How Long Does ISO 27001 Certification Take in Australia?

For most Australian organisations, ISO 27001 certification takes six to twelve months from a standing start to the certificate. A small, mature team can move faster; a large or multi-site scope takes longer. The pace is set by how long the management system has to run before the Stage 2 audit, not by effort alone.

How long does ISO 27001 certification take?

Six to twelve months for most organisations, measured from a standing start to the certificate in hand. A small team with tidy documentation and a narrow scope can be ready in under six months. A large or multi-site scope runs past twelve. The work falls into three parts: building the management system, running it long enough to produce evidence, then two audits by an accredited certification body. The complete ISO 27001 guide sets out the wider picture; the timeline below is the clock.

What are the stages, and how long does each take?

Certification is not one event. It is a build, an operating period, and then a two-stage audit. The build is the part you control: what ISO 27001:2022 requires is clauses 4 to 10 and the 93 Annex A controls, written up and put in place. The operating period and the audit scheduling are the parts you do not fully control, and they are where most of the calendar goes.

Stage | Indicative duration | What happens
Gap analysis and scoping | 4 to 8 weeks | Set the scope, the Statement of Applicability direction, and the gaps against clauses 4 to 10 and the 93 Annex A controls
Build the ISMS | 2 to 4 months | Risk assessment and treatment, policies, the Statement of Applicability, and the controls put in place
Operate and gather evidence | 2 to 3 months | Run the controls, then complete one internal audit and one management review
Stage 1 audit | 1 day on site, weeks of lead time to book it | The certification body reviews documentation and readiness for Stage 2
Close findings, then Stage 2 | 2 to 6 weeks | Fix Stage 1 gaps, then Stage 2 tests the system in operation and decides the certificate

Indicative durations are Cybernion’s, for a moderately complex system. The stages overlap, so the total is shorter than the sum.

Why must the management system run before the Stage 2 audit?

Because Stage 2 tests the system in operation, not on paper. The standard sets no fixed minimum operating period, but an auditor needs evidence that the controls have actually run: a completed internal audit, a management review, and records that show the ISMS working over time. Finish writing your policies on a Friday and you are not ready to certify on the Monday. The records do not exist yet. This is the single point teams underestimate, and it is calendar time, not effort, so you cannot buy your way past it.

What makes ISO 27001 certification take longer?

Four things, in roughly this order. Scope: more systems, sites and business units mean more to build and more to audit. Maturity: thin documentation and missing controls turn into remediation work before you can operate. Decision speed: slow internal sign-off on risk treatment and resourcing stretches the build. And audit lead time: accredited bodies book weeks ahead, so a late booking delays the certificate even when you are ready. The audit duration itself scales with the number of people in scope under ISO/IEC 27006-1, not with revenue, which is also what shapes the certification cost.

How long between Stage 1 and Stage 2, and what happens after?

Usually a few weeks. Stage 1 reviews your documentation and readiness; you close any gaps it finds, then Stage 2 tests the system in operation and decides the certificate. After that the certificate is valid for three years: surveillance audits in years one and two, full recertification in year three. One note on currency: the transition from ISO/IEC 27001:2013 ended on 31 October 2025, so every current certificate is to the 2022 version. If a provider still references the 2013 standard, treat it as out of date.

Can you get certified faster?

Within limits. A narrow scope, controls that are already mostly in place, and quick internal decisions all shorten the build, and a small team with an audit slot booked early can reach a certificate well inside six months. What you cannot compress past a point is the operating period the ISMS needs before Stage 2 and the certification body’s lead time. Cybernion’s ISO 27001 readiness runs the build and the operating period in parallel where the scope allows, and books the audit early so it is not the thing you wait on. Talk to us if you have a date you need to hit.

Frequently asked questions

Can you get ISO 27001 certified in three months?

Rarely. It is possible only for a very small, mature team with a narrow scope and an audit slot already booked, because the management system still has to run and produce records before the Stage 2 audit.

How long is an ISO 27001 certificate valid?

Three years. Annual surveillance audits take place in years one and two, with full recertification in year three.

Do you have to recertify every year?

No. Surveillance audits are annual, but full recertification is every three years.

How long is the gap between Stage 1 and Stage 2?

Usually a few weeks, enough to close any Stage 1 findings. It runs longer if the documentation review surfaces material gaps.

Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISO/IEC 27001:2022, Information security management systems, Requirements, 2022
  2. ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of information security management systems, 2024
  3. ISO/IEC 17021-1:2015, Conformity assessment, Requirements for bodies providing audit and certification of management systems, 2015

Last updated: 21 June, 2026