How Long Does ISO 27001 Certification Really Take? Realistic Timelines by Company Size
- May 7
- 4 min read

How long does ISO 27001 take? It is the first question most organisations ask, usually because there is a deadline driving the enquiry. A contract that requires certification by Q3. An investor that wants to see a security framework before closing. A tender submission that demands evidence of information security governance.
The honest answer is that it depends on where you start, how big you are, and how fast your leadership team makes decisions. But vague answers do not help you plan. So here are the realistic timelines I see across my client base, broken down by company size and starting maturity.
Startup with Nothing in Place: 5–7 Months
For a post-seed or Series A startup with fewer than 50 employees, a single primary product, and cloud-based infrastructure, the typical timeline from first engagement to a completed Stage 2 audit is five to seven months. This assumes no existing ISMS, limited formal documentation, and a team that has not been through an ISO audit before.
The breakdown looks roughly like this. Scoping and context analysis takes about two weeks. The gap analysis and roadmap development takes another two to three weeks. Building the risk assessment, Statement of Applicability, and core documentation takes six to eight weeks, with control implementation and staff training running concurrently over four to six of those weeks. The internal audit takes one to two weeks. The external audit, Stage 1 and Stage 2, takes two to three weeks including any gap between stages. Added together, those phases come to roughly thirteen to eighteen weeks of working time, noticeably less than five to seven months; the difference is the time spent waiting for approvals, scheduling interviews and audit dates, and letting the ISMS operate long enough to produce the records the auditor will ask to see.
This is an achievable timeline, but it requires consistent engagement from the leadership team. The biggest risk to it is not the technical work. It is waiting for decisions.
SME with Some Policies in Place: 3–5 Months
For a mid-sized company with 50 to 250 employees that already has some documented policies, a password manager, access controls, and perhaps Cyber Essentials certification, the timeline shortens to three to five months.
The acceleration comes from having a starting point. If you already have access controls documented, an acceptable use policy, a basic incident response process, and some awareness training in place, the gap analysis identifies targeted work rather than a blank canvas. The documentation phase is shorter because you are refining and formalising existing practices rather than creating everything from scratch.
The risk at this size is coordination. More departments, more stakeholders, more systems, and more people who need to be involved in risk assessments, interviewed during audits, and trained on their responsibilities. Strong project management and a clear internal champion make the difference between three months and five.
Enterprise Extending Scope: 6–12 Months
For a larger organisation with an existing security function, multiple locations, complex IT infrastructure, and potentially other management systems already in place, the timeline extends to six to twelve months or more.
The additional time is not because ISO 27001 is harder for larger organisations. It is because scope is wider, stakeholder engagement takes longer, risk assessments are more complex, and the documentation needs to cover more ground. If the organisation has multiple sites, auditor travel and on-site assessment time increases. If there are complex supply chains, supplier management controls require more evidence.
For enterprises that already hold ISO 9001, ISO 14001, or ISO 45001, there are efficiencies to be gained through an integrated management system approach. All of these standards share the Annex SL structure (now called the Harmonized Structure), so the common clauses on context, leadership, planning, support, operation, performance evaluation and improvement can be aligned, and a single management review, internal audit programme and document control process can serve several systems, reducing duplication.
What Actually Slows Things Down
In my experience, the factors that delay ISO 27001 projects are rarely technical. They are organisational.
Decision paralysis is the most common culprit. The risk assessment identifies an issue. Management cannot decide on the risk treatment. Weeks pass. The same applies to policy approvals, scope decisions, and resource allocation. The most effective clients empower a single person to make decisions and escalate only when genuinely necessary.
Leadership availability is the second factor. ISO 27001 requires visible top management commitment. Management reviews need to happen. Policies need to be endorsed. If the CEO or CTO is perpetually unavailable, the project stalls.
Risk assessment delays occur when organisations overthink the methodology, try to assess every conceivable risk, or get trapped in analysis paralysis. A pragmatic, focused risk assessment that covers the real threats to your real assets is far more valuable than an exhaustive theoretical exercise that takes months to complete.
And underestimating internal audit time is common. The internal audit is not a formality. It is a rigorous assessment that needs to be planned, resourced, and conducted by someone independent of the ISMS implementation. The certification body will expect to see it completed, its findings addressed, and a management review held before Stage 2, so leaving it to the last week before the external audit is a recipe for unpleasant surprises.
How to Accelerate Your Timeline
If you have a hard deadline, there are practical ways to shorten the timeline without cutting corners.
Define a tight, focused scope. The narrower your initial scope, the fewer controls, the less documentation, and the fewer audit days required. Certify what matters most first and expand later. The caveat is that the scope must still cover the product, systems and people the contract or customer is actually asking about, and every exclusion has to be justified in the scope statement and the Statement of Applicability; a certificate whose scope omits the service in question will not satisfy the deadline that started the project.
Appoint a dedicated internal champion. One person who owns the project, makes day-to-day decisions, and keeps the momentum going. This does not need to be a full-time role, but it needs to be a prioritised one.
Engage a specialist early. A consultant who has done this before can accelerate every phase: scoping, gap analysis, documentation, risk assessment, and audit preparation. You avoid the learning curve and benefit from templates, methodologies, and experience that would take months to develop internally.
And make decisions quickly. Every week a policy sits in someone’s inbox awaiting approval is a week added to your timeline.
If you have a deadline and want to understand whether it is achievable, book a free 20-minute scoping call. I will give you an honest assessment based on your size, starting maturity, and the time you have available.
Sampson ISO Audit & Consult Ltd