ISO 27001 Roadmap: 12 Months to Certification

Structured 5-phase plan from gap analysis to Stage 2 certificate. With milestones, responsibilities, and timelines.

An ISO 27001 implementation takes between 8 and 14 months depending on your organisation's current maturity level. Anyone expecting to finish in three months is seriously underestimating the effort involved. This article walks you through the structured 5-phase journey from the first gap analysis to the Stage 2 certificate, with realistic timelines, effort estimates, and the key milestones for each phase. Understanding the phases lets you start with the right preparation immediately, rather than spending energy on the wrong sequence.

Phase 1: Scope and Gap Analysis (Months 1-2)

Before writing a single policy, you need to know what you want to certify. The scope defines which departments, locations, and systems fall under the ISMS. A scope that is too broad significantly delays the project; a scope that is too narrow risks the certifiability of the whole effort. Start with a stakeholder kick-off: senior management, IT leadership, the data protection officer, and the departments with the highest information protection needs should all be involved from the outset.

The external gap analysis follows. Typically this takes 3 to 5 days and delivers a maturity score for all relevant control areas plus a prioritised action plan. The result shows you exactly which controls are already met and where the greatest effort lies. Use the interactive control explorer for an initial self-assessment before engaging an external consultant. That way you arrive at the gap analysis better prepared and save consulting days.

The output from Phase 1 is the foundation for all subsequent phases: without a clear scope and a realistic gap picture, you risk focusing on the wrong controls in Phase 2 and being corrected by the external auditor in Phase 4.

Phase 2: ISMS Build (Months 3-6)

Phase 2 is the most labour-intensive phase of the entire project. This is where you build the information security management system: from the information security policy and risk methodology through to the actual implementation of technical and organisational measures. The most important principle: risk analysis before policies. Many organisations start by writing policies without knowing which risks they are meant to address. That is work in the wrong order.

The risk methodology defines how you assess and prioritise risks. The risk register documents all identified risks with likelihood, impact, and mitigation measures. Technical measures are then implemented on this basis: multi-factor authentication, encrypted backups, access control on a need-to-know principle, patch management. The awareness cycle runs in parallel: training for all staff is mandatory, not optional. Supplier audits for critical service providers also belong in this phase.

The central output of Phase 2 is the Statement of Applicability (SoA v1): a table of all 93 Annex A controls with a justification for whether and how each is applied. The SoA is the most important document for the external auditor. More details on the SoA page.

  • Timeline: 4 months
  • Outputs: ISMS documentation, risk register, Statement of Applicability v1, training records
  • Kopexa modules: Risks, Policies, IT Assets, Vendors

Phase 3: Internal Audit and Management Review (Months 7-8)

ISO 27001 Clause 9.2 mandates internal audits. They are not a bureaucratic add-on but the quality gate before the external auditor arrives. Gaps found internally can be closed calmly, without them appearing in the official audit report. External findings can, by contrast, lead to postponement of the certification date.

The internal audit checks whether the ISMS operates in practice as it is documented. Typical findings: policies exist but are not practised; backups are documented but never tested; MFA is activated but with an exception list covering a third of all accounts. Immediately afterwards comes the Management Review per Clause 9.3: senior management assesses ISMS performance using KPIs, audit findings, and a risk report. The Management Review is at the same time the evidence that information security is a board-level matter, which is exactly what the external auditor checks.

Corrective actions from the internal audit are documented in the nonconformity register. Open actions must be resolved, or at least accompanied by a clear implementation plan, before Stage 1 can begin.

  • Timeline: 2 months
  • Outputs: Internal audit report, nonconformity register, management review minutes
  • Kopexa module: Audit workflow

Phase 4: Stage 1 Audit (Month 9)

The Stage 1 audit is a documentation review by the external certification auditor (TÜV, DQS, Bureau Veritas, or another accredited certification body). The auditor checks whether the ISMS documentation meets the requirements of the standard and whether the organisation is ready to proceed to Stage 2. Stage 1 typically takes place on-site or remotely over two to three days.

