One of the overarching questions regarding the various ISO certifications is the timeline involved. The answer to this question is one that is not always easy to swallow, both for security managers and top management. The time, money and effort that are required can vary based on the organization seeking certification.
Note: For the benefits of ISO 27001 Certification, see our post on the Benefits of ISO 27001 Certification.
Often organizations employ external assistance in the ISO certification process. When searching for third-party assistance, such as consultants in ISO certification, it is important that you ask for their projected project timeline for the ISO certification process. If the third party's response to this question is an exact time frame, or a short time period, they are either inexperienced in the process of ISO certification or not being honest with you. (Here we have included a brief example of a presentation which highlights the process of Implementing ISO 27001.)
The time it takes to obtain ISO certification is dependent on various factors, making it difficult to determine how much time the ISO certification process will require for each organization. In our experience in our own ISO certification process and through assisting other organizations, we have determined the following factors are fundamental in developing a general estimate of the timeline for ISO Certification:
Despite the importance and benefits of being ISO certified, it may prove challenging to obtain the resources necessary to increase efficiency and lower the time needed to obtain ISO certification. One of the first (and potentially most important) tasks to accomplish is getting support from top management. Executive teams will be the gatekeepers to the resources, deciding how much money and manpower will be allocated to the certification process. In a perfect world you would get unlimited access to resources as needed. In reality, people and financial flexibility may not be available when needed for the ISO certification process.
This can be illustrated with a simple equation:
5 employees working 8 hours a day (40 human hours a day) allocated to the project, or 1 Quality Manager allocating 2 hours a day towards the certification process.
We would not be doing ourselves justice if we failed to mention how Risk Management Software and Tools can reduce the time it takes to complete the certification process.
The size of the organization can have a major impact on the time it will take to implement an ISO standard and get ISO certified. Smaller organizations may have more flexibility and ability to focus efforts on the ISO certification process, as well as less infrastructure that requires altering, thus reducing the total timeline of the ISO certification process. However, a smaller organization may face greater limitations with regard to the resources available to commit to the process.
On the other side of the coin, larger organizations may face such issues as bottlenecking during the bureaucratic process, immense infrastructures, budget constraints, and of course, limited resources to allocate to the ISO certification process.
The state of the management system can greatly reduce or increase the ISO certification time. Organizations that already have a management system in place will experience fewer "growing pains" in the process of ISO certification. Organizations that are starting from scratch will have more systems, controls, and processes to implement.
In order to obtain an understanding of the current state of the management system, a Gap Analysis can be performed. A Gap Analysis is the process where an organization determines its current status today and where it wants to be in the future, thus defining the "Gap" between the current state and the goal state. The Gap Analysis can be viewed as a checklist that gives management an indication of how long the ISO certification may be expected to take.
Analyzing and considering the available resources, size of the organization and management systems will not give you an exact answer as to how long the ISO certification will take, but can assist quality managers in proposing ISO certification project timelines to management teams.