Service · ISO 27001:2022 · ISMS

ISO 27001 consultancy
with VAPT bundled in.

End-to-end ISO 27001:2022 ISMS implementation for Indian organizations. Senior IRCA / Exemplar Global lead auditor on every call, Annex A 2022 controls coverage, bundled VAPT, DPDP Act 2023 overlay, and accredited certification body coordination on a fixed-price scope.

93 · Annex A 2022 controls
16–24 wk · Typical SME timeline
₹3–9L · Total first-year cost band
VAPT · Bundled, not subcontracted

ISO 27001:2022 is the international standard for Information Security Management Systems. For Indian organizations in 2026, it's increasingly the de facto compliance baseline — driven by the DPDP Act 2023, RBI Cyber Framework, SEBI CSCRF, and enterprise procurement that filters bids before technical evaluation.

We deliver ISO 27001 consultancy with three commitments unusual in this market: (1) Senior lead auditor on every call — no junior hand-off; (2) VAPT bundled into the engagement so Stage 2 sees consistent vendor evidence instead of stitched-together work from two suppliers; (3) Fixed-price scoping with no hourly-billing surprises. We are CB-neutral.

If you'd like the full implementation walk-through with regulatory context (DPDP, RBI, SEBI, comparison vs SOC 2), read our ISO 27001 implementation pillar. This page is the service offering — what's in scope, deliverables, timeline, pricing.

What's in scope

What this engagement covers

Six explicit scope areas — what you can expect, end to end, on a typical engagement.

Scope definition + gap analysis

Define ISMS scope — products, locations, third parties, exclusions. Walk-through of all 93 Annex A 2022 controls. Output is a SoA-ready register with current state, target state, and effort estimates.

Risk assessment + treatment plan

Asset register → threats → vulnerabilities → impact + likelihood → residual risk. Repeatable methodology, documented, audit-defensible. Risk treatment plan with control selection rationale.

Policy suite + Statement of Applicability

Information security policy (board-approved) + 10–15 supporting policies (acceptable use, access control, change, supplier security, IR, BCP, crypto, classification, backup, secure dev). Tailored to your stack.

Control implementation support

MFA rollout, privileged access management, log aggregation, vulnerability scanning cadence, security awareness training, supplier security questionnaires, BCP exercises. We co-implement, not just advise.

VAPT — bundled, not subcontracted

Annex A.8.8 + A.8.29 require periodic technical testing. We bundle VAPT into the engagement — single vendor, consistent evidence, single point of accountability at Stage 2. No vendor-stitching.

Internal audit + CB audit support

First-cycle internal audit run as an external assessor would. Management review hosted. CB Stage 1 (documentation) + Stage 2 (on-site) attended; minor NCs closed inside the visit where possible.

How we deliver

The 4-stage delivery process

From kickoff to handover. Senior lead auditor accountable end to end.

  1. Scope + gap (week 1–3)

     Scope workshop with leadership. Gap analysis vs 93 Annex A controls. Risk methodology documented. Deliver gap report with detailed remediation plan.

  2. Policy + SoA + implementation (week 4–12)

     Policy suite authored. Statement of Applicability drafted. Control implementation runs in parallel: access management, logging, vulnerability scanning, awareness training, supplier security.

  3. VAPT + internal audit + review (week 13–18)

     Penetration testing and vulnerability assessment delivered. Internal audit independent walk-through. Findings closed. Management review hosted. NC-free state achieved before CB audit.

  4. Stage 1 + Stage 2 CB audit (week 19–24)

     CB Stage 1 documentation review. We close any gaps. Stage 2 on-site control verification. We attend, manage scope, close minor NCs. Certificate issued within 4–8 weeks of clean Stage 2.

Deliverables

What you walk away with

Concrete artefacts handed over at engagement close — not slides, not summaries.

  1. ISMS scope statement and Statement of Applicability (SoA)
  2. Risk register, risk treatment plan, and methodology document
  3. Information security policy + 10–15 supporting policies
  4. VAPT report (external + internal) with remediation guidance
  5. Awareness training material and completion records
  6. Internal audit checklist, audit report, and CAPA register
  7. Management review pack with signed minutes
  8. Stage 1 + Stage 2 CB audit on-site support and NC closure

Sector use cases

Where this engagement most often fits

Same service. Different control emphasis, different audit scrutiny.

Banks & NBFCs

RBI Cyber Framework alignment, PCI DSS environment scope carve-out, third-party risk programme, board cyber-risk reporting cadence, table-top incident exercises.

