My company is looking at implementing 27001 to meet customer requirements in India. We are currently ISO 9001 certified and SOX compliant. My employee count is around 650. What has been the forum's time and effort experience with the 27001 implementation?
Hello and welcome to the Cove. Your answer is going to be very dependent upon the scope of your ISMS. You certainly can save some time in not having to create the management systems aspects of ISO 27001, which are heavily leveraged from similar (sometimes identical) ISO 9001 requirements.
The rest of the work is going to be dependent on the scope (as mentioned) of the ISMS - what's the focus of implementation, what controls are identified as being applicable (from Annex A) and how broad their application is across the business. So, it's going to require the boundaries (scope) of the ISMS to be defined before anything else is done. From that a work plan/assignments can be drawn up and a time estimate made from that in turn.