How long must these ISMS controls be in place before being able to get an audit? In other words, some of these policies will be new and we are just creating and implementing them as we go through the process of trying to get certified. Do certification boards need to see these policies in place for a specified period of time first?
This is different from one certification body to the other - some require you to have the ISMS in full operation for at least 3 months, while others do not have such a criterion. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.