ucstoolkitucstoolkitucstoolkit
0
Compliance manager reviewing an ISO certification timeline and documentation checklist

How Long Does ISO Certification Take From Scratch? 2026

You have just been told that a tender, enterprise customer, insurer, or regulator expects ISO certification — and now someone has asked the awkward question: how long does ISO certification take if we are starting from zero? The honest answer is not “a few forms and an audit.” A small, focused business may reach certification in 3–6 months, but only if management gives the project time, documents are built quickly, evidence is collected properly, and the certification body has audit dates available. This guide gives you the practical timeline: what can move fast, what cannot, and where ISO documentation templates can genuinely reduce the work.

Quick Answer

ISO certification usually takes 3–6 months from scratch for a small or medium business with simple processes, committed leadership, and available staff. The formal certification audit process alone may take 6–10 weeks once the management system is ready, because it includes audit scheduling, Stage 1 audit, Stage 2 audit, and time to close any findings.

The fastest realistic route is to use ready-made ISO documentation, complete a focused gap analysis, run the system long enough to create evidence, perform an internal audit under Clause 9.2, hold management review under Clause 9.3, and then book a certification body. You can shorten documentation time, but you cannot skip implementation evidence.

In This Guide

How Long Does ISO Certification Take for a Small Business?

For most small businesses, ISO certification takes 3–6 months when starting from scratch. That range assumes you are implementing one standard, your processes are not highly regulated, and the project owner has real access to management, department heads, and records.

A company with 10–50 employees and one site can often move faster than a multi-site organization because fewer processes need to be mapped, fewer people need to be trained, and internal communication is simpler. A company with 100–500 employees may still certify in 3–6 months, but only if the scope is controlled and the project is not treated as spare-time admin.

How long does ISO 9001 certification take from scratch?

ISO 9001:2015 certification often takes 3–4 months for a small service business or office-based company that already has basic processes for sales, operations, purchasing, customer feedback, and corrective action. Manufacturing, construction, logistics, and technical service businesses usually need longer because process control, supplier control, inspection records, equipment checks, and nonconformity handling need stronger evidence.

ISO 9001 is usually the fastest starting point because it is broadly understood and focuses on the Quality Management System. If you are planning a project in the UAE, our ISO 9001 certification UAE guide explains the local certification path in more detail.

How long does ISO 27001 certification take compared with ISO 9001?

ISO 27001:2022 normally takes longer than ISO 9001:2015 because the Information Security Management System needs a risk assessment method, risk treatment plan, Statement of Applicability, and evidence for Annex A controls. A small SaaS, IT, or professional services company may complete ISO 27001 in 4–6 months, but it can take 6–9 months if access control, supplier security, incident response, asset management, or technical controls are immature.

The key difference is evidence. ISO 9001 evidence often comes from existing operational records. ISO 27001 evidence may require new security reviews, access reviews, risk treatment actions, policy rollouts, and control monitoring before the certification audit.

How long do ISO 14001, ISO 45001, ISO 22301, ISO 13485, ISO 15189, ISO 20000-1, and QHSE projects take?

Environmental, safety, business continuity, medical, laboratory, IT service, and integrated QHSE projects usually need more planning than a basic ISO 9001 project. ISO 14001:2015 needs environmental aspects, compliance obligations, operational controls, and emergency preparedness. ISO 45001:2018 needs hazard identification, legal requirements, consultation, and occupational health and safety controls. ISO 22301:2019 needs business impact analysis and continuity arrangements.

Specialist standards can take longer. ISO 13485:2016 for medical devices and ISO 15189:2022 for medical laboratories usually require stronger technical evidence and regulatory alignment. ISO 20000-1:2018 for IT service management needs service management processes that are actually operating, not just described. An integrated QHSE system can be efficient, but it still requires quality, environmental, and health and safety evidence to work together.

Starting Point Typical ISO Certification Timeline What Usually Drives the Timeline
Small business, one simple ISO standard 3–4 months Documentation, internal audit, management review, certification body availability
SME with several departments or one technical standard 4–6 months Process mapping, training, risk assessment, records, corrective actions
Multi-site business or complex operations 6–9 months Scope control, site consistency, legal requirements, evidence across locations
Highly regulated or specialist standard 6–12 months Technical validation, regulatory evidence, competence records, operational controls

Quick check: Before asking for the fastest possible date, define the certification scope. One office, one service line, and one standard is very different from certifying every branch, warehouse, project site, laboratory, or data center at the same time.

