6 Factors That Can Affect Your ISO 27001 Timeline
Thanks to the advent of Google Maps, we have the option to check our travel time before we depart for a destination.
In Florida, where Schellman is based, that's particularly helpful if you're traveling from Tampa to Orlando, since the latter is more often than not snarled in traffic that can cost you hours. Google Maps doesn't eliminate the traffic, of course, but it does set expectations for your trip so you can plan accordingly.
As an ISO Certification Body, we've completed over 400 ISO 27001 certifications in just the last 12 months, but pinning down a timetable for each client continues to be tricky. We'd like to be able to do that, to make things easier for you, but we can't do what Google Maps does and calculate an estimated time of completion.
The standard is too holistic and there are too many different variables that can affect your certification to say precisely, but that doesn’t mean we can’t help you at all when it comes to discerning your ISO 27001 timeline.
In this article, we will detail six factors that can affect how much time you’ll spend getting ISO 27001 certified. Read on to glean a better understanding of the internal elements within your organization that could play a part in condensing or extending your certification audit period.
Like Google Maps, we won't be able to clear any obstacles, but we will help you be in a better position to plan out your audit schedule with more reasonable expectations.
What Affects Your ISO 27001 Timeline?
ISO 27006, the standard that accredited certification bodies must follow when auditing an ISMS, provides guidance on projecting estimated certification timetables. The six factors below are the ones ISO 27006 considers when calculating potential audit time.
1. Your Preparation
The preparation demanded by ISO 27001 is so extensive that we wrote a whole blog about the steps you should take to ensure you're ready.
In our experience, it can take anywhere from 3 months to a year for an organization to fully prepare for their ISO 27001 certification.
You’ll need to do things like:
- Determine the scope of your information security management system (ISMS)
- Obtain management buy-in
- Define information security related roles and responsibilities
- Conduct risk assessment / treatment
- Establish a statement of applicability
- Perform an internal audit of your ISMS
- Set monitoring / measurement activities
Read our article on the ramp-up period for full details, but obviously the list of to-do’s is extensive. ISO 27001’s comprehensive approach to security will mean devoting enough time to put everything into place and perform checks. Your time spent doing all this will absolutely affect your overall timeline for certification.
2. Employee Count
The most readily quantifiable factor up front, the number of employees you plan to have in scope will also play a part in the total number of audit days needed during your initial audit process, meaning Stage 1 and Stage 2.
The correlation is simple: the more people that need to be interviewed by your certification body, the more time it will take, especially when you factor in fitting interviews into individual schedules.
ISO/IEC 27006:2015, which certification bodies are required to follow when performing ISMS audits, provides a baseline for the minimum audit time (in auditor days) based on the number of persons doing work under the organization's control (i.e., in-scope headcount). That baseline is a starting point; the organizationally specific factors discussed later can adjust it up or down.
3. Scope Modifications
We mentioned before that establishing your ISMS scope is something you do ahead of the actual certification process.
However, those first determinations don't always stick. When you make scope modifications after the fact, that can result in more or less audit time.
Actual additional time is calculated based on guidance from ISO 27006, but common modifications include adding or removing:
- Systems; or
- Processes.
4. Surveillance and Recertification Time
Those first three particularly affect the time needed for your initial certification audit. In turn, your initial audit affects the rest of your ISO 27001 process, namely the surveillance and recertification audits:
- Each of your surveillance reviews will take about 1/3 of the initial certification audit time.
- Your recertification review will take about 2/3 of the initial certification audit time.
So, if your initial audit took 12 total days, the surveillance review will span about four days while the recertification will span about eight days.
ISO 27001 certification is cyclical: after the initial certification audit, you go through rounds of surveillance audits followed by a recertification audit, and the size of that initial audit sets the baseline for everything that follows.
5. Nonconformities
Beyond that baseline, if your auditor identifies any major or minor nonconformities during those reviews, that may result in additional time needed.
Not only that, but you must address all identified nonconformities before your auditor can issue or re-issue your ISO 27001 certification: minor nonconformities need, at a minimum, an accepted plan for correction and corrective action, while major nonconformities must be corrected and remediated (with the corrective action verified by the auditor) before the certificate can be granted.
Correction and remediation time can vary from a matter of weeks to months, extending your audit timeline.
6. Organizationally Specific Factors
Aside from these more general factors, there are also some elements particular to your organization that come into play when calculating the number of days to be spent on the audit:
- The complexity of the ISMS (e.g., criticality of information, risk situation of the ISMS, etc.)
- The type(s) of business performed within scope of your ISMS
- The previously demonstrated performance of your ISMS
- The extent and diversity of technology utilized in the implementation of the various components of your ISMS (e.g. number of different IT platforms, number of segregated networks)
- The extent of outsourcing and third-party arrangements used within the scope of your ISMS
- The extent of information system development
- The number of sites / disaster recovery sites.
But these factors don’t always mean adding time to your projected schedule—sometimes, they can lead to a reduction in time spent.
What Will Extend Your ISO 27001 Timeline?
Those things that will require additional audit time include:
- Complicated logistics, e.g., more than one building or location in the scope of the ISMS;
- Potential language barriers, whether that be between auditors and staff or in documentation;
- Auditors having to visit temporary sites to confirm activities at the permanent site(s); or
- A high number of standards and regulations that apply to your ISMS.
What Can Help Shorten Your ISO 27001 Timeline?
Conversely, those things that can mean net less audit time include:
- A high level of preparedness for certification or a high maturity of the ISMS you have in place;
- Auditor prior knowledge of your organization (e.g., if you’ve already been certified to another standard by the same certification body, that familiarity helps);
- No/low risk product/processes;
- Processes involving a single general activity (e.g. service only); and
- A high number of persons doing work under the organization’s control performing the same tasks.
Moving Forward With Your ISO 27001 Certification
There are so many variables that can affect different aspects of your ISO 27001 certification that it's difficult to predict the experience until the work is actually being done. But as you continue to prepare your ISMS for future certification, you now understand many of the things that can either add time to your audits or save you some when the time comes.
While you consider next steps toward certification, read our content on the latest changes ISO has published, reasons to go through with getting certified, and even possible other compliance options that could benefit you in a pinch:
- ISO/IEC 27002:2022: A High-Level Breakdown of the Update
- 5 Big Benefits to Getting ISO 27001 Certified
- SOC 2 vs. ISO 27001: What are the Differences?
And, if you’d rather talk through the specifics of what your ISO 27001 timeline could look like, please feel free to reach out to us. We’re happy to set up a conversation to go over some of these variables as they affect your organization in particular so that you feel more comfortable in your future scheduling.