For a UK SME with no existing management system, realistic timelines run 4–9 months from kick-off to certification audit, depending on three factors.
**Starting point.** If you already have decent IT security practices but no formal ISMS documentation, you're closer to 4 months. If you're building security controls and a management system simultaneously, budget closer to 9.
**Internal capacity.** Someone needs to own this day-to-day — usually a CTO, Head of IT, or Compliance Manager carving out a few hours a week. Businesses that try to run certification entirely through an external consultant with no internal owner tend to stall at the evidence-gathering stage.
**Audit scheduling.** Stage 1 and Stage 2 audits with your certification body need booking in advance — popular UKAS-accredited bodies can have 4–6 week lead times during busy periods, typically Q1 and Q4.
A realistic phased breakdown:
- **Weeks 1–4:** Gap analysis, scope definition, risk assessment methodology
- **Weeks 5–12:** Control implementation (Annex A), policy and procedure documentation
- **Weeks 13–16:** Internal audit, management review, corrective actions
- **Weeks 17–20+:** Stage 1 audit, remediation, Stage 2 audit
The biggest timeline killer isn't the standard — it's evidence. Auditors certify against what you can demonstrate, not what you intend to do. Building evidence collection into business-as-usual from week one, rather than scrambling before the audit, is what separates a 4-month certification from a 9-month one.
Ready to talk about your business?
Book a free, no-obligation call. We will tell you exactly what certification would involve for your size, sector, and starting point.