How Fast Can I Get ISO Certified If We Need It Urgently?

The fastest realistic ISO certification timeline is usually 8–12 weeks, but that assumes the business already has a working management system, basic records, trained staff, completed internal audit, completed management review, and a certification body with available audit dates. From true zero, 30 days is rarely credible.

Can you get ISO certified in 30 days?

You may be able to prepare a large amount of documentation in 30 days, especially if you use templates. You may also complete a gap analysis, define the scope, draft procedures, assign responsibilities, and train key staff. But certification is not only a document review. Auditors need to see that the system has been implemented.

A 30-day certification claim should be treated carefully. If a company has no internal audit, no management review, no corrective action records, no risk evidence, and no proof that procedures are used, the project is not certification-ready. It may be document-ready, but that is not the same thing.

Can you book the ISO certification audit before documents are ready?

You can contact certification bodies early and reserve dates, but you should not book Stage 1 and Stage 2 audits blindly. Certification bodies such as BSI, Bureau Veritas, DNV, SGS, LRQA, and Intertek will expect a defined scope and enough documented information to review before or during Stage 1.

Early booking makes sense when you have a credible project plan and leadership commitment. It becomes risky when the audit date is used to force a rushed implementation. If your documents are incomplete two weeks before Stage 1, you may end up paying for delays, rescheduling, or repeat audit time.

How long do you need to run the ISO system before the audit?

There is no universal rule that every ISO system must run for exactly three months before certification. The practical requirement is that you need enough records to prove the system is operating. For a simple ISO 9001:2015 Quality Management System, several weeks of evidence may be enough if processes are active and records are clear.

For ISO 27001:2022, ISO 14001:2015, ISO 45001:2018, ISO 22301:2019, ISO 13485:2016, ISO 15189:2022, and ISO 20000-1:2018, auditors may expect stronger evidence because risk controls, operational controls, business continuity arrangements, laboratory processes, service reviews, or compliance obligations need time to demonstrate.

Pro tip: If you are under tender pressure, separate “documentation prepared” from “certification achieved” in your internal plan. Templates can compress document creation dramatically, but audit evidence still needs real activity, dates, records, and responsible owners.

ISO Certification Timeline From Scratch: What Happens Week by Week?

An ISO certification timeline from scratch is easiest to manage when you break it into phases. The mistake is treating ISO as one task called “get certified.” It is really a sequence of decisions, documents, implementation evidence, internal checks, and external audit stages.

  1. Define the scope and certification objective: Decide which ISO standard applies, which locations, services, products, departments, and legal entities are included, and why certification is needed. A narrow, accurate scope is faster than an ambitious scope nobody can support.
  2. Complete a gap analysis: Compare current processes against the standard requirements. Identify missing policies, procedures, risk registers, records, controls, competence evidence, legal registers, or audit activities.
  3. Build the documented information: Prepare policies, procedures, forms, registers, risk assessments, objectives, process maps, and records required by the standard. This is where many projects lose weeks if everything is written from scratch.
  4. Implement the system: Train staff, assign process owners, start using the forms, collect records, review risks, track objectives, and make sure the management system is part of daily work.
  5. Run the internal audit: Conduct an internal audit under Clause 9.2 using a structured audit plan and checklist. Record findings, evidence, conformity, and any nonconformity.
  6. Hold management review: Complete management review under Clause 9.3. Top management should review performance, objectives, audit results, customer feedback, risks, opportunities, resources, and improvement actions.
  7. Close internal findings: Correct gaps before the certification body sees them. Corrective action is not just fixing a document; it means identifying the cause and making sure the issue does not repeat.
  8. Complete Stage 1 audit: The certification body reviews readiness, scope, documented information, and whether the organization appears prepared for Stage 2.
  9. Complete Stage 2 audit: The auditor tests implementation evidence, interviews staff, samples records, reviews processes, and decides whether the management system meets the standard.
  10. Close external audit findings: If minor nonconformities are raised, submit corrective action and evidence within the certification body’s deadline. Certification is issued after acceptance.

What happens between Stage 1 and Stage 2 ISO audits?

Stage 1 is a readiness review. The auditor checks whether the scope is clear, documented information is available, internal audit and management review have been completed, and the organization looks prepared for Stage 2. For many small businesses, Stage 1 may take 1 day. For larger or more complex organizations, it may take 1–2 days or more.