Fintech & PayTech

Concurrent ISO 27001 + PCI DSS + DPDP coverage. NPCI vendor onboarding readiness. SOC 2 layered on for US/EU customer attestation.

SaaS Exporters

ISO 27001 for EU/UK B2B procurement. SOC 2 Type II layered for US customers. Multi-region data residency design. Sub-processor management programme.

BPO / KPO / ITeS

Client-specific scope statements per customer contract. US/UK/EU client audit support. Secure transmission and remote access controls. HIPAA overlay for healthcare-customer BPO.

Pricing model

How engagements are scoped and priced

Fixed-price wherever scope is well-defined; T&M or retainer where ongoing work needs flexibility.

SME · single site (most common)

30–250 employees, single location, IT/SaaS scope. Fixed-price consultancy ₹1.5L–₹3.0L + CB audit fees ₹1.0L–₹2.0L (paid separately to BSI/TUV/DNV/BVQI etc.). VAPT bundled.

Mid-market / multi-site (distributed teams)

Multi-site or distributed-remote team. Fixed-price consultancy ₹3.0L–₹6.0L + CB fees. Includes deeper VAPT scope and supplier security programme rollout.

Retainer (post-cert) · ongoing ISMS run

Monthly retainer covering surveillance prep, quarterly risk review, internal audit cycle, supplier reviews, IR exercises. ₹35K–₹80K/month depending on scope.

Frequently asked

FAQs

01 How is ISO 27001 different from SOC 2 — do we need both?

ISO 27001 is a management-system standard producing a 3-year accredited certificate. SOC 2 is a controls attestation producing an annual report. ISO 27001 is the expectation in EU/UK/India enterprise and PSU procurement; SOC 2 is the US SaaS-customer expectation. Indian SaaS exporters to the US frequently maintain both — ISO 27001 as management spine, SOC 2 Type II for US customer-facing attestation.

02 How does ISO 27001 relate to DPDP Act 2023?

DPDP mandates 'reasonable security safeguards' but doesn't prescribe controls. ISO 27001:2022 Annex A — with ISO 27701 layered on — is the closest internationally recognized framework that maps to DPDP's expectations (data classification, breach notification, processor obligations). When the Data Protection Board issues enforcement actions, ISO 27001 + 27701 is the documented baseline that organizations with a defensible position will point to.

03 What does 'VAPT bundled' actually mean?

ISO 27001 Annex A.8.8 (vulnerability management) and A.8.29 (security testing) effectively require periodic technical testing. Most consultants do ISMS implementation only and ask you to engage a separate VAPT vendor. We do both — single engagement, consistent methodology, single point of accountability at Stage 2. The CB auditor sees one coherent evidence package, not two suppliers' stitched-together work.

04 How long does the entire process take?

Realistic timeline: 16–24 weeks (4–6 months) for an SME with no prior ISMS. Aggressive 10–12 week timelines are possible for already-mature security operations but rarely advisable. Multi-site or regulated entities (banks, NBFCs, payment system operators) typically run 24–36 weeks.

05 What's the realistic all-in cost?

For an Indian SME (50–250 employees, single site, IT/SaaS scope): consultancy ₹1.5L–₹3.0L + CB Stage 1+2 audit fees ₹1.0L–₹2.0L + VAPT (bundled) included + first-year tooling (if absent) ₹50K–₹2.0L. Total first-year ₹3.0L–₹9.0L. Year-2 surveillance ₹60K–₹1.2L.

06 Which certification bodies do you work with?

All major IAF / NABCB-accredited bodies — BSI, TUV Nord, TUV SUD, DNV, BVQI (Bureau Veritas), DEKRA, LRQA, SGS, Intertek, IRQS, URS, RINA, BSCIC. We recommend a CB based on your customer base, export markets, and procurement requirements — not on referral commissions.

07 Can ISO 27001 be combined with ISO 9001 or ISO 27701?

Yes — and it's often cheaper. Annex SL alignment means 9001 / 14001 / 45001 / 27001 share clauses 4–10 and only diverge on annex controls. ISO 27701 (privacy) is a direct overlay on 27001 — typically 25–40% incremental effort for the combined engagement vs running them sequentially.

08 What happens if Stage 2 raises non-conformances?

Minor NCs (most common) — documented corrective action plan and evidence of closure submitted to CB within 30–90 days; certificate then issued. Major NCs require a re-audit before certification. With proper Stage 1 readiness, majors are rare. We explicitly underwrite this in our engagement model.

ISMS + VAPT in one engagement.

Tell us your scope and customer drivers (RBI / SEBI / DPDP / enterprise procurement). Within 48 hours we come back with a fixed-price proposal.