Indicative Timeline for 27001 Compliance
ISO-27001 compliance is effectively a three-year cycle: an initial certification audit in year 1, a surveillance audit to confirm continued compliance in each of years 2 and 3, and then recertification.
Year 1 | Certification Activity | Duration* |
Audit Preparation and Certification (3 to 10 months overall, depending on the size and complexity of the organisation and the dedication of its staff) | Initiate the Journey | 1 day |
 | Information Security Status Assessment | 1-2 weeks |
 | Information Security Status Report | 1 week |
 | Establish a Compliant ISMS | 2-8 months*** |
 | Internal Audit and Report | 1 week |
 | External Audits and Reports | 4-6 weeks |
 | ISO-27001 Certification | 2 weeks |
Year 2 | Compliance Confirmation | Duration* |
Audit Preparation** and Remote Audit | Internal ISMS Compliance Confirmation | 1-2 weeks |
 | External ISMS Compliance Confirmation | 1 week |
Year 3 | Compliance Confirmation | Duration* |
Audit Preparation** and Remote Audit | Internal ISMS Compliance Confirmation | 1-2 weeks |
 | External ISMS Compliance Confirmation | 1 week |
Notes:
* The time estimates are given as elapsed duration, not effort.
** The audit preparation and compliance confirmation effort in years 2 and 3 depends on how well the ISMS has been kept up to date in the meantime.
*** At the end of year 3 the clock and the journey are technically reset. Assuming the ISMS has been kept compliant throughout, however, the "Establish a Compliant ISMS" stage of the recertification realistically shrinks to 4 to 8 weeks.
Initiate the Journey – 1 day
Opening meeting with senior management and the security team to describe the route, demonstrate the Vanta toolset and set expectations for the following stage.
Information Security Status Assessment – 1-2 weeks
Information Security Status Report – 1 week
Establish a Compliant ISMS – 2-8 months
Internal Audit and Report – 1 week
One of our independent auditors assesses your certification readiness and reports the findings before the external audit.
External Audits and Reports – 4-6 weeks
Two certified, independent external auditors assess your compliance in a two-stage audit: a Stage 1 review of the ISMS documentation, followed by a Stage 2 audit of how the controls are actually implemented and operated.
ISO-27001 Certification – 2 weeks
At the close of the Stage 2 external audit, compliance is confirmed, but issuing the formal certificate can take up to 10 working days.
Year 2 and Year 3 Audits and Reports
At 12 and 24 months after certification, two external surveillance audits are conducted to confirm ongoing compliance; at the end of year 3 the full recertification cycle begins again.