The period between Stage 1 and Stage 2 is used to correct readiness issues. This may include completing missing records, clarifying scope, strengthening risk assessment, improving legal compliance evidence, or closing obvious gaps before the full certification audit.

How long does it take to close ISO audit findings?

Minor findings may be closed in 1–4 weeks if the cause is simple and evidence is easy to produce. More serious findings can take 30–60 days or longer, especially when they require process changes, training, technical control improvements, supplier reviews, or additional records.

A major nonconformity can delay certification until the certification body accepts corrective action evidence. That is why a serious internal audit is worth the time. It is better to discover gaps internally than during Stage 2.

Quick check: Your project plan should include internal audit and management review before the certification audit. If those activities are missing from the timeline, the plan is not complete.

What Steps Take the Longest in ISO Certification?

The longest parts of ISO certification are usually documentation, implementation evidence, internal audit, management review, corrective actions, and audit scheduling. The standard itself is rarely the main delay. The delay comes from people being busy, decisions not being made, and records not existing when the auditor asks for them.

How much time do ISO documents take to prepare?

Writing ISO documents from scratch can take several weeks, even for a small business. You may need a quality policy, scope statement, process interaction map, risk register, objectives, documented procedures, forms, registers, internal audit plan, management review template, corrective action form, and records of competence, suppliers, customers, controls, incidents, or legal compliance.

The time depends on how much already exists. A business with clear processes may only need to structure and formalize existing information. A business with informal “tribal knowledge” must convert daily practice into documented information that staff can actually follow.

How long does internal audit take for ISO certification?

Internal audit time depends on the scope. A small single-site ISO 9001 audit may take 1–2 days including preparation, interviews, evidence review, and reporting. A more complex ISO 27001, ISO 14001, ISO 45001, or integrated QHSE audit may take several days because more processes, risks, controls, sites, or legal obligations need to be sampled.

The audit itself is not just a checklist exercise. Under Clause 9.2, the organization must evaluate whether the management system conforms to its own requirements and the ISO standard. That means the auditor needs evidence, not opinions.

How long does management review take before ISO certification?

The meeting may only take 1–3 hours for a small organization, but preparation takes longer. Clause 9.3 expects management to review system performance, audit results, customer satisfaction, objectives, nonconformities, corrective actions, risks, opportunities, resources, and improvement needs.

Weak management review minutes are a common audit problem. The meeting should show decisions, actions, owners, deadlines, and resource commitments. A page of generic notes saying “everything is fine” is not strong evidence.

What Documents Do You Need Before the ISO Certification Audit?

You need enough documented information to show that the management system is defined, implemented, monitored, and improved. The exact documents depend on the standard, but most ISO management systems follow a similar structure because ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, ISO 22301:2019, ISO 27001:2022, and ISO 20000-1:2018 use a common management system approach.

What ISO documents are auditors likely to request first?

Auditors usually start with the scope, context of the organization, interested parties, risks and opportunities, objectives, documented procedures, internal audit records, management review records, corrective action records, and evidence that processes are being controlled. For ISO 9001:2015, that often includes customer requirements, process controls, supplier evaluation, competence, monitoring, and nonconformity handling.

If ISO 9001 is your starting point, the ISO 9001:2015 Documentation Toolkit gives you editable policies, procedures, forms, and records so you are not building the QMS documentation from a blank page.

What records prove the ISO system is working?

Records are the part you cannot fake at the last minute. Examples include training records, supplier evaluations, risk assessments, inspection records, customer feedback, incident logs, corrective action records, access reviews, environmental monitoring, legal compliance checks, business continuity tests, service reviews, or laboratory competence records.

For ISO 27001:2022, records may include asset inventories, risk treatment actions, access control reviews, supplier security reviews, incident logs, internal audit evidence, and Statement of Applicability updates. For ISO 45001:2018, records may include hazard assessments, consultation evidence, incident investigations, emergency drills, and legal compliance evaluations.

Pro tip: Create a simple evidence tracker with columns for clause, required record, owner, location, status, and last updated date. This one spreadsheet can prevent the most painful pre-audit scramble.

What Can Speed Up ISO Certification Without Cutting Corners?

You can speed up ISO certification by shortening document preparation, assigning owners early, running tasks in parallel, controlling the scope, and using a realistic audit plan. You cannot speed it up by pretending a management system exists when nobody has used it.

