discover at gap assessment that they are writing 15–25 policies from scratch. Each policy needs author review, management approval, and evidence that it was communicated to the people it applies to. This alone takes 6–10 weeks in organizations without dedicated security resources.
2. The Risk Register Gap
ISO 27001's core is risk management. The standard requires a documented risk assessment methodology with explicit risk acceptance criteria, a risk register with identified and evaluated risks and a named owner for each, a risk treatment plan that the risk owners have approved (including acceptance of the residual risk), and a Statement of Applicability (SoA) that maps your controls to Annex A and records why each of its 93 controls was included or excluded. Organizations that try to build this in a spreadsheet over a weekend produce something that looks like a risk register and fails Stage 1 audit scrutiny. Building a defensible risk register takes 4–8 weeks of serious work.
3. The Evidence Gap
Documentation is necessary but not sufficient. Auditors want evidence that controls are operating: access review logs, change management tickets, penetration test reports, vulnerability scan results, supplier risk assessment records, training completion certificates. That evidence has to be dated within the period under review, produced by the control as it ran, and collected at the control's intended cadence; a monthly vulnerability scan with a three-month hole in the scan history is a finding, however good the policy reads. If an organization has controls but has not been collecting evidence systematically, Stage 2 becomes a scramble to reconstruct six months of operations in four weeks, and reconstructed evidence is easy for an auditor to spot. This is where most first-time certifications struggle most visibly.
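The evidence gap is easier to manage if you measure it continuously instead of discovering it at Stage 2. The script below is an added example written for this page, not tooling from AAN Systems or from any ISO 27001 product: given an evidence log of (control, evidence type, date) records, it checks each control's evidence against an expected cadence over the audit window and reports where the elapsed time between items exceeds that cadence, plus controls with no evidence at all. The control identifiers are ISO 27001:2022 Annex A numbers (5.18 access rights, 8.32 change management, 8.8 technical vulnerability management, 6.3 awareness training, 5.19 supplier relationships); the cadences are assumed values chosen for illustration, since the standard does not prescribe them, and the evidence entries are constructed, not real audit records.

```python
from datetime import date, timedelta

# Expected operating evidence per control: (evidence type, maximum days between items).
# Cadences are assumptions for this example; ISO 27001 leaves frequency to the organization.
# Monthly controls get 35 days so ordinary calendar drift does not register as a gap.
REQUIREMENTS = {
    "A.5.18": ("access_review", 90),          # quarterly user access review
    "A.8.32": ("change_ticket", 35),          # at least one reviewed change ticket per month
    "A.8.8":  ("vuln_scan", 35),              # monthly vulnerability scan
    "A.6.3":  ("training_record", 365),       # annual awareness training
    "A.5.19": ("supplier_assessment", 365),   # annual supplier security review
}

# Constructed sample evidence log (control, evidence type, date). Not real records.
EVIDENCE = [
    ("A.5.18", "access_review", date(2024, 1, 20)),
    ("A.5.18", "access_review", date(2024, 7, 2)),    # Q2 review done late, after the window
    ("A.8.32", "change_ticket", date(2024, 1, 9)),
    ("A.8.32", "change_ticket", date(2024, 2, 6)),
    ("A.8.32", "change_ticket", date(2024, 3, 5)),
    ("A.8.32", "change_ticket", date(2024, 4, 3)),
    ("A.8.32", "change_ticket", date(2024, 5, 1)),
    ("A.8.32", "change_ticket", date(2024, 5, 29)),
    ("A.8.32", "change_ticket", date(2024, 6, 26)),
    ("A.8.8",  "vuln_scan", date(2024, 1, 5)),
    ("A.8.8",  "vuln_scan", date(2024, 2, 5)),
    ("A.8.8",  "vuln_scan", date(2024, 3, 5)),
    ("A.8.8",  "vuln_scan", date(2024, 5, 5)),        # April scan never ran
    ("A.8.8",  "vuln_scan", date(2024, 6, 5)),
    ("A.6.3",  "training_record", date(2024, 2, 1)),
    # A.5.19: no supplier assessment evidence at all
]

# Six-month observation window the auditor will sample from (assumed for the example).
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2024, 6, 30)


def _dated_evidence(evidence, control, etype, start, end):
    """Evidence items for one control and type, dated inside the window, sorted."""
    return sorted(d for c, t, d in evidence
                  if c == control and t == etype and start <= d <= end)


def coverage_gaps(evidence, requirements, start, end):
    """Map control -> list of (from, to) spans where no evidence arrived within its cadence.

    The window start and end act as checkpoints, so a control whose last evidence is
    stale at the end of the window is reported, not just gaps between two items.
    """
    gaps = {}
    for control, (etype, cadence_days) in requirements.items():
        checkpoints = [start] + _dated_evidence(evidence, control, etype, start, end) + [end]
        spans = [(a, b) for a, b in zip(checkpoints, checkpoints[1:])
                 if (b - a).days > cadence_days]
        if spans:
            gaps[control] = spans
    return gaps


def unevidenced_controls(evidence, requirements, start, end):
    """Controls with zero evidence in the window, regardless of cadence.

    An annual control can pass the cadence check over a six-month window while still
    having nothing to show the auditor; this catches that case separately.
    """
    return sorted(control for control, (etype, _) in requirements.items()
                  if not _dated_evidence(evidence, control, etype, start, end))


if __name__ == "__main__":
    for control, spans in coverage_gaps(EVIDENCE, REQUIREMENTS, WINDOW_START, WINDOW_END).items():
        for a, b in spans:
            print(f"{control}: no evidence for {(b - a).days} days ({a} to {b})")
    for control in unevidenced_controls(EVIDENCE, REQUIREMENTS, WINDOW_START, WINDOW_END):
        print(f"{control}: no evidence at all in the window")
```

Run against the constructed log, the access review is flagged because the window's last item is 162 days old (the July review does not backfill the window), the April scan hole shows up as a 61-day span for A.8.8, and A.5.19 is reported as having no evidence even though its annual cadence is not yet violated. Pointing the same check at ticket, scan and review exports on a schedule turns "start evidence collection on day one" into something you can actually verify each month.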
What the Fast Ones Actually Did
The fastest successful certifications we have managed, genuine certification in under 9 months, shared a common approach: they scoped tightly, started evidence collection on day one rather than month four, and treated the risk register as a living operational document rather than an audit artifact. They also had executive sponsors who could make risk acceptance decisions in real time rather than sending them through committee cycles that took weeks.
Post-Certification: The Drift Problem
Certification is not the end. ISO 27001 is a living management system, and the certificate runs on a three-year cycle: surveillance audits in years one and two, then a full recertification audit in year three. The organizations that lose their certification at recertification, or receive major non-conformities in surveillance audits, are almost always the ones that treated the implementation as a project with a finish line rather than an ongoing operational program. The ISMS needs internal audit cycles, management reviews, and continuous control monitoring. Building that operational infrastructure during implementation, not after, is what separates sustainable certification from a single-use audit performance.
AAN Systems — ISO 27001 & GRC Implementation
50+ engagements. Zero repeat audit findings. Realistic timelines and honest gap assessments from day one.