Skip to content
Vectel
Support/Compliance and regulations

How do I choose scope and plan the runway for an ISO 27001 project?

The project lives or dies on realistic scope. Too broad gets heavy, too narrow looks unconvincing to customers. Runway depends on maturity and team size.

Try this first

  1. 1Set scope based on what you sell and to whom. For a SaaS SMB that is usually the product, the team building it and supporting processes, not the whole legal entity.
  2. 2Run a gap analysis against ISO 27001:2022. It covers governance, policies, risk management, people, physical security, technical controls and vendor management.
  3. 3Plan in two phases. Build the ISMS first and let it run in practice for at least a few months. Then schedule the stage 1 audit with the certifying body.
  4. 4Expect several months up to roughly a year for first certification, depending on maturity and team bandwidth. No exact guarantee; ask an external party to scope your situation.
  5. 5Plan annual recertification and internal audits in from day one. An ISMS that stalls after audit fails the next round.

When to bring us in

Limited internal capacity? An external ISMS coach for the first cycle pays off. Not to do everything, but to put you on the rails.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works