I was told that you are the main expert on the ISO documentation. My organization wants to put a project plan together on filling all of this out and we’re wondering if you have estimated timelines that it takes to perform the various activities. Obviously every organization is different but general guidelines would be good to help us with staff scheduling.
In a general manner, to determine the time needed for each step individually you need to:
1 – Identify which result you have to deliver (e.g., information security policy)
2 – Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit draft for evaluation, update draft if needed, approve final version, etc.)
3 – Identify how much time you need to perform each task
4 – Identify the sequence in which the tasks should be executed
After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.
When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca. 10% of the time, risk assessment ca. 30% of the time, implementation of controls ca. 50% of the time, and final activities (internal audit, management review, corrective actions) ca. 10% of the time.
Included with the toolkit you bought, you have access to the Conformio platform, where you'll find the ISO 27001 Step-by-step guide, which can also help you.