The timeline depends on organisational size, scope definition, and existing security maturity. Most mid-sized organisations require several months to implement the ISMS, conduct internal audits, complete management review, and accumulate sufficient evidence before certification audit.