ISMS Accelerator
hi@ismsaccelerator.com

How to get ISO 27001 certified in 12 months — without paying a consultant $75,000 or spending 18 months going in circles.

A practicing security consultant (ISO 27001 Lead Auditor, CISSP, CISM) shares the step-by-step system used to certify an 800-attorney Am Law firm in under 12 months — including 50+ ready-to-use templates that eliminate months of documentation work.

Christopher Kinnon's credentials:

ISO 27001 Lead Auditor · CISSP · CISM · 20+ years in IT · 12+ years in information security · Legal IT since 2010 · 12+ audits · 2 full implementations · 3 ISMS programs built

Before we go further — is this the right page for you?

You're in the right place if you're the person at your company who got handed the ISO 27001 project. Maybe a prospect asked for it on a call. Maybe a big client put it in the contract. Maybe your CEO heard about it at a conference and now it's your problem.

You know the certification matters. You're not sure where to start. You've looked at three options and none of them feel right:

  • Hire a consulting firm and spend $75,000–$150,000 with no guarantee of success
  • Read the raw standard yourself — 37 pages that say "the organization shall determine" without telling you how, written for a hospital and a software shop simultaneously
  • Buy a template pack — 230 Word files with no sequence, no guidance, no audit context

You're NOT in the right place if:
  • You want someone to handle everything with zero involvement from your team
  • You have a $500 budget and are hoping to piece this together from YouTube
  • You work at a large enterprise with a dedicated GRC team (this is built for lean teams)

Here's what usually happens

You download the standard. You read it. It's 37 pages of intentionally abstract requirements. Nothing is specific. Everything says “the organization shall determine...” with no guidance on how. It applies to a hospital, a bank, a manufacturing plant, and a five-person software shop simultaneously — which means it's genuinely useful to none of them without interpretation.

So you look for help.

Consulting firms quote $60K, $95K, $120K. One firm sends a proposal with a 12-month timeline and a team of people you've never met who will “lead the implementation.” The proposal is beautiful. The price is not.

You look at template packs. You find one for £299 that promises “everything you need.” You download 230 files. You open three of them. They're generic. There's no guidance on what to fill in, what order to do things, or what actually matters versus what's bureaucratic padding.

You search YouTube. There are 40-minute videos explaining clause 4.1 in abstract terms. There are zero videos showing you what to actually write in your risk register for a 60-person SaaS company.

Six months pass. You have a folder of half-finished documents. Your prospect is asking for a status update.

Every month without certification is a real cost

Lost contracts. Enterprise procurement teams put ISO 27001 in vendor requirements as a hard gate. If you're not certified, you don't get to submit a proposal. Most companies never find out what they lost because they never saw the RFP.

Failed security questionnaires. When a client sends a 120-question security assessment and you have to answer "no" to half of it, the deal slows down or dies. Certification lets you answer most of those questions with documented evidence instead of wishful thinking.

Insurance costs. Cyber liability carriers are tightening underwriting. If you can't demonstrate formal information security management, premiums go up and coverage limits go down. Some carriers are starting to price ISO 27001 certified companies differently.

The salary math. A dedicated GRC Analyst costs $80,000–$110,000 per year in salary alone. They'll still need templates, training, and 18+ months to understand your environment before the real implementation work starts.

Time. The companies that get certified fastest aren't the ones with the biggest teams. They're the ones with a clear system. Without one, smart people do months of work in the wrong order.

Who built this

I'm a practicing security consultant. Not an academic. Not someone who passed a certification and immediately started selling courses.

My career: 20+ years in IT, starting at a Help Desk in 2003. Help Desk → Info Systems Specialist → Info Security Manager → ISO Consultant → Info Security Governance. Most of that time in Legal IT since 2010 — small firms and Am Law firms.

The project that clarified the system: an 800-attorney Am Law firm that needed ISO 27001 certification. Zero to certified in under 12 months. That implementation taught me what works in a law firm environment. Not generic security advice — the real constraints of attorney-client privilege, partner access models, legal holds, conflicts of interest.

What you're looking at now is that system, packaged. Built from practitioner reference documents (155 audit questions, 150+ DCF controls, 29 mandatory reviews). 50+ templates. 10 modules. Real credentials: ISO 27001 Lead Auditor, CISSP, CISM.

When the standard updated to ISO 27001:2022, I didn't write a summary post about it. I updated client ISMSs. That's the difference.

Christopher Kinnon
ISO 27001 Lead Auditor · CISSP · CISM

The full ISMS Accelerator system

Ten modules. The sequence matters — this is not a library of lessons you pick through. Each module covers one phase of the implementation. You complete the work for that phase, then move on. No backtracking. No wondering if you missed a step.

