How long does it take to implement ISO 27001?

One question that we are often asked is "how long does it take to implement ISO 27001?" With many organisations requiring ISO 27001 alignment or certification in short time periods due to tenders, bids or contracts, senior managers often need a quick answer to that question. In order to estimate this, a number of factors need to be considered, and these are outlined below.

1. Scope

The scope of the information security management system can have wide ranging impacts from a financial, resource and time perspective. A smaller scope will obviously require considerably less effort to implement and maintain than a larger scope, but a poorly scoped system will not provide any business benefit and may result in a non-conformity at external audit. Therefore, getting the scope right is imperative from a risk, cost, resource and time perspective. If the organisation is able to justify that a reduced scope enables effective risk management for their core assets then this can reduce the time required to implement ISO 27001, allowing shorter timescales to certification.

See our article on how to define ISO 27001 scope for more information.

2. Resources

The resources available to implement, manage and maintain the information security management system can arguably have the largest impact on the time it takes to achieve ISO 27001 certification. As is so often the case with security, if the ISMS is handed to the IT department to manage in addition to their day jobs, implementation will likely take much longer. However, if senior management are able to assign dedicated resources to the implementation and management of the system, this time can be significantly reduced and the result will be a more effective system in shorter timescales. In addition to the man hours required, senior management must also assign sufficient budget to implement controls, which may consist of new technology, processes or even physical premises. Resource and budget must be assigned for any project to be successful, but this is especially important when implementing ISO 27001 in tight timescales.

3. Size

As a follow-up to point 1, the size of the organisation will also have an impact on how long it may take to implement ISO 27001. A small organisation with 5-10 employees, one office and a small network will obviously be much easier to manage from a risk perspective than a multi-national with thousands of employees and global offices. While the ISMS does not need to be implemented organisation-wide, the size of the organisation will obviously have an impact on how the ISMS can be scoped. For example, it may not be effective to scope an ISMS around one office building when the company operates nationwide or even globally.

4. Maturity

The organisation's current maturity is a key point in understanding how long it will take to implement ISO 27001. For example, an organisation with a poor policy landscape, no understanding of its risks and no in-house expertise to implement an ISMS will obviously take much longer than a company that is already aligned with industry best practice. To understand the current posture, it is recommended that a gap analysis is undertaken against the control framework, so that the time required can be estimated from the gaps that actually exist.

So, with the above points considered, how long does it take to implement ISO 27001? Well, a medium-sized organisation dedicating full-time resource can expect to implement and operate a fully functioning information security management system in between 8-12 months. This may seem longer than you first anticipated, but the time allows a culture of information security to take hold and policies/procedures to be implemented, communicated and, most importantly, understood. Documenting policies and procedures in an incoherent, rushed manner can lead to a disjointed and unfamiliar framework for employees to adhere to. Therefore, an 8-12 month time period allows the organisation to understand and define its requirements (policies) and implement working practices to support these requirements (procedures).

[Figure: ISO 27001 implementation. ISO 27001 requires continual improvement via a plan, do, check, act life cycle.]

For larger organisations, an estimated time frame can be between 12-15 months to allow for wider distribution, training, communications and audits to take place. It is important for organisations to understand that these initial time frames are indicative for implementing and operating the system, but an ISMS requires continual improvement as part of the plan, do, check, act life cycle. Therefore, senior management must ensure that, once ISO 27001 certification has been obtained, sufficient resources are assigned to manage the system on an ongoing basis.

In conclusion, when initiating the ISO 27001 journey the first questions that pop into senior managers' heads are: how much is this going to cost? And how long does it take to implement ISO 27001? While these are legitimate questions that require answers, there is no single answer that can be accurate enough. The organisation needs to understand its environment, size, scope, budget, resource and maturity before a number or date can be estimated for ISO 27001 implementation. However, as a rule of thumb, ISO 27001 implementation timescales for medium to large sized organisations can take anywhere between 8 months and 2 years.
