How long does ISO 27001 certification take?

Typical timeline is 6-12 months for initial certification. Factors affecting duration: organization size, existing security maturity, resource availability, and complexity of IT environment. Small organizations with good existing practices may certify in 3-6 months.

What policies are required for ISO 27001?

Core policies include: Information Security Policy, Access Control Policy, Risk Management Policy, Asset Management Policy, Human Resources Security Policy, Physical Security Policy, Operations Security Policy, Communications Security Policy, Incident Management Policy, Business Continuity Policy, Compliance Policy, and Supplier Security Policy.

What's the difference between ISO 27001:2013 and 2022?

ISO 27001:2022 reorganized controls from 14 domains (114 controls) to 4 themes (93 controls): Organizational (37), People (8), Physical (14), Technological (34). New controls address cloud security, threat intelligence, data masking, and secure coding. Organizations must transition by October 2025.

What is a good readiness score for certification?

Target 70%+ overall readiness before engaging a certification body. Critical requirements: formal risk assessment (100% required), core policies documented (100%), access controls managed, incident response tested. Some gaps are acceptable if you have a remediation plan.

How much does ISO 27001 certification cost?

Costs vary by organization size. Small organizations (< 50 employees): $10,000-$30,000 for audit fees, plus $20,000-$50,000 implementation. Medium organizations: $30,000-$100,000 total. Large enterprises: $100,000+. Ongoing costs include annual surveillance audits and continuous improvement.

Technology

ISO 27001 Readiness Calculator

Evaluate your organization's readiness for ISO 27001 certification across all four control domains. Get maturity scores, gap analysis, and a prioritized roadmap to certification.

Quick Assessment Scenarios

Organizational Controls

Documented Security Policies

Risk Assessment Level

Asset Inventory Coverage

People Controls

Security Awareness Training

Technological Controls

Access Control Maturity

Incident Response Level

Related Calculators

You might also find these calculators useful

Compliance Gap Calculator

Analyze compliance posture and identify gaps

SOC Readiness Calculator

Assess Security Operations Center maturity

GDPR Fine Calculator

Estimate GDPR penalties based on violation type and circumstances

Vendor Risk Calculator

Assess third-party vendor security and compliance risk

Assess Your ISO 27001 Certification Readiness

ISO 27001 is the international standard for information security management. Our ISO 27001 Readiness Calculator evaluates your organization across all four control domains—Organizational, People, Physical, and Technological—providing a comprehensive maturity assessment and roadmap to certification.

Understanding ISO 27001:2022 Assessment

ISO 27001:2022 reorganized information security controls into 4 themes with 93 controls total. This assessment evaluates your implementation across Organizational controls (37), People controls (8), Physical controls (14), and Technological controls (34). Organizations typically need 6-12 months to achieve certification, with about 60% passing on their first audit attempt.

Readiness Formula

Readiness = (Org × 0.35) + (Tech × 0.30) + (People × 0.20) + (Physical × 0.15)

Why Assess ISO 27001 Readiness?

Identify Control Gaps

Discover which of the 93 controls need implementation before certification. Focus resources on high-priority gaps.

Plan Certification Timeline

Get realistic estimates for time to certification based on your current maturity level and identified gaps.

Prioritize Implementation

Understand which control domains need the most attention. Address critical gaps before minor improvements.

Reduce Audit Risk

Organizations that assess readiness beforehand have higher first-time pass rates. Avoid costly re-audits.

Build Business Case

Quantify the effort required for certification to justify budget and resources to leadership.

Track Progress

Re-assess periodically to measure improvement and maintain momentum toward certification.

How to Use the ISO 27001 Readiness Calculator

Common ISO 27001 Assessment Scenarios

Pre-Certification Planning

Organizations beginning their ISO 27001 journey. Establish baseline and create implementation roadmap.

Gap Analysis

Identify specific control gaps before engaging a certification body. Prioritize remediation efforts.

Surveillance Audit Prep

Already certified organizations preparing for annual surveillance audits. Ensure continued compliance.

Re-Certification Assessment

Prepare for the three-year re-certification audit. Verify all controls remain effective.

Vendor Assessment

Evaluate supplier security posture against ISO 27001 requirements during procurement.

Board Reporting

Generate quantitative metrics on security maturity for executive and board presentations.

Frequently Asked Questions

ISO 27001 requires: (1) Management commitment and ISMS policy, (2) Risk assessment and treatment plan, (3) Implementation of relevant controls from Annex A, (4) Documentation of policies and procedures, (5) Internal audit program, (6) Management review, (7) Continuous improvement process. The 2022 version has 93 controls in 4 categories.

Assess Your ISO 27001 Certification Readiness

Understanding ISO 27001:2022 Assessment

Readiness Formula

Readiness = (Org × 0.35) + (Tech × 0.30) + (People × 0.20) + (Physical × 0.15)