Module 0 — Orientation and project setup

Before you touch a single document: project structure, who needs to be involved, how to get leadership buy-in, how to set a realistic timeline. Most teams skip this and pay for it at month seven.

Module 1 — Context of the organization (Clause 4)

"Determine the context of your organization" — the standard gives you almost nothing to work with. This module makes it concrete. You'll finish with a completed context analysis, a documented scope statement, and a clear understanding of which interested parties you need to account for throughout the rest of your ISMS. Getting scope wrong here causes audit findings six months later.

Module 2 — Leadership and commitment (Clause 5)

ISO 27001 fails when leadership signs the policy without understanding what they're committing to. This module gives you the tools to run a management briefing that produces real commitment — and the documented evidence of it that an auditor will look for.

Module 3 — Risk assessment and planning (Clause 6)

Where most implementations stall. The standard tells you to do a risk assessment and gives you almost no guidance on how. This module provides a methodology that works for companies with 10 to 500 employees — not a methodology designed for a bank with a 30-person risk team. You'll finish with a completed risk register and a risk treatment plan.

Module 4 — Support and resources (Clause 7)

Competence, awareness, communication, documented information. These sound administrative. They generate the most common nonconformity in first-time audits. This module covers what auditors look for and how to document each area without creating busy-work that nobody maintains 18 months from now.

Module 5 — Operational planning and Annex A controls (Clause 8)

The largest module. Covers Annex A control selection and implementation. You won't implement all 93 controls — nobody does. This module shows you how to pick the right ones based on your risk treatment plan and build them in a way that's auditable. Includes the Statement of Applicability walkthrough.

Module 6 — Performance evaluation (Clause 9)

Monitoring, internal audits, and management review. Auditors look at this closely because it tells them whether your ISMS is real or a paper exercise. This module builds a measurement system that works for lean teams and looks credible to external auditors.

Module 7 — Improvement (Clause 10)

Nonconformity management, corrective action, continual improvement. What to do when something goes wrong — and how to document the response in a way that shows the ISMS is working, not breaking down.

Module 8 — Certification readiness

The 8-week pre-audit checklist. What Stage 1 and Stage 2 audits involve. How to prepare your team for auditor interviews. What to do if an auditor raises a finding mid-audit. How to close nonconformities fast. This is the module that turns "hoping for the best" into walking in with documented confidence.

Module 9 — Surveillance and post-certification maintenance

Getting certified is not the finish line. ISO 27001 requires annual surveillance audits and a three-year recertification cycle. This module covers how to maintain the ISMS after certification so those audits are routine instead of emergency events.

Module 10 — Management review and KPIs (advanced)

An extended module on building a mature ISMS review cycle. KPI design for information security, trend analysis, how to present security metrics to leadership in a way that actually gets decisions made.

BONUS: Law firm vertical

Everything in the core course adapted for law firms. Attorney-client privilege in cloud systems. Partner and associate access controls. Incident response that preserves legal privilege. RFP response templates for law firm security questionnaires. Built for firms from 10 to 300 attorneys.

50+ templates

Every module includes the templates needed to complete it. These are not blank documents with a logo at the top. Each one is built from practitioner reference documents — with guidance notes explaining what a section needs to contain, examples where the content isn't self-explanatory, and notes on what an auditor will look for when reviewing it.

  • Project charter and implementation timeline
  • Context analysis worksheet
  • Interested parties register
  • ISMS scope statement (SaaS, professional services, healthcare-adjacent examples)
  • Information security policy
  • Risk assessment methodology document
  • Risk register (pre-populated with common SMB risks)
  • Risk treatment plan
  • Statement of Applicability (pre-mapped to ISO 27001:2022 Annex A — all 93 controls)
  • Roles and responsibilities matrix
  • Competence and training records
  • Document control procedure
  • Internal communication plan
  • Internal audit checklist (clause-by-clause)
  • Internal audit report
  • Management review agenda and minutes
  • Nonconformity and corrective action log
  • Incident response plan
  • Business continuity plan framework
  • Supplier security assessment questionnaire
  • Asset inventory and management procedure
  • Information classification policy and handling guide
  • Acceptable use policy
  • Access control policy
  • Change management procedure
  • Vulnerability management procedure
  • Physical security checklist
  • HR security policy (onboarding / offboarding)
  • ISMS improvement register
  • Certification audit preparation checklist
  • Post-certification maintenance calendar
  • 10+ additional templates from student feedback

Bonus module: SMB enterprise sales playbook

Once you're certified, how do you use it to win deals? This module covers how to turn your ISO 27001 certification into a sales asset: how to answer security questionnaires fast, how to position the certification in proposals and RFPs, and how to respond when a prospect asks what ISO 27001 actually means for protecting their data. Built for SMBs selling into enterprise procurement.

