ISO 27001 is engineering, not paperwork. Treat it as paperwork and it eats your roadmap for two quarters. Treat it as engineering and it ships in 90 days with no heroics.
Weeks 1–2: scoping and gap analysis. Define the ISMS scope — which business units, products and data flows are in. Map existing controls against Annex A. Identify the gaps. We use a one-page tracker with row-level evidence requirements.
Weeks 3–4: automation infrastructure. Vanta or Drata or Secureframe. Pick one and wire it in. Connect it to your IdP, your code repos, your cloud accounts and your HRIS. Most of the controls you need are evidence collection problems, and these tools collect 70–80% automatically.
Weeks 5–6: policy authoring. We have a templated policy library that we customize. Information Security, Access Control, Vendor Management, Business Continuity, Incident Response, Data Classification, Acceptable Use, Change Management. Each policy is a one-page document, signed by the responsible owner, reviewed annually.
Weeks 7–8: control implementation. Where automation cannot help — onboarding/offboarding checklists, quarterly access reviews, vendor risk assessments — implement the operational rituals and prove they happen.
Weeks 9–10: penetration test and code review. External pen test. Internal application security review. Findings tracked against severity SLAs. By the audit window, all High and Critical findings should be remediated or accepted with documented compensating controls.
Weeks 11–12: pre-audit and audit. Internal mock audit by us. Stage 1 audit by your certification body. Stage 2 follows on a 6–12 month cycle.
The pattern that holds: clients who invest in automation tooling early ship faster than clients who try to do it manually. Clients who treat policies as living documents survive surveillance audits. Clients who treat them as one-time deliverables fail their first surveillance audit.