Audit findings are grouped into four categories: critical (nonconformity that prevents certification), major (significant deviation that must be resolved before Stage 2), minor (lesser deviation with a correction deadline), and observation (advisory note without a correction requirement). With critical or major findings, a correction process follows: typically you have four to six weeks for remediation before Stage 2 can start.

In Stage 1, the auditor checks, among other things, the Statement of Applicability, the scope, the risk methodology, and the completeness of the documentation. A well-prepared SoA is the decisive difference between a smooth Stage 1 and a costly remediation round.

  • Timeline: 1 month (including preparation)
  • Outputs: Stage 1 audit report, findings list, go/no-go for Stage 2
  • Kopexa tool: Statement of Applicability

Phase 5: Stage 2 Audit and Certification (Months 11-12)

Stage 2 is the actual certification audit. Unlike Stage 1, the auditor here assesses the practical implementation of the ISMS: conducting interviews with role holders (CISO, IT leadership, business units), sampling the risk register, checking log files, training records, and change management protocols, and testing whether the documented ISMS is actually practised day to day.

A common mistake is treating Stage 2 as a one-time hurdle. The certificate is valid for three years, but it is not maintenance-free. Annual surveillance audits check that the ISMS remains effective. After three years comes the recertification audit. Organisations that stop maintaining the ISMS after Stage 2 risk losing the certificate at the first surveillance audit.

Evidence archiving is critical: all proof must be retrievable at any time. A central evidence archive saves weeks of preparation time at surveillance audits compared to scattered SharePoint folders and email threads.

  • Timeline: 2 months
  • Outputs: ISO 27001:2022 certificate (valid 3 years), certification report
  • Kopexa module: Evidence archiving, Audits

Timeline Overview: All 5 Phases at a Glance

The following table shows the typical timelines per phase and the corresponding Kopexa tool. The total duration of 12 months applies to organisations with a medium maturity level. At a very low starting point (no existing ISMS), 14 to 18 months is more realistic.

Phase                    | Duration | Kopexa Tool
1 Scope + Gap Analysis   | 2 months | Control explorer (self-assessment)
2 ISMS build             | 4 months | Platform (Risks, Policies, Assets, Vendors)
3 Internal audit         | 2 months | Platform (audit workflow)
4 Stage 1                | 1 month  | Statement of Applicability
5 Stage 2                | 2 months | Platform (evidence archiving)

Common Mistakes in the ISO 27001 Roadmap

From working with organisations of various sizes and industries, we know the typical roadmap mistakes. Here are the five most common:

  1. "Let's start with policies": Without a completed risk analysis, you don't know which risks your policies should address. Policies that are not derived from the risk register do not fulfil the standard's purpose. Always do the risk analysis first.
  2. "The external auditor can also advise us": Certification auditors are prohibited from advising the same organisation due to conflict of interest rules. Consultant and certification auditor must always be different individuals or firms.
  3. "Six months is enough": Below 50 employees this is possible in exceptional cases. For medium and large organisations it is unrealistic. Plan for at least 12 months, unless you already have a well-documented ISMS from another framework.
  4. "Certificate means finished": The certificate is the beginning of ISMS operations, not its end. Surveillance audits, annual risk reviews, and continuous improvement measures are normative obligations. Organisations that stop after certification lose the certificate.
  5. "One person is enough": ISMS roles must be diversified. CISO, internal auditors, and risk owners cannot all be the same person. Auditors explicitly check segregation of duties. Whether you run Kopexa self-service or with partner support, role separation is essential in both cases.

Next Step: Start with the Control Explorer

The easiest entry point into the ISO 27001 roadmap is a structured self-assessment against the 93 controls. The interactive control explorer shows you all Annex A controls, cross-mappings to NIS2, TISAX, GDPR, and BSI IT-Grundschutz, and an initial overview of your action areas. Combined with the SoA template, you have the foundation for Phases 1 and 2 in hand.

Want to map the entire roadmap in Kopexa?

14-day free trial, all phases in one platform, hosted in Germany, from EUR 249/month. No sales call required.
