The timeline depends on your organisation's size and starting point. Those are the same variables that determine how long a consultant takes. The difference is that each phase builds understanding: the risk assessment, the control selection, the internal audit. The audit trail forms in the ISMS as you go, not after the fact. Your team understands every part of it when it is done.
