How Long Does ISO Certification Take in Australia?
By ComplyOn team · April 2026
Introduction
"How long will it take?" is usually the second question after "how much will it cost?"
The honest answer is: it depends. But that is not particularly useful, so this post breaks down realistic timelines for each standard, explains what actually drives the timeline, and tells you what you can do to move faster.
The short version: most small to medium Australian businesses take two to six months to certify to a single standard. An integrated HSEQ system typically takes five to eight months. Businesses that move faster have documentation ready, key people available, and a consultant who keeps things moving.
The Two Phases
Before getting into timelines, it helps to understand that ISO certification happens in two distinct phases.
Phase 1 - Implementation This is the work of building your management system - the gap analysis, the documentation, the implementation, the internal audit. This is the phase where most of the time is spent and where you have the most control over the pace.
Phase 2 - Certification audit This is when the certification body auditor reviews your system. It involves a Stage 1 audit (document review) and a Stage 2 audit (implementation verification). The gap between Stage 1 and Stage 2 is typically four to eight weeks. Certification bodies have their own scheduling constraints and you will need to book in advance.
The total timeline runs from the start of implementation through to receiving your certificate after the Stage 2 audit.
TIMELINES BY STANDARD
ISO 9001 - Quality management
Typical timeline: 2 to 5 months
ISO 9001 is the most widely implemented management system standard and the implementation is well understood. For a small business with reasonably straightforward operations, three to four months from gap analysis to certificate is achievable. Businesses with more complex operations, multiple sites, or significant existing documentation that needs to be assessed may take four to five months.
What slows it down: Businesses that have never documented their processes face a longer documentation phase. Businesses where the owner or key manager is the only person who can sign off on documentation can create bottlenecks when that person is unavailable.
ISO 45001 - Work health and safety
Typical timeline: 3 to 6 months
ISO 45001 implementation timelines are similar to ISO 9001 for most businesses. Construction and trade businesses that already have SWMS, induction procedures, and incident records have a genuine head start - that documentation is relevant to the standard and reduces the build time.
What slows it down: Businesses with complex contractor management arrangements, multiple work sites, or significant safety risk take longer because the hazard identification and risk assessment process is more extensive. Businesses that need to implement new operational controls - not just document existing ones - add time for the changes to bed in before the certification audit.
ISO 14001 - Environmental management
Typical timeline: 3 to 5 months
ISO 14001 timelines are broadly similar to ISO 9001. Businesses with existing environmental management documentation - site environmental management plans, EPA licence compliance records - move faster. The most time-intensive part of ISO 14001 implementation is typically the environmental aspects and impacts assessment, which requires a thorough review of operations.
What slows it down: Businesses with complex environmental obligations, multiple environmental licence conditions, or significant aspects across many operational areas take longer to work through the planning phase.
ISO 27001 - Information security
Typical timeline: 3 to 9 months
ISO 27001 typically takes longer than the other standards. The risk assessment and statement of applicability process is more involved, and the implementation of technical controls often requires coordination with IT teams and third-party providers. Technology companies with mature existing security controls may move through the documentation and governance layer faster than the timeline suggests - but businesses starting from a low base of security maturity may need longer.
What slows it down: Risk assessments that are not completed promptly, technical control gaps that require significant remediation before the system is audit-ready, and supplier security arrangements that need to be established or documented. ISO 27001 also has more specific requirements around management commitment and internal audit than some businesses expect.
HSEQ - Integrated management system
Typical timeline: 3 to 8 months
An integrated HSEQ system covering ISO 9001, ISO 45001, and ISO 14001 takes longer than a single standard - but not three times as long. The shared structure of the three standards means there is significant overlap in the documentation and management system work. A well-run HSEQ implementation is roughly 50 to 60 percent of the time that three separate implementations would take.
What slows it down: Everything that slows individual standards, multiplied across three. The most common delay point in HSEQ implementations is the environmental aspects assessment, which is often the least familiar part for businesses coming from a primarily safety-focused background.
WHAT ACTUALLY DRIVES THE TIMELINE
Understanding what moves the dial on implementation time helps you plan and set realistic expectations.
1. The gap between where you are and where you need to be This is the biggest single factor. A business with no existing documentation, no safety procedures, and no quality processes is starting from further back than a business with established systems that just need to be shaped into a management system. The gap analysis at the start of the engagement establishes this and informs the timeline.
2. The availability of key people ISO certification requires input from the business - reviewing documentation, attending awareness sessions, participating in the internal audit, signing off on the management system. When the person whose sign-off is needed is unavailable for weeks at a time, the project stalls. The businesses that move fastest are the ones where the right people can give a few hours a week consistently.
3. How quickly decisions get made Documentation gets written. It goes to the client for review. If feedback comes back within a few days, work continues. If it sits for three weeks, the project loses momentum and the timeline extends. Fast decision-making is one of the most underrated factors in a fast certification.
4. The consultant's workload and process A consultant who is managing too many engagements simultaneously will not move as fast as one who has capacity to push your engagement forward. Fixed milestones and clear accountability on both sides help. At ComplyOn we agree a timeline at the start and hold to it.
5. Certification body scheduling Once your system is ready, you are dependent on the certification body's availability. Most certification bodies have reasonable lead times but booking Stage 1 and Stage 2 audits well in advance avoids delays at the end of the process. We advise clients to approach the certification body early - before the system is fully complete - so the audit is scheduled and ready when the system is.
HOW TO MOVE FASTER
If you have a deadline - a tender submission date, a contract requirement, a client who has given you a specific timeframe - here is how to give yourself the best chance of meeting it.
Start the gap analysis immediately. The gap analysis tells you exactly how much work is required. Until you have done it, you are guessing at the timeline. The sooner you know the scope, the sooner you can plan.
Get documentation ready before we start. Any existing policies, safety plans, quality procedures, or environmental documents should be gathered and made available at the start. Do not wait to be asked for them.
Nominate a single internal contact. One person who can coordinate feedback, approvals, and internal communication. Not a committee. One person.
Book the certification body early. As soon as you have a realistic implementation timeline, approach the certification body and book the Stage 1 audit. You can always reschedule if you need more time. What you cannot do is conjure an audit date at short notice.
Be realistic about deadlines. If a tender requires ISO certification in six weeks and you are starting from scratch, it is not achievable. Understanding this early is better than discovering it late. We will tell you honestly at the start whether your deadline is realistic.
WHAT HAPPENS AFTER CERTIFICATION
The certificate is issued after a successful Stage 2 audit. Most certification bodies issue the certificate within two to four weeks of the Stage 2 audit being completed.
The certificate is valid for three years. In year one and year two, your certification body conducts a surveillance audit - a shorter audit that checks the system is being maintained. In year three, a full recertification audit takes place.
Between audits, the system needs to be maintained - internal audits conducted, corrective actions managed, documentation kept current. This is where many businesses struggle after the initial implementation. Our Stay Certified service is designed for businesses that need help keeping up with the ongoing requirements.
SUMMARY
Most Australian small and medium businesses take two to six months to certify to a single standard. HSEQ takes three to eight months. ISO 27001 takes three to nine months. The timeline depends primarily on the gap between your current state and the standard's requirements, the availability of key people, and how quickly decisions get made.
If you have a specific deadline, tell us at the start. We will assess whether it is achievable and tell you what would need to happen to meet it.
