ISO 27001 in 12 Months: What the Case Studies Actually Show
Every ISO 27001 consultant will tell you "it takes 9 to 12 months." Every ISO 27001 vendor will offer you a 90-day sprint to certification. Both are technically defensible, and both are somewhat misleading.
The 9-to-12-month figure is real. Across six organisations we have taken through ISO 27001 and related certifications, the range was 11 to 14 months from engagement start to first clean audit. Not 9. Not 6. Not 90 days. But also not the 18 to 24 months that organisations managing the process alone frequently report.
Here is what those six engagements looked like:
OrganisationFramework(s)Time to certification readinessGuroo LearningISO 27001, ISO 900111 monthsApromoreISO 27001, ISO 9001, SOC 2 Type II12 monthsVeridaptSOC 211 monthsKaplan AustraliaISO 2700113 monthsFiskilSOC 2, Consumer Data Right14 monthsCreditorWatchISO 27001, SOC 212 months
These are real engagements with named contacts, published outcomes, and confirmed timelines. The first thing these numbers should tell you is that the variance matters as much as the average.
What Drives the Lower End of the Range
Guroo Learning reached certification readiness in 11 months without hiring a single internal compliance resource. Three factors drove the pace. First, their technical environment was relatively contained — a cloud-native infrastructure with a well-defined scope. Second, their General Manager was a committed internal champion: someone with the authority to enforce policies and the mandate to allocate team time to compliance tasks. Third, they chose a single certification target initially (ISO 27001) and added ISO 9001 as a parallel rather than a separate workstream.
Veridapt also reached SOC 2 readiness in 11 months, with zero new compliance hires. The mechanism was the same: a contained cloud environment, a founder-level champion who treated compliance as a deal enabler rather than a distraction, and a clear initial scope that did not attempt to include every system from day one.
The pattern at the lower end of the range is not speed for its own sake. It is the absence of the factors that slow programmes down.
What Drives the Higher End of the Range
Fiskil took 14 months — the longest in the corpus — because they were simultaneously navigating SOC 2 and Consumer Data Right requirements. Those two frameworks overlap but do not align cleanly. CDR imposes specific technical and procedural requirements that do not map directly onto the SOC 2 control set. Reconciling them required deliberate framework alignment work, not just stacking one onto the other. The 14-month timeline was not a failure. It was an accurate reflection of genuine complexity handled methodically.
Kaplan Australia took 13 months. They were operating as a registered higher education provider under TEQSA, ASQA, and state-based regulatory requirements, all of which added complexity to scope decisions and control design. They also achieved a clean first-pass audit — no non-conformances — which reflects the quality of the preparation rather than the speed of it.
The higher end of the range is driven by framework complexity, regulatory specificity, and scope decisions made in the first 60 days of an engagement. It is rarely driven by poor execution.
What the 90-Day Promises Actually Deliver
There are certification bodies who will conduct an expedited audit against a minimal control set. The result is technically a certificate. What it is not is a compliance programme that will hold up at first surveillance, answer rigorous enterprise vendor questionnaires, or survive a real incident.
We have seen the downstream cost of those sprints when organisations arrive at their first surveillance audit having drifted from controls they never operationalised, or when a major customer's security review reveals gaps the certificate was supposed to close. The more useful question is not "how quickly can we get the certificate" but "how long until the certificate means something."
A certification achieved with genuine control implementation, tested through internal audit, with staff who understand their obligations, is a defensible asset. A certification achieved against a minimum viable control set, with evidence collected by consultants who no longer work with you six months later, is a liability you are not yet aware of.
What QuickStart and Audit Assist Are Designed to Address
Cyberlinx's QuickStart programme is designed for organisations starting from scratch or with a limited compliance baseline. It establishes a rapid policy and risk foundation: the gap assessment, the scoped risk register, the core policy suite, and the control mapping that gives the engagement a defined starting point rather than an open-ended discovery phase. Guroo Learning, Veridapt, and Fiskil all started with QuickStart.
Audit Assist is designed for organisations that have a baseline programme in place and need to close the gap to certification readiness. The focus is on evidence quality, control implementation, and preparation for the audit cycle. Apromore, Kaplan Australia, and CreditorWatch used Audit Assist to push from a partially built programme to a clean first audit.
After either path, the Continuous Compliance Programme (CCP) maintains the programme continuously — handling evidence collection, monitoring, surveillance readiness, and policy updates as the organisation's environment changes — so that the certificate at month 11 or 14 is still accurate at month 23 when the surveillance auditor returns.
The Question Worth Asking Before You Start
The timeline question is usually framed as: how quickly can we get certified? The more useful question is: what does the programme look like at first surveillance? If the answer is "I don't know, we will deal with that when we get there," the programme has not been designed for sustainability — only for the initial certificate.
If you are planning an ISO 27001 or SOC 2 certification and want to understand what a realistic timeline looks like for your environment, contact Cyberlinx at info@cyberlinx.com.au to discuss scope.
Related Articles







