
Planning your ISO 27001 journey: from start to certificate

Written by Dennis van de Wiel
Last updated on Dec 23, 2025

You've decided that ISO 27001 certification is valuable for your organisation. But how do you approach this? What are the steps, how much time does it take, and who should you involve? This article gives you a concrete roadmap from start to certificate, based on what we see with dozens of startups and scale-ups successfully completing this journey.

Why planning is crucial for ISO 27001 success

Most organisations that get stuck in their ISO 27001 journey don't do so for lack of knowledge or budget. They get stuck for lack of planning. Without clear milestones, nobody knows where they stand. Without clearly allocated time, compliance always loses to "more urgent" matters. And without dedicated responsible parties, nobody picks up the ball and nothing moves forward.

A good plan prevents three classic pitfalls. First, it prevents scope creep—wanting to certify more and more than originally intended. Second, it prevents planning paralysis—endlessly analysing without ever actually starting. And third, it prevents last-minute stress—discovering three weeks before the audit that crucial matters aren't in order.

The best ISO 27001 journeys we see are characterised by three things: a dedicated project leader who's available six to eight hours per week, management that makes quick decisions instead of deliberating for weeks, and a realistic plan of twelve to eighteen weeks instead of the illusion that it can be done in six weeks.

The journey in six concrete phases

Phase 1: Preparation lays the foundation (week 1-2)

The first two weeks determine whether the rest of your journey runs smoothly or constantly falters. In this phase you determine your scope—what exactly you are certifying, and what deliberately stays out of scope. You assemble your project team and make clear who's responsible for what. You set up the Tidal platform and connect the first systems, such as your cloud environment and identity provider. And crucially, you communicate to the organisation what's going to happen and why.

For an organisation of ten to fifty people, this means approximately eight to ten hours of work for the project leader, and two to three hours for management to approve scope and budget. For organisations of fifty to two hundred people, somewhat more time is added—twelve to sixteen hours project leader, four to six hours management—mainly because more stakeholders must give input on scope.

At the end of this phase you have a project plan with a realistic timeline, a scope document describing what will and won't be certified, and a working Tidal account with your first integrations. If you do this well, you have momentum and phase two can start immediately. Do it sloppily, and you begin every following phase with uncertainty about what exactly needs to happen.

Phase 2: Setting up your ISMS creates insight (week 3-5)

Weeks three to five are about understanding where you stand. You conduct a risk inventory: what information must you protect, what are the threats, and how likely and impactful are these? You create an asset mapping: which systems, data and processes are critical for your organisation? And you do a gap analysis: what does ISO 27001 require, and what do you already have versus what's still missing?

Tidal helps enormously in this phase by structuring the risk assessment with predefined scenarios for common IT risks. Instead of thinking from scratch about all possible threats, you get a starting point that you adapt to your situation. The automatic tests that run via integrations on your Microsoft, Google or AWS environment give direct insight into your current security posture. And the gap analysis against ISO 27001 Annex A shows precisely which controls you still need to implement.

For smaller organisations, this phase means twelve to sixteen hours of work for the project leader, and four to six hours for stakeholders who give input about risks and assets in their domain. For medium-sized organisations that's twenty to twenty-four hours project leader and eight to twelve hours stakeholders, because there are more systems and processes to inventory.

The result is a risk assessment report showing which risks you've identified and how you deal with them, an asset inventory with classifications indicating which information is most critical, a gap analysis with a concrete action list of what you must implement, and a Statement of Applicability explaining which Annex A controls you do and don't implement and why.

Phase 3: Implementation brings you to compliance (week 6-10)

Weeks six to ten are the heaviest of the journey. This is where you actually implement controls, write policies, adjust technical configurations, and train people. It often feels like you'll never finish, but with good planning and the right tools it's absolutely achievable.

You select and implement controls based on your risk assessment. You write policies and procedures—or rather, you adapt templates for your organisation. You configure technical controls such as multi-factor authentication, access controls, and logging. You roll out a training and awareness programme so your team knows what's expected of them. And towards the end of this phase you approach external ISO auditors and schedule the certification audit.

