ISO 27001 project schedule development

Answer: Yes. In a general manner, to determine the time needed for each step individually you need to:

1 - Identify which result you have to deliver (e.g., information security policy)
2 - Identify which tasks required to produce that result (e.g., interview top management, elaborate a policy draft, submit draft for evaluation, update draft if needed, approve final version, etc.)
3 - Identify how much time you need to perform each task
4 - Identify the sequence in which the tasks should be executed

After the sequencing you only have to sum the times of the most long sequence to know how much time you will spent for achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.

When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.

I recommend you to look at our Project checklist for ISO 27001 implementation (https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation), which can give you some ideas about tasks required in a ISO 27001 implementation project.

To get an estimated duration of the whole project you can use our Duration calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

These materials will also help you regarding ISO 27001 schedule development:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/