Governance. Risk. Compliance. Cybersecurity.
MAST Consulting Group - Governance, Risk, Compliance and Cybersecurity Logo
Timeline

Timeline — Security Audit

A realistic week-by-week view of how Security Audit runs. Timelines compress for smaller scopes and extend for multi-entity or multi-site programmes; this baseline assumes a mid-size enterprise.

  • ISO/IEC 27001 Certified
  • ISO/IEC 27701 Certified
  • ISO 9001 Certified

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Week-by-week plan

WeekPhaseKey activitiesOutput
Weeks 1–3ScopeAgree baseline, systems, locations and stakeholders.Signed-off scope pack and gate review
Weeks 4–6FieldworkInterviews, evidence review, control testing.Signed-off fieldwork pack and gate review
Weeks 7–9ReportFindings, ratings and remediation roadmap.Signed-off report pack and gate review
Weeks 10–12ValidateRe-test of remediated controls on request.Signed-off validate pack and gate review
12-week delivery plan

Gantt-style timeline titled "12-week delivery plan" over 12 Weeks with 4 phases: Scope from Week 1 to 3; Fieldwork from Week 4 to 6; Report from Week 7 to 9; Validate from Week 10 to 12.

Scope
Signed-off scope pack and gate review
Fieldwork
Signed-off fieldwork pack and gate review
Report
Signed-off report pack and gate review
Validate
Signed-off validate pack and gate review

What accelerates the timeline

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.
Conditions that compress delivery

Checklist titled "Conditions that compress delivery" with 4 items, every item marked complete: Executive sponsor engaged from day one with weekly steering attendance.; Existing asset inventory, network diagrams and HR org chart available.; GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).; Workforce available for awareness training within the engagement window..

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.

What typically extends it

  • Multiple legal entities, brands or geographies in scope.
  • Significant cloud migration running in parallel.
  • Open audit findings or regulator enforcement requiring remediation first.
  • Mergers, divestitures or system replacements mid-engagement.
Next: Pricing & Engagement