The Tidal platform saves enormous time in this phase. The ninety-three predefined controls from ISO 27001 Annex A give you a complete overview of what you must implement. The thirty-plus policy templates adapted to Dutch legislation mean you don't have to write from scratch. The automatic compliance tests for cloud environments continuously check whether your configurations comply. And being able to assign and monitor tasks ensures that manual activities aren't forgotten.

For small organisations, this phase requires sixteen to twenty hours from the project leader and eight to ten hours from the broader team implementing controls. For medium-sized organisations that's twenty-four to thirty-two hours project leader and sixteen to twenty hours team. The difference mainly lies in the number of systems that need configuring and the number of people that need training.

If you do this well, by the end of week ten you'll feel that your organisation has genuinely become more secure, not just compliant on paper. You have implemented controls with evidence that they work, approved policy documents, trained employees who know their responsibilities, and a scheduled certification audit.

Phase 4: Monitoring and measuring proves it works (week 11-12)

Weeks eleven and twelve are about validating that what you've implemented actually works as intended. You critically review your control implementation. You conduct an internal audit—or have it done by someone independent of the implementation team. You hold a management review where the board discusses progress and makes decisions. And you follow up on the action items that come out of the audit.

Tidal's automated monitoring of technical controls means you don't have to manually check whether backups are still running or access rights still match. The internal audit checklist with evidence makes it easy to systematically go through all requirements. The management review templates and dashboards give management direct insight into status and risks. And the corrective actions system ensures that improvement points aren't forgotten.

This phase requires eight to twelve hours from the project leader and four to six hours from auditors and management for smaller organisations. For medium-sized organisations that's twelve to sixteen hours project leader and six to eight hours auditors and management. The time differs mainly in how long the internal audit takes—more systems and processes means more time needed to review everything.

The result is an internal audit report that objectively assesses whether you comply with ISO 27001, management review minutes showing that the board is involved, and corrective action plans for matters that still need improving before the certification audit.

Phase 5: Certification is the final validation (week 13-14)

Weeks thirteen and fourteen are the moment everything has been working towards: the external audit. This consists of two parts. The first part (the Stage 1 audit) is a documentation review where the auditor checks whether you have all required documents and whether these are of sufficient quality. The second part (the Stage 2 audit) is an on-site assessment where the auditor conducts interviews, checks systems, and validates that practice corresponds with what you've documented.

If non-conformities are found—matters that don't comply—you must resolve these before the certificate can be issued. Small findings you can usually fix within a week. Larger non-conformities can cost extra weeks or even months. Within two to four weeks after a successful audit you receive your ISO 27001 certificate.

Tidal helps through real-time evidence access during the audit—the auditor can directly see that your controls work without you having to make screenshots. The non-conformity tracking and resolution workflow ensures you systematically address all findings. And the operational planning helps you keep monitoring after certification.

For the project leader, this phase means four to six hours of work for a small organisation and six to eight hours for a medium-sized organisation, plus the days that the auditor is on-site. Those audit days vary—usually one to two days for smaller organisations, two to three days for medium-sized.

The end result: an ISO 27001 certificate valid for three years, an audit report with any improvements for the future, and a scheduled surveillance audit that annually checks whether you maintain the level.

Who you need on your team

A successful ISO 27001 journey stands or falls with the right people in the right roles. You don't need twenty people, but the people you have must have dedicated time available.

The ISMS Manager or project leader is mandatory and the linchpin of the project. This is often a compliance manager, IT manager, or operations manager who invests six to eight hours per week. This person coordinates the project daily, communicates with stakeholders, manages the Tidal platform, and monitors progress. Without this dedicated responsible party, the project gets stuck.

The Management Sponsor is also mandatory—usually the CEO, CTO, or a senior manager. This person invests less time—one to two hours per week and four hours for the management review—but their role is crucial. They approve budget, take on escalations, approve policies, and chair the management review. Without management commitment you get no priority and no budget for what's needed.

The Implementation Team consists of two to four people from IT, HR, Operations, and possibly Legal, depending on your scope. They invest zero to four hours per week per person, depending on how many controls fall in their domain. They implement controls, give input for the risk assessment, and review policies for their area.

