Let us be honest about timelines. A typical ISO 27001 certification takes six to twelve months, because the standard requires your Information Security Management System (ISMS) to operate for a period before an external auditor can certify it. What you absolutely can do in 90 days is build the foundation properly, so the rest of the journey is execution, not firefighting.
The mistake I see most often is teams buying a pile of policy templates on day one and calling it progress. Documents are not an ISMS. An ISMS is a working system of decisions: what you are protecting, what could go wrong, what you are doing about it, and how you keep improving. Here is how to stand that up in a quarter.
Days 1 to 30: scope, context and buy-in
- Define the scope precisely. Which products, services, locations and teams are in? A tight, honest scope is the single biggest lever on cost and timeline. Overscoping is the classic way to stall.
- Understand context and interested parties. Customers, regulators, partners: what do they require of you? This shapes everything.
- Secure leadership commitment. ISO 27001 demands top-management involvement. Name an owner, agree the budget, and put the ISMS on the leadership agenda.
- Run an honest gap assessment. Where are you today against the clauses and the Annex A controls? This becomes your roadmap.
A tight, honest scope is the single biggest lever you have on the cost and the timeline of certification.
Days 31 to 60: risk and the core of the system
- Run a risk assessment. Identify your information risks, assess them consistently, and decide how to treat each one. The risk assessment, not the policy pack, is the engine of the ISMS.
- Build the Statement of Applicability (SoA). Decide which Annex A controls apply, and justify any exclusions. This is a mandatory, audit-central document.
- Write the policies you will actually follow. Start with the mandatory ones and the high-risk areas. Practical and used beats comprehensive and ignored.
- Define your risk treatment plan. Owners, actions and timelines: the bridge from "we know our risks" to "we are doing something about them."
Days 61 to 90: operate, evidence and plan the audit
- Start operating the controls and capturing evidence. Access reviews, logs, training records, supplier checks: certification depends on showing the system runs, not just that it exists on paper.
- Roll out awareness training. People are in scope; a simple, well-run awareness programme is quick to start and visible to auditors.
- Schedule your internal audit and management review. Both are mandatory before certification. Booking them now sets the rhythm for the months ahead.
- Engage a certification body. Lead times can be long, so start the conversation in the first quarter, not when you think you are ready.
Practical tips for a fast, sane start
- Scope narrow, expand later. Certify the part of the business that needs it first; widen the scope at the next surveillance audit.
- Reuse one backbone. The same ISMS satisfies much of NIS2 and DORA too. Build once, map to many, rather than running parallel programmes.
- Evidence as you go. Retrofitting six months of records the week before an audit is painful and obvious. Capture from day one.
- Avoid template overload. A lean set of documents you follow beats a 200-file library nobody reads.
- Treat it as a management system, not a project. The "continual improvement" loop is the point; certification is a milestone, not the finish line.
What "done in 90 days" really means
At the end of a focused quarter you should have: a defined scope, leadership commitment, a completed risk assessment, a Statement of Applicability, the core policies, a risk treatment plan in motion, controls beginning to operate, and a certification body engaged. That is not a certificate, but it is the hard part finished. Everything after it is steady execution toward the audit, with no nasty surprises.
Starting your ISO 27001 journey?
We scope, assess and lead ISO 27001 implementations, building one backbone that also serves your NIS2 and DORA obligations, with certification support along the way.
This article is general information from circl3.tech, not a guarantee of certification timelines. Actual effort depends on your scope, maturity and the certification body; we recommend a scoped assessment for your organisation.