Can a small business get ISO certified faster with templates?

Yes, a small business can move faster with templates because it avoids the slowest blank-page work: policy wording, procedure structure, forms, registers, audit templates, and management review formats. Templates are especially useful when the business knows what it does but does not know how to express it in ISO language.

The best use of templates is not copy-paste compliance. It is controlled customization. You adapt the scope, responsibilities, risks, process controls, records, and evidence to your organization. For more detail on this approach, see our guide on how an ISO documentation toolkit helps small businesses.

What work can be done in parallel during ISO certification?

Several workstreams can happen at the same time. One person can prepare documented information while process owners confirm procedures. Management can approve scope and objectives while the project owner builds the risk register. Staff training can start while records are being created. Certification bodies can be contacted while the internal audit plan is being prepared.

The practical limit is coordination. Parallel work only saves time when there is one clear project owner, weekly progress checks, and a visible action tracker. Without that, parallel work becomes parallel confusion.

When should you use a consultant instead of only templates?

Templates are enough for many straightforward SMEs, especially when someone internal can own the project. A consultant may be the better choice when the scope is complex, the business has multiple sites, regulated operations, weak internal capacity, or a high-risk certification deadline linked to a major contract.

A sensible middle route is also possible: use templates for documentation and bring in expert support for gap analysis, internal audit, or final readiness review. That usually costs less than handing over the entire project.

Can an ISO Documentation Toolkit Reduce the Timeline?

An ISO documentation toolkit can reduce the timeline by cutting the time spent writing policies, procedures, forms, registers, audit checklists, and management review templates from scratch. It does not replace implementation, staff involvement, internal audit, management review, or certification body assessment.

Which ISO documentation toolkit fits your certification project?

The right toolkit depends on your standard. ISO 9001:2015 is for quality management, ISO 27001:2022 is for information security, ISO 14001:2015 is for environmental management, ISO 45001:2018 is for occupational health and safety, ISO 22301:2019 is for business continuity, ISO 13485:2016 is for medical devices, ISO 15189:2022 is for medical laboratories, and ISO 20000-1:2018 is for IT service management.

For combined quality, environmental, and health and safety requirements, a QHSE or integrated management system toolkit may be more efficient than separate documents. To compare how these packages work, read our complete guide to ISO toolkits.

How do ISO templates shorten preparation without hiding responsibility?

Templates shorten preparation by giving you the structure, language, forms, and audit-ready layout. Your responsibility is to make them true. That means replacing generic placeholders, confirming the scope, assigning real owners, matching procedures to actual work, and generating records that prove the system is operating.

A good toolkit can save weeks. It cannot attend interviews for your staff, make management decisions, define risk appetite, approve resources, or create evidence for activities that never happened.

Quick check: Before buying any ISO toolkit, confirm the version year. For example, ISO 27001 should align with ISO 27001:2022, ISO 45001 with ISO 45001:2018, and ISO 22301 with ISO 22301:2019.

What Delays ISO Certification the Most?

The biggest ISO certification delays are usually avoidable. They happen when the project is treated as a document exercise, leadership is passive, audit evidence is missing, or the certification body is contacted too late.

What are the most common ISO certification timeline mistakes?

The most common mistake is starting with documents before defining the scope. A second mistake is assuming the consultant, compliance manager, or toolkit can “get the company certified” without process owners doing anything. A third mistake is waiting until the end to involve top management.

Other common mistakes include booking the audit too early, ignoring legal requirements, skipping staff awareness, using outdated templates, failing to close internal findings, and treating management review as a formality. These errors create delays because they appear exactly when there is the least time to fix them.

Why missing records cause ISO audit delays

Missing records are painful because records prove the system has been used. A beautiful procedure does not prove supplier evaluation happened. A risk policy does not prove risks were assessed. A training procedure does not prove staff are competent.

If a record is required but missing, the auditor may raise a nonconformity. If the missing evidence affects a major requirement, certification may be delayed until corrective action is accepted.

Why rushing management review creates weak evidence

Management review is often rushed because it appears near the end of the project plan. That is risky. Management review is where top management shows that the system has been reviewed, resourced, and improved.

Strong review minutes include inputs, decisions, actions, owners, and deadlines. Weak minutes are generic, undated, or disconnected from audit results, objectives, risks, and corrective actions. Auditors notice the difference quickly.

