ISO 27001 in 2 weeks — a day-by-day plan
A day-by-day breakdown of how a small team can reach ISO 27001 certification in two weeks.
"Can we get ISO 27001 in two weeks?" is one of the questions we hear most often. The honest answer: yes — if you have executive buy-in, a decent starting posture, and the right tooling. Here's the day-by-day.
Day 1: scope and commit
Before touching a control, get alignment on the scope of your ISMS. Which products, services, teams, and locations are in? Which are out? This is where most programs lose time — not the control work.
Day 2: risk assessment
Run your first formal risk assessment. If you don't have a methodology, borrow ours — it's in the Templates library. Log every significant risk in a register; you'll need it for your Statement of Applicability anyway.
Days 3–7: control implementation
Pick the Annex A controls that apply. Document the ones already in place, and implement the ones that are missing. In Asurvo, this is the point where evidence collection starts flowing automatically — by the end of the week, your control coverage is real, not aspirational.
Day 8: internal audit
Run an internal audit against your ISMS. Log findings, open corrective actions, and close them before the external auditor arrives.
Day 9: management review
Hold your management review, document outputs, and sign off on residual risk.
Day 10: certification audit
Hand the auditor a clean workspace. Evidence is current, findings are closed, and the trail is auditor-ready out of the box.
The honest truth
Two weeks is tight. It's doable, but only if your program isn't built on spreadsheets. Real-time dashboards, evidence reuse, and auditor-ready exports are what turn a 3-month slog into a 2-week sprint.