Built by a practitioner

This course is built from the system I use as a consultant and Lead Auditor. The 800-attorney Am Law firm project showed me what works in a law firm environment. That's what you're getting — practitioner knowledge, not theory.

Christopher Kinnon, ISO 27001 Lead Auditor, CISSP, CISM

Course launching soon. Join the founders list for early access and founding member pricing.

Three ways to get certified

DIY

The self-paced option for people who learn best by doing.

$1,497
or 3 payments of $539

  • Full 10-module video course
  • 50+ implementation templates
  • Plain English Cheat Sheet
  • First 30 Days Roadmap
  • Lifetime access and all future updates
  • Community access

Right for you if: You have solid project management habits, can self-direct through a structured program without check-ins, and have some background in IT or information security.
Enroll in DIY →

Guided (most popular)

The structured option with expert support at every stage.

$3,997
or 6 payments of $739

  • Everything in DIY
  • 12 monthly group coaching calls
  • Hot seat sessions
  • Priority community support
  • Certification guarantee

Right for you if: You want someone watching your back when you hit a wall — and you will hit walls — and you work better with external accountability and milestone check-ins.
Enroll in Guided →

Done-With-You

The direct-access option for teams that want a consultant in their corner.

$12,000
Limited seats per quarter

  • Everything in Guided
  • 6 private 1-on-1 sessions (90 min each)
  • Document review of your actual ISMS
  • Mock internal audit with written findings
  • Custom implementation roadmap
  • Direct email access for 90 days
  • Surveillance audit preparation

Right for you if: Your certification timeline is fixed, your environment is complex, you're in a regulated industry, or you want a practicing consultant to review your work before you sit for the audit.
Apply for Done-With-You →

Limited seats. Apply and I'll let you know current availability.

A single month of a junior ISO 27001 consultant at $200/hour, 20 hours/week, costs $16,000. One month. The DIY tier of this program is $1,497.

Start before you spend a dollar

ISO 27001 Cost Calculator

Put in your company size and target timeline. Most people who run the numbers are surprised by how wide the gap is between their options.

Open the calculator →

Plain English Cheat Sheet

The standard in plain English — every major clause explained in one or two sentences without the standards-body language.

Download free →

First 30 Days Roadmap

Day-by-day tasks starting from zero. Not a 40-page guide — a checklist you can open Monday morning and start following.

Get the roadmap →

How your investment is protected

30-day money-back guarantee. Go through any part of the program in the first 30 days. If it's not what you expected, email me and I'll refund you in full. No forms. No questions about why.

Certification guarantee (Guided and Done-With-You). Follow the system — complete the modules, use the templates, do the implementation work — and if you still don't get certified, I'll keep working with you until you do at no additional cost. I've never had anyone fail certification who actually did the work. The guarantee is there if you need it.

Lifetime access. The course and templates are yours permanently. When ISO 27001 updates again, enrolled students get updated materials.


Not ready for the full program?

Start with the Readiness Kit for $97. You'll get a gap assessment scorecard covering all 4 themes and 93 controls, an implementation timeline, a leadership presentation template, and 3 production-ready starter templates. It's everything you need for Week 1 — and the $97 is credited toward any program tier when you're ready to upgrade.

Get the Readiness Kit — $97 →

The practical case for starting now

I'm not going to put a countdown timer on this page. That's either real or it's not, and if it's not, you know it.

Every month you don't start is a month your certification target moves back. If you need to be certified by December and it's February, you have 10 months. A typical team takes 11–14 months without the system and 9–12 months with it. The sooner you start, the more margin you have.

The competitive piece is more concrete. Companies that get certified this year will use that certification in enterprise sales cycles starting next quarter. Procurement teams run vendor security assessments before they'll sign a contract. If your competitors are certified and you're not, you don't lose on price or quality — you just don't make it past the security questionnaire. That's a category of lost business you'll never even know about.

DIY — $1,497

Full course. All templates. Self-paced. Lifetime access.

Enroll in DIY →

Guided — $3,997

Everything above plus 12 group sessions with Chris, live Q&A, and direct audit prep support.

Enroll in Guided →

Done-With-You — $12,000

Everything above plus 6 private sessions with Chris, document review, mock audit, direct Slack/email access.

Apply for Done-With-You →

P.S. — If you're deciding between DIY and Guided, I'd push you toward Guided. The monthly coaching calls alone are worth the price difference. At $2,500 more than DIY, you're buying accountability — not just content. You get direct access to someone who's been through 12+ audits and knows exactly what auditors look for. That's worth something when the audit is months away and the stakes are real.