ISO 27001 in 90 Days: A Realistic Guide

Index

• Is 90 Days Realistic?
• Prerequisites
• The Timeline
• Common Blockers
• What Auditors Actually Check

Is 90 Days Realistic?

Yes. I have done it. At Omnio, we went from zero to ISO 27001 certified in 4 months. That included building the entire security program from scratch.

Most consultants will tell you 12 months. They are wrong, or they are billing hours.

The key is focus. If security is a priority and someone is dedicated to it, 90 days is achievable for a company under 50 people.

Prerequisites

Before you start the clock, you need:

• Executive buy-in: Someone with authority who will push blockers
• A dedicated person: At least 50% of their time on this project
• Basic hygiene: MFA enabled, encryption in place, access controls exist
• Cloud infrastructure: On-prem adds months of complexity

If you are missing any of these, add time accordingly.

The Timeline

Weeks 1-2: Scoping and Gap Analysis

• Define your ISMS scope (what systems, what data, what locations)
• Assess current state against ISO 27001 controls
• Identify gaps and prioritize

Weeks 3-6: Documentation

• Write core policies (Information Security Policy, Access Control, etc.)
• Create procedures that match what you actually do
• Document risk assessment methodology
• Build asset inventory and risk register

Weeks 7-10: Implementation

• Close technical gaps (logging, monitoring, backups)
• Implement missing controls
• Train employees on policies
• Collect evidence of controls operating

Weeks 11-12: Internal Audit and Management Review

• Conduct internal audit (required before certification)
• Hold management review meeting
• Address findings

Week 13+: External Audit

• Stage 1: Documentation review
• Stage 2: Implementation audit (usually 2-4 weeks after Stage 1)

Common Blockers

• No asset inventory: You cannot protect what you do not know you have
• Missing logging: Auditors want to see audit trails
• No backup testing: Having backups is not enough, you must test restores
• Incomplete access reviews: Who has access to what, and is it appropriate?
• No incident response plan: What happens when something goes wrong?

What Auditors Actually Check

Auditors sample. They do not check everything. They will look at:

• Evidence that policies exist and are followed
• Risk assessment process and results
• Access control implementation (they will ask to see specific user access)
• Change management records
• Incident logs (if any incidents occurred)
• Training records
• Management review minutes

The goal is demonstrating a working system, not perfection. If you can show continuous improvement, minor gaps are acceptable.