The implementation duration depends primarily on the size of the organization:
- Companies of up to 20 employees – up to 3 months
- 20 to 50 employees – 3 to 5 months
- 50 to 200 employees – 5 to 8 months
- More than 200 employees – 8 to 20 months

Note: There are some other factors that influence the speed - if a company is using some tool or a consultant, if some documentation already exists, etc.

Examples:
- A SaaS company of 40 employees already implemented ISO 9001 and ISO 22301 - they might need less than 3 months to implement ISO 27001 because they already have lots of documentation and processes in place.
- A manufacturing company of 150 employees is using a consultant for implementing ISO 27001 - their implementation time will be closer to 5 months because of the external help they are getting.
- A healthcare organization of 500 employees is compliant with GDPR and HIPAA, and is using a documentation toolkit for ISO 27001 implementation - their implementation time will be less than a year.