Pro tip: Schedule management review only after the internal audit report is complete. That way leadership can review real audit results and make meaningful decisions before Stage 1 or Stage 2.

Frequently Asked Questions

How long does ISO certification take for a small business?

ISO certification usually takes 3–6 months for a small business starting from scratch. A simple ISO 9001:2015 project may be closer to 3–4 months, while ISO 27001:2022, ISO 14001:2015, ISO 45001:2018, or ISO 22301:2019 may take longer because they require risk, control, legal, continuity, or safety evidence. The timeline depends on scope, documentation readiness, staff availability, internal audit, management review, and certification body scheduling.

Can I get ISO 9001 certified in one month?

Getting ISO 9001:2015 certified in one month from zero is unlikely. You may prepare documents quickly in 30 days, especially with templates, but certification also requires implementation evidence, internal audit under Clause 9.2, management review under Clause 9.3, and a certification body audit. One month may be possible only if the company already has mature processes, records, trained staff, and an available certification body.

How long does ISO 9001 certification take from start to finish?

ISO 9001:2015 certification commonly takes 3–6 months from start to finish. A small office-based or service business may finish in about 3–4 months if its processes are already stable. A larger business, manufacturer, contractor, or multi-site organization may need 4–6 months or more because process controls, supplier evaluation, customer feedback, inspection records, corrective actions, and staff competence evidence must be prepared and tested.

What is the difference between ISO 9001 and ISO 27001 certification timelines?

ISO 9001:2015 often has a shorter timeline because many quality records already exist in normal business operations, such as customer orders, supplier checks, complaints, inspections, and corrective actions. ISO 27001:2022 often takes longer because it requires information security risk assessment, risk treatment, Statement of Applicability, Annex A control evidence, access reviews, supplier security checks, and incident management records.

Do I need three months of records before ISO 9001 certification?

ISO 9001:2015 does not state a universal rule requiring exactly three months of records before certification. The practical requirement is enough evidence to show the Quality Management System is implemented and effective. Some small businesses may have adequate evidence after several active weeks, while others need longer. Certification bodies expect records for key processes, internal audit, management review, objectives, customer feedback, supplier control, and corrective action.

Can an ISO documentation toolkit make ISO 27001 certification faster?

An ISO documentation toolkit can make ISO 27001:2022 certification faster by reducing the time spent creating policies, procedures, registers, risk templates, audit tools, and management review formats from scratch. It does not remove the need to implement controls, complete the risk assessment, approve the Statement of Applicability, train staff, collect evidence, perform internal audit, or complete certification body audits.

What delays ISO certification the most?

ISO certification is delayed most by unclear scope, missing documented information, lack of management involvement, weak records, incomplete internal audit, poor management review, unresolved nonconformities, and late certification body booking. The biggest hidden delay is usually staff availability. When process owners are too busy to confirm procedures, provide evidence, attend training, or close findings, the certification timeline extends quickly.

Next Steps

How long does ISO certification take? For most organizations starting from scratch, plan for 3–6 months. You can move faster if the scope is simple, leadership is committed, documents are prepared efficiently, and evidence is collected early. You should not rush internal audit, management review, or corrective action because those are the parts auditors use to confirm the system is real.

Ready to reduce the documentation stage without cutting corners? Browse our full range of ISO documentation toolkits to find editable, ready-made templates for ISO 9001, ISO 27001, ISO 14001, ISO 45001, ISO 22301, ISO 13485, ISO 15189, ISO 20000-1, QHSE, and other certification projects.

Can ChatGPT Write ISO Documentation for Certification? 2026Back to blog

Related Articles

Can ChatGPT Write ISO Documentation for Certification? 2026

Client Asked for ISO Certification? What to Do Next in 2026

Can a One-Person Company Get ISO Certified? 2026 Guide

Which ISO Certification Do I Need for My Business? 2026 Guide

QHSE Integrated Management System Documentation Checklist

Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday
January,February,March,April,May,June,July,August,September,October,November,December
Not enough items available. Only [max] left.
Shopping cart

Your cart is empty.

Return To Shop

Enable cookies to use the shopping cart
Add Order NoteEdit Order Note
Add A Coupon
Subtotal:
$0.00

View cart

Add A Coupon

Coupon code will work on checkout page

Shop
Sidebar
0Cart
Filter
Search
Menu