ISO 27001 in 10 Weeks vs 6 Months: What Actually Changes?
"Anyone who tells you ISO 27001 takes ten weeks is cutting corners." We have heard this from competitors, from auditors at other firms, and occasionally from prospects who have already been told it by someone else. It is a useful objection to address head-on, because the answer reveals the difference between two genuinely different delivery models. And the difference is not what most founders assume. This guide explains exactly what the 10-week model compresses, what it does not compress, and how to tell the difference between a fast-track that works and a fast-track that gets you a certificate the buyer rejects.
The standard does not specify a timeline. ISO/IEC 27001:2022 specifies that an organisation must have a documented Information Security Management System covering the 93 Annex A controls (where applicable, justified through a Statement of Applicability), a risk assessment and treatment plan, an internal audit, a management review, and demonstrable evidence that controls are operating. None of those requirements has a calendar attached. The six-month timeline is a delivery convention, not a standards requirement. It exists because traditional consultancies run fortnightly workshops, write documentation from scratch for each client, and book audits late in the project.
Three things are compressed in a properly structured fast-track engagement. First, documentation cycle time: a traditional engagement writes 32-plus ISMS policies from a blank page over 8 to 12 weeks of fortnightly drafts, while a fast-track engagement starts with a pre-built, audit-tested policy suite covering all 93 Annex A controls, then tailors each document to your environment, scope, and risk profile in concentrated 1 to 2 week blocks. The output is the same: fully customised, audit-ready documentation. The cycle time is 70% shorter. Second, workshop scheduling: traditional projects schedule one or two hours of consultant time per week, while a fast-track engagement runs concentrated working sessions, typically half-day blocks, that move three or four workstreams forward in parallel. Third, audit body lead time: UKAS-accredited certification bodies are routinely booked 8 to 12 weeks ahead, and a fast-track engagement books the audit slots at project kickoff so the audit calendar runs in parallel with the implementation.
What the 10-week model does not compress is the part that matters for buyers asking the awkward questions. The audit itself, conducted by an independent UKAS-accredited certification body, takes the same number of auditor-days regardless of how the project was run. There is no shortcut. The control evidence period also remains: auditors expect to see controls operating, not just documented. A 10-week project provides 4 to 6 weeks of operating evidence by the time of Stage 2, which is sufficient for first certification under ISO/IEC 27006 guidance. The risk assessment on a 10-week project contains the same 150-plus entries, the same control mapping, and the same treatment decisions as a six-month project.
To tell a real fast-track from a corner-cutting one, ask any consultant promising a fast timeline five questions. Which UKAS-accredited certification body will conduct the Stage 1 and Stage 2 audit, and have you booked the slots? Will the team write a tailored Statement of Applicability against all 93 Annex A controls, or will you receive a generic SoA? How many clients passed Stage 2 on first attempt in the last twelve months? Who is the named lead auditor on the engagement and what are their credentials? What happens if you fail Stage 2? If a fast-track provider can answer all five clearly, the timeline is real. If they hedge on any of them, you are not buying speed. You are buying risk.
Two reasons explain why six-month projects are still common, neither of which serves the client. First, hourly billing: a consultancy that bills 150 to 200 pounds per hour against an open-ended scope earns more from a 30-week project than a 10-week project. Fixed-fee structures align the consultant's incentive with the client's. Second, internal capacity constraints: traditional consultancies allocate consultants across many concurrent projects at a few hours per week each, and a 10-week project requires concentrated capacity that stretches their calendar.
ISO 27001 in ten weeks is not a marketing gimmick. It is what happens when documentation is pre-built rather than written from scratch, workshops run in concentrated blocks rather than fortnightly drips, and audits are booked at kickoff rather than at the end. The standard is the same. The certificate is the same. The buyer's procurement team cannot tell the difference, and that is the point. What changes is the date the deal closes.