ISO 27001:2022 — 12-month roadmap
52 weeks · scope → Stage 1 → Stage 2 → certification
[Interactive timeline, weeks 0 to 52: Scope & gap · Controls build · Internal audit · Stage 1 audit · Remediation · Stage 2 audit · Certification]

Most ISO 27001 content is written by consultants, and consultant-written content has one structural problem: it’s selling the consultant. The timeline is vague because vague timelines mean longer engagements. The “complexity” is overstated because complexity justifies the fee. Risk assessments are presented as dark arts because if risk assessment were simple, you wouldn’t need to hire anyone.

ISO 27001 is not a legal problem. It is not a consulting problem. It is a project management problem — a reasonably well-defined one, running over about twelve months, with five phases, a known failure mode in each phase, and a certification audit at the end that most competently-run organisations pass on first attempt. This article is the project plan. Twelve months of it, phased, with honest durations and the specific places programmes tend to slip.

ISO 27001:2022 in context

As of October 2025, the 2013 version of ISO 27001 is dead. The three-year transition window closed on 31 October 2025, and any organisation pursuing certification today is pursuing it against ISO/IEC 27001:2022. This matters because about 70% of the ISO 27001 content still ranking on search engines refers to the 2013 version. If an article discusses “114 controls across 14 domains,” you’re reading legacy material.

The current standard has 93 Annex A controls grouped into four themes: Organisational (37 controls), People (8), Physical (14), and Technological (34). Eleven of those controls are new in the 2022 revision, covering threat intelligence, cloud services, data masking, secure coding, and related modern concerns. The core management system clauses — 4 through 10, covering context, leadership, planning, support, operation, performance evaluation, and improvement — received smaller structural changes. The spirit of the standard is unchanged: establish an Information Security Management System, run it through a Plan-Do-Check-Act cycle, and subject it to independent certification.

The commercial reason a US SaaS company pursues ISO 27001 is usually international customers. European and Asian enterprise buyers treat ISO 27001 as the baseline expectation where US buyers treat SOC 2 as the baseline expectation. If your pipeline is expanding outside North America, ISO 27001 becomes a cost of entry. Pursuing it is almost never a voluntary decision.

The 12-month timeline at a glance

Twelve months is the honest duration for a first-time ISO 27001 certification at a 100–500 person SaaS company that already runs a SOC 2 programme. Organisations with no prior ISMS work often need fourteen to sixteen. Organisations with strong foundations can compress to ten, but not much less.

Phase 1: Scope and leadership alignment        Months 1–2
Phase 2: Risk assessment and treatment         Months 2–4
Phase 3: Control implementation                Months 4–8
Phase 4: Internal audit and management review  Months 8–10
Phase 5: Stage 1 and Stage 2 audits            Months 10–12

Two things about this shape are worth flagging up front. First, risk assessment is a phase in its own right — not a checkbox. The single largest failure mode on first-time ISO 27001 projects is under-investing in risk work and paying for it at Stage 2 when the auditor notices. Second, the certification audits themselves are split into two distinct stages separated by weeks, not days, and Stage 1 is substantive — not a pre-flight check.

Phase 1: Scope and leadership alignment (months 1–2)

Two months to define what you’re certifying and to get executive commitment to the programme in a form the auditor can later inspect.

Scope definition. The ISMS scope statement is the boundary of the audit. It identifies the services, locations, functions, technologies, and data that are inside the management system. A narrow, defensible scope is worth more than an expansive ambiguous one. “The information security management system covering the development, hosting, and operation of [product name] delivered from [cloud provider] to customers globally, including the supporting corporate IT infrastructure at [office locations]” is a decent scope statement. Vague scoping produces audit findings at Stage 1 and retroactive effort in Stage 2. Get it written early, review it with the auditor before Stage 1, and don’t change it mid-programme without a formal change.

Context of the organisation. Clause 4 of the standard requires you to document the internal and external issues, interested parties, and requirements that are relevant to the ISMS. This reads like box-ticking until you realise the auditor uses it in Stage 1 as evidence that leadership actually thought about why the ISMS exists. Treat it as a real document, not a template.

Leadership and roles. Top management must demonstrate leadership and commitment. In practice this means a named ISMS owner (often the CISO or Head of Security), a security steering committee that meets on a documented cadence, board-level awareness, and an information security policy signed by a senior executive. Auditors look hard at this. A programme that has the CEO’s name on a policy but no evidence the CEO has reviewed it in twelve months will get a finding.

Auditor selection. ISO 27001 audits are conducted by accredited certification bodies, not by any CPA firm. Select one in Phase 1. Reputable certification bodies are booked out significantly further ahead than SOC 2 auditors, often two quarters or more during renewal season. The choice of certification body is worth modest research — some are known for being process-oriented and pragmatic, others for being pedantic and adversarial. Your peer network in the industry is a better source than the certification body’s website.

On whether to use a consultant: the same pattern applies as with SOC 2. A good consultant compresses the learning curve. A bad consultant sells you their proprietary template library and their ongoing support retainer. Useful consultants are paid for scoping and the risk assessment, and hand the programme back to you for implementation.

Phase 2: Risk assessment and treatment (months 2–4)

This is the phase that most first-time programmes underestimate by a factor of two. Two months to do risk assessment properly, and if it takes one, you probably did it wrong.

Asset identification. What are the information assets inside your scope? Applications, infrastructure, data stores, sensitive information categories, intellectual property. Not every laptop and every USB stick — a defensible level of granularity is asset categories grouped by shared risk characteristics. The output is an asset inventory that the auditor will ask to see and that will be referenced across the rest of the ISMS.

Risk identification. For each asset or asset category, what could go wrong? Confidentiality breaches, integrity failures, availability losses. The old ISO 27005 risk taxonomy is a reasonable starting point, though you’re free to use any methodology that’s consistent. The output is a risk register.

Risk analysis and evaluation. Each risk gets a likelihood and an impact, scored on a scale your methodology defines. This produces a risk score, and risks above a threshold become candidates for treatment. The methodology itself doesn’t matter much — what matters is that you apply it consistently, document it, and can explain it to an auditor who will ask.

Risk treatment. For each risk above threshold, a treatment decision: mitigate (apply controls), accept (document the rationale), transfer (insurance or contractual), or avoid (stop doing the risky thing). The treatment plan becomes the input to control selection.

Statement of Applicability (SoA). The SoA is the most commonly underestimated artefact in the entire ISO 27001 programme. It lists every one of the 93 Annex A controls and, for each, states whether the control is applicable, whether it is implemented, and if not applicable, why not. It also links each applicable control to the risks it addresses. Auditors read the SoA cover to cover before Stage 2 and probe weakly-justified exclusions mercilessly. “Not applicable because we don’t have a physical office” is fine for A.7.4 (Physical security monitoring) if you genuinely have no offices. “Not applicable because we don’t do that” is not a justification for anything.

The honest reality: the risk assessment and SoA phase regularly takes longer than Phase 3 control implementation because the thinking required is harder than the engineering required.
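The Phase 2 steps above (score each risk, select those above a threshold, record a treatment, then link applicable Annex A controls back to those risks in the SoA) are mechanical enough to check by script, and the checks below catch the two Phase 2 failure modes the article describes later: a register where every risk carries the same score, and an SoA whose "applicable, implemented" entries link to no risk or whose exclusions carry no real justification. This is an added illustration, not code from the article; the 1–5 scale, the treatment threshold of 10, the sample risks and the control-to-risk mapping are all constructed, and the Annex A identifiers are used only as labels for the sample rows.

```python
"""Risk-register scoring and Statement of Applicability (SoA) consistency checks.

Added illustration for the Phase 2 steps; not part of the article.
Assumptions: likelihood and impact on a 1-5 scale, a treatment threshold of 10,
and constructed sample data. Any consistently applied methodology will do.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)      # assumed 1-5 scale for likelihood and impact
TREAT_THRESHOLD = 10     # assumed: score >= 10 needs a treatment decision
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}
# Exclusion justifications an auditor will not accept (the article's "we don't do that")
WEAK_JUSTIFICATIONS = {"", "n/a", "not applicable", "we don't do that"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    likelihood: int
    impact: int
    treatment: Optional[str] = None  # mitigate / accept / transfer / avoid, or None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoAEntry:
    control_id: str            # Annex A identifier, e.g. "A.5.23"
    applicable: bool
    implemented: bool
    justification: str = ""    # required when the control is excluded
    linked_risks: List[str] = field(default_factory=list)


def score_register(register, threshold=TREAT_THRESHOLD):
    """Return (candidates_for_treatment, findings) for a risk register."""
    findings = []
    for r in register:
        if r.likelihood not in SCALE or r.impact not in SCALE:
            findings.append(f"{r.risk_id}: likelihood/impact outside the defined scale")
        if r.treatment is not None and r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
    candidates = [r for r in register if r.score >= threshold]
    for r in candidates:
        if r.treatment is None:
            findings.append(f"{r.risk_id}: score {r.score} >= {threshold} but no treatment decision")
    # "scores everything Medium": one score value across the whole register
    if len(register) > 1 and len(Counter(r.score for r in register)) == 1:
        findings.append("register: every risk has the same score; scoring looks undifferentiated")
    return candidates, findings


def check_soa(soa, register):
    """Return the findings an auditor would raise reading the SoA against the register."""
    risk_ids = {r.risk_id for r in register}
    mitigated = {r.risk_id for r in register if r.treatment == "mitigate"}
    covered, findings = set(), []
    for e in soa:
        if e.applicable:
            if not e.linked_risks:
                findings.append(f"{e.control_id}: applicable but linked to no risk")
            unknown = [x for x in e.linked_risks if x not in risk_ids]
            if unknown:
                findings.append(f"{e.control_id}: links to unknown risk(s) {unknown}")
            covered.update(e.linked_risks)
        else:
            if e.justification.strip().lower() in WEAK_JUSTIFICATIONS:
                findings.append(f"{e.control_id}: excluded without a substantive justification")
            if e.implemented:
                findings.append(f"{e.control_id}: marked not applicable yet implemented")
    # Every risk you chose to mitigate must be addressed by at least one applicable control
    for rid in sorted(mitigated - covered):
        findings.append(f"{rid}: treatment is 'mitigate' but no applicable control addresses it")
    return findings


# Constructed sample register and SoA (not a real organisation's data)
REGISTER = [
    Risk("R-01", "Customer data store", "Unauthorised access to production database", 3, 5, "mitigate"),
    Risk("R-02", "CI/CD pipeline", "Unreviewed code reaches production", 2, 5, "mitigate"),
    Risk("R-03", "Office network", "Tailgating into the office", 2, 2, None),   # below threshold
    Risk("R-04", "Cloud provider", "Provider outage takes the service down", 3, 4, None),  # missing treatment
]
SOA = [
    SoAEntry("A.5.15", True, True, linked_risks=["R-01"]),
    SoAEntry("A.8.28", True, True, linked_risks=[]),                 # implemented, linked to nothing
    SoAEntry("A.5.23", True, False, linked_risks=["R-04"]),
    SoAEntry("A.7.4", False, False, justification="No physical offices; all staff remote"),
    SoAEntry("A.7.1", False, False, justification="We don't do that"),  # weak exclusion
]

if __name__ == "__main__":
    candidates, register_findings = score_register(REGISTER)
    print("treatment candidates:", [r.risk_id for r in candidates])
    for line in register_findings + check_soa(SOA, REGISTER):
        print("finding:", line)
```

Run against the sample data it reports R-04 as above threshold with no treatment, A.8.28 as applicable with no risk linkage, A.7.1 as excluded on a non-justification, and R-02 as a mitigated risk no control addresses. The point of the linkage check is the one the article makes: the SoA is a thinking artefact, and the auditor's question "which risk does this control treat?" should have an answer before Stage 1, not after.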

Phase 3: Control implementation (months 4–8)

Four months to close the gaps between the controls the SoA says you’ll apply and the controls you actually have running.

The work in Phase 3 is almost entirely overlapping with what a mature SOC 2 programme already covers. Access management, change management, incident response, vendor management, HR controls, logging and monitoring, business continuity. If you’re coming into ISO 27001 from a clean SOC 2 Type II, realistically 60–70% of your controls are already in place. The gaps tend to cluster in three areas:

Documented processes. SOC 2 tolerates informal processes if the evidence shows they worked. ISO 27001 requires documented procedures for the processes listed in the standard — including things SOC 2 doesn’t care much about, like classification of information, cryptography management, and secure development lifecycle policies. If your documentation culture is “read the code and the runbook,” expect to produce a lot of policy pages in Phase 3.

Physical security. ISO 27001 has explicit requirements in this area that SOC 2 Security-only reports don’t emphasise. If your scope includes any offices, you’ll need physical access controls, secure disposal procedures, clear desk and clear screen policies, and evidence these are being followed.

Supplier security. The 2022 revision tightened the supplier management requirements, including controls on cloud services specifically (A.5.23). Vendor inventories that are acceptable for SOC 2 often need enriching with data on cloud service configurations, shared responsibility boundaries, and supplier security agreements.

The position worth taking: if you’re coming from SOC 2, don’t rebuild your control environment. Map the controls you already run against Annex A, identify the genuine gaps, and implement against those gaps only. Rebuilding a working control framework to fit a different framework’s language is expensive and pointless.

Phase 4: Internal audit and management review (months 8–10)

Two months that inexperienced programmes treat as a formality and pay for at Stage 2.

Internal audit. ISO 27001 requires the organisation to audit its own ISMS before the certification body does. This is not the same as the gap assessment you did in Phase 1. The internal audit is a full examination of whether the ISMS is operating effectively against the standard and against your own policies. It must be conducted by someone sufficiently independent of the area being audited, on a planned schedule, producing documented findings that management then addresses.

Two structural options exist: train an internal team member to perform the audit, or engage a qualified external internal auditor (which sounds contradictory but isn’t — the auditor is external to your organisation but performs the internal audit function). External internal audits are usually cheaper for first cycles and meet the independence requirement cleanly.

Management review. Clause 9.3 requires top management to review the ISMS on a planned basis. The review has specified inputs: internal audit results, nonconformities, risk assessment changes, stakeholder feedback, policy effectiveness, and more. It has specified outputs: decisions about continual improvement, resource allocation, and policy changes. It must produce a documented output — the management review record — that the auditor will read.

The common failure: treating the management review as the agenda item on a quarterly leadership meeting. The standard wants a distinct artefact with specific inputs and outputs. Put a date on the calendar, prepare the pack against Clause 9.3’s requirements, and produce the record as a standalone document.

Phase 5: Stage 1 and Stage 2 certification audits (months 10–12)

The certification audit is split into two stages separated by several weeks, not a single event.

Stage 1 is a documentation and readiness review. The auditor examines your ISMS documentation — policies, risk register, SoA, internal audit results, management review record, and scope statement — and assesses whether the ISMS is sufficiently mature for Stage 2. Stage 1 often takes one to three days for a mid-sized organisation. Findings at Stage 1 are typically observations or minor nonconformities that must be addressed before Stage 2 proceeds.

Treat Stage 1 as substantive. It is not a rubber stamp. Organisations that think Stage 1 is a pre-flight check and arrive with half-finished documentation routinely get their Stage 2 rescheduled.

Stage 2 is the implementation audit. The auditor spends several days — typically three to ten depending on scope — interviewing personnel, inspecting evidence, sampling control operations, and testing whether the ISMS documented at Stage 1 is the ISMS operating in practice. Stage 2 findings are categorised as major nonconformities (which must be addressed before certification), minor nonconformities (which must be addressed on a remediation plan but don’t block certification), observations (informational), and opportunities for improvement.

Most first-time certifications receive a handful of minor nonconformities and one or two observations. This is normal and not a failure. A major nonconformity at Stage 2 is recoverable but requires a remediation period and a follow-up audit before the certificate is issued. Zero findings is rare and, honestly, slightly suspicious — competent auditors find things.

Certification is valid for three years. In each of the intervening two years, the certification body conducts a surveillance audit — a lighter-touch examination focused on a rotating subset of controls and on any changes since certification. At year three, you recertify with a full audit comparable in scope to Stage 2.

Where this plan commonly slips

Five failure modes account for most first-time ISO 27001 programmes that miss their twelve-month target.

Risk assessment done as theatre. A team produces a 200-row risk register in an afternoon, scores everything Medium, and moves on. The auditor reads it and asks how those likelihood and impact scores were derived. The team has no answer. Stage 1 gets a finding and the risk assessment gets redone. Cost: one to two months.

SoA written as a compliance artefact rather than a thinking artefact. Every Annex A control marked “applicable, implemented” with a one-line justification copied from the standard. The auditor reads the SoA, picks six controls, asks to see the implementation evidence and the linkage back to specific risks, and finds mismatches. Cost: significant Stage 1 remediation.

Internal audit scheduled for the last possible week. Programme runs through Phase 3, enters Phase 4, and nobody has booked the internal auditor. The internal audit ends up compressed into the final weeks before Stage 1, findings are rushed, management review happens the same week, and Stage 1 sees it all as last-minute theatre. Cost: a disappointed auditor and a tough Stage 1.

Leadership engagement that doesn’t show up in documentation. The exec sponsor is genuinely engaged — they attend the steering meetings, they’ve reviewed the policy, they ask good questions. None of this is documented. The auditor looks for evidence of top management leadership as specified in Clause 5 and finds a signed policy, a steering committee charter nobody has referenced in six months, and a management review record that reads like someone filled it in yesterday. Cost: an uncomfortable interview.

Trying to retrofit ISO 27001 onto a SOC 2 environment without a scope-level review. The team treats ISO 27001 as a different audit of the same environment. Scope boundaries don’t quite match, Annex A controls that SOC 2 doesn’t cover (physical, cryptography management, secure development) get missed, and Phase 3 discovers new gaps at the halfway mark. Cost: schedule slippage and engineering rework.

The failure pattern under all of these is the same. Teams that have done SOC 2 successfully assume ISO 27001 is the same shape. It isn’t. It is a more formal, more documentation-heavy, more management-oriented framework that requires evidence of governance alongside evidence of controls. Plan accordingly.

Integrating with SOC 2

Running ISO 27001 and SOC 2 as a combined programme is significantly more efficient than running them sequentially. Control overlap is high, evidence overlap is higher, and a single well-structured ISMS can support both reports with the right scoping. The practical trick is timing the audit calendar so that one observation period supports both reports, and sequencing Stage 1 and Stage 2 of the ISO audit around SOC 2 fieldwork so that the teams aren’t stretched across both at once.

For organisations already running a Type II SOC 2 programme that are now adding ISO 27001, the combined-programme guide lays out the Trust Services Criteria × Annex A crosswalk and the audit sequencing logic. The short version: do the ISO internal audit during the SOC 2 observation period, schedule Stage 1 two months after SOC 2 fieldwork completes, and time Stage 2 to land shortly after the SOC 2 report ships.

FAQ

How long does ISO 27001 implementation take?

Twelve months is realistic for a first-time certification at a mid-sized SaaS company with an existing SOC 2 programme. Fourteen to sixteen months is common for organisations starting from no formal ISMS. Organisations with strong existing foundations can achieve certification in ten months but not reliably less.

What’s the difference between ISO 27001:2013 and ISO 27001:2022?

The 2022 version restructured Annex A into 93 controls across four themes (previously 114 across 14 domains) and added eleven new controls covering threat intelligence, cloud services, data masking, and secure development. The core management system clauses received smaller changes. As of 31 October 2025, the 2013 version is no longer a valid certification target.

Do I need an internal auditor?

Yes. Clause 9.2 requires internal audits of the ISMS on a planned schedule. The auditor must be competent and sufficiently independent of the area being audited. Many organisations hire an external firm to perform the internal audit function rather than training an internal team member.

What is the Statement of Applicability?

A required document that lists every Annex A control, states whether each is applicable to your organisation, explains why where it isn’t, and links each applied control to the risks it addresses. It is the most commonly under-resourced artefact in first-time programmes.

How much does ISO 27001 certification cost?

Certification body fees for a first-time audit of a mid-sized SaaS company typically land in $20,000–$60,000 for Stage 1 plus Stage 2 combined. Annual surveillance audits cost roughly half that. Add internal effort, tooling, and any consulting fees; total first-year programme cost is usually $75,000–$200,000.

Is ISO 27001 certification valid worldwide?

Certificates issued by an accredited certification body are recognised internationally. The accreditation body (UKAS, ANAB, etc.) matters more than the certification body’s location. Check that your chosen certification body is accredited by an IAF member.

Do I need ISO 27001 if I already have SOC 2?

Depends entirely on your customer base. European and Asian enterprise buyers often require ISO 27001; US buyers often accept SOC 2. If your pipeline spans both, running both frameworks as a combined programme is the efficient answer.

What happens at Stage 1 vs Stage 2?

Stage 1 is a documentation review assessing ISMS readiness. Stage 2 is an implementation audit testing whether the documented ISMS is the operating ISMS. They are separated by several weeks and findings at Stage 1 must typically be addressed before Stage 2 proceeds.

How long is an ISO 27001 certificate valid?

Three years, with annual surveillance audits in years one and two and a recertification audit at year three.

Can I fail an ISO 27001 audit?

A major nonconformity at Stage 2 blocks certification until the issue is remediated and verified. This is recoverable but adds weeks or months. Most first-time programmes that are sensibly resourced receive only minor nonconformities and observations, which do not block certification.