The Internal Auditor can be internal or external, but must always be independent of the implementation team. This person invests one to two days for the audit. They plan the internal audit, execute it, identify non-conformities, and report to management. For small organisations, one person can combine multiple roles, except the internal auditor—they must truly remain independent.

What must your team be able to do? Project management is essential—planning, coordinating, communicating. Organisational knowledge is crucial—understanding processes, systems, stakeholders. And willingness to learn is important—ISO 27001 can be learned during the project, you don't need to be an expert to start.

Nice to have but not essential: compliance experience with ISO 27001, GDPR, or other standards helps, but isn't necessary. IT security knowledge helps in understanding technical controls, but Tidal provides implementation instructions. Audit experience helps you know how auditors think, but the templates guide you through the process.

Realistic timelines and what influences them

The total project duration for a small organisation of ten to fifty people is twelve to fourteen weeks. For medium-sized organisations of fifty to two hundred fifty people that's sixteen to twenty-two weeks. These are realistic timelines for organisations that approach it seriously with dedicated resources.

What accelerates the journey? Experience with compliance projects helps enormously—if you've previously implemented GDPR or other standards, you recognise patterns. A dedicated project leader who's available part-time can quickly resolve blockages. Management that makes decisions directly instead of letting everything sit for a week prevents waiting times. And Tidal expert support can help you find shortcuts and avoid pitfalls.

What delays the journey? A complex IT landscape with dozens of legacy systems and external dependencies takes more time to inventory and secure. Multiple locations or business units require more coordination and documentation. Limited availability of the team—if everyone only has one hour per week—means everything takes longer. And lack of management commitment ensures decisions are postponed and priority is absent.

How do you stay on track during the journey

The question we hear most: "how do we know if we're on track?" Tidal gives you multiple indicators. The completion percentage per phase and overall directly shows how much you've completed. Risk coverage shows the percentage of risks with adequate controls—you want to see this above ninety percent. Document approval status shows which policy documents still need approving. And team engagement via task progress shows whether everyone's doing their part.

Additionally, there are key milestones you must hit. In week two you must have Tidal in use and have completed the getting-started steps. In week five your risk assessment must be one hundred percent complete. In week eight all necessary controls must be implemented. In week eleven your internal audit must yield no major findings. And in week thirteen your management review must have been held.

If you hit these milestones, you're on schedule. Miss a milestone by a week? No panic, but time to analyse why and adjust. Miss multiple milestones by multiple weeks? Then you must either deploy more resources, or adjust your planning and reschedule the audit.

Common planning questions

"Can we accelerate the journey?" is often asked. The answer: yes, but not everything. Control implementation you can accelerate by deploying extra people. Documentation you can accelerate with templates and parallelisation. Team training you can accelerate through intensive sessions instead of spread over weeks.

But some things cannot be accelerated. The internal audit must come after implementation, not before—you can't audit what doesn't yet exist. The management review cycle must be given time—management must be able to reflect on what exists. And external audit scheduling has lead time—auditors plan weeks to months ahead.

"What if we need to change scope along the way?" is a justified concern. Small changes like adding or removing assets are usually doable within the project. Tidal makes scope adjustments technically easy. Large changes like new locations or business units cost two to four weeks extra and possibly require rescheduling the audit.

After certification, scope changes are also possible but require extra audit days. It's better to be more complete during scope determination than having to expand later—that costs more time and money.

The next step: from plan to action

You now have a roadmap from start to certificate. The most effective way to start: set up your Tidal account this week and invite your team. Schedule stakeholder interviews for next week—not next month. Block time in your calendar for the coming three months—otherwise it disappears under "more urgent" matters. And communicate the project to the organisation—transparency creates support.

A crucial insight: project momentum. Start within two weeks after the decision to go for ISO 27001. The longer you wait, the more other priorities intervene and the greater the chance the project gets postponed. The best time to start was yesterday. The second-best time is now.

If you want to know how Tidal can help you complete your ISO 27001 journey in twelve to fourteen weeks instead of the traditional six to nine months, contact us for a demo. We'll show you how other startups and scale-ups have halved their certification time and what that concretely means for your planning.