Pillar guide · India · ISO 27001:2022

ISO 27001 consultant for Indian organizations.

A current, practical, India-specific guide to ISO 27001:2022 — the Annex A 2022 control framework, the 12-step implementation journey, alignment with DPDP Act 2023 and RBI/SEBI cyber frameworks, realistic cost and timeline for SMEs, and how to choose the right certification body.

  • 93: Annex A controls in the 2022 revision
  • 4–6 months: typical implementation timeline
  • ₹2–9L: total cost range for an SME in India
  • 2.4×: tender qualification uplift in tender-heavy sectors

What ISO 27001:2022 actually is

ISO 27001:2022 is the international standard for Information Security Management Systems. It is not a checklist; it is a management framework that says: identify your information assets, assess threats and vulnerabilities, decide what risks are acceptable, select controls that bring residual risk to acceptable levels, document everything, audit yourself, and keep improving. The standard defines requirements in clauses 4–10 (mandatory) and a control catalogue in Annex A (93 controls, each of which you either apply or justify excluding).

The 2022 revision restructured Annex A from 14 domains to 4 themes (Organizational, People, Physical, Technological) and introduced 11 new controls explicitly addressing threat intelligence, cloud security, configuration management, data leakage prevention, secure coding, and ICT readiness for business continuity. Organizations on the older ISO 27001:2013 version have until October 2025 to transition; after that, 2013 certificates become invalid.

For Indian organizations in 2026, ISO 27001:2022 is becoming the default information-security baseline — driven by the DPDP Act 2023, RBI and SEBI cyber frameworks, enterprise procurement pre-qualification, and increasingly PSU IT/OT supply contracts. This page is the definitive walk-through. If you'd rather jump to a scoping call, contact us.

Regulatory drivers in India

Four reasons ISO 27001 sits on the 2026 compliance roadmap

None of these reasons existed in their current form three years ago. Together they make ISO 27001:2022 the most pragmatic single investment for information-security maturity in India.

DPDP Act 2023

India's Digital Personal Data Protection Act mandates 'reasonable security safeguards' for personal data. ISO 27001:2022 + ISO 27701 (privacy) is the closest internationally-recognized scaffolding to demonstrate compliance to the Data Protection Board.

RBI Cyber Framework

RBI's Cyber Security Framework for banks, NBFCs, payment system operators, and ARC entities prescribes specific control families. ISO 27001 Annex A 2022 maps cleanly to most of them, with a few overlays (CISO function, table-top exercises, board reporting).

SEBI Cybersecurity

SEBI's Cybersecurity & Cyber Resilience Framework (CSCRF 2024) for regulated intermediaries, exchanges, and depositories explicitly references ISO 27001 as one credible benchmark for control coverage and ISMS maturity.

Enterprise procurement

Multinational customers, BFSI tier-1s, and PSU IT/OT procurement increasingly list ISO 27001 as pre-qualification. Without it, your bid is filtered out before technical evaluation begins.

Annex A 2022

The 4-theme control framework

The 2022 revision restructured Annex A from 14 domains into 4 themes — 93 controls total. Each control is "applied" or "not applied with justification" on your Statement of Applicability.

A.5 · Organizational Controls (37 controls)

Policies, roles and responsibilities, segregation of duties, threat intelligence, information security in supplier relationships, ICT readiness for business continuity, legal/regulatory/contractual obligations, intellectual property rights. The governance backbone.

A.6 · People Controls (8 controls)

Screening, terms and conditions of employment, awareness training, disciplinary process, responsibilities after termination, confidentiality agreements, remote working, information security incident reporting. The human-factor controls.

A.7 · Physical Controls (14 controls)

Physical security perimeters, secure office and facilities, monitoring physical access, protection against physical and environmental threats, working in secure areas, clear desk and clear screen, equipment siting, secure disposal, off-premises equipment.

A.8 · Technological Controls (34 controls)

User endpoint devices, privileged access rights, information access restriction, secure development lifecycle, configuration management, information deletion, data leakage prevention, network security, web filtering, cryptography, vulnerability management, logging.

Implementation journey

The 12-step path to certificate

The sequence we run on every ISO 27001 engagement. Realistic timing: 16–24 weeks from scope to certificate for an SME with no prior ISMS.

  1. Scope definition workshop

    Define ISMS scope — products, services, locations, third parties, exclusions. This single document drives every downstream artefact, from the SoA to the audit certificate language. Get it wrong here and the entire program drifts.

  2. Gap analysis vs ISO 27001:2022

    Walk-through of every Annex A control. Map current state, target state, evidence gaps. Output is a colour-coded register with effort estimates and owner assignments — what gets fixed, what's already in place, what's not applicable.

  3. Risk assessment & treatment plan

    Asset register → threats → vulnerabilities → impact + likelihood → residual risk. The risk methodology is yours to define (qualitative is fine), but it must be repeatable and documented. We use a tested framework that survives auditor scrutiny.

  4. Statement of Applicability (SoA)

    The contract between you and the auditor. Each of the 93 controls marked as Applied / Not Applied with justification. SoA is the most-inspected document at Stage 2 — typos and missing justifications are the most common minor non-conformances.

  5. Policy & procedure authoring

    Information security policy (board-approved), 10–15 supporting policies (acceptable use, access control, change management, supplier security, incident response, business continuity, cryptography, data classification, backup, secure development). Tailored to your stack — no boilerplate.

  6. Control implementation

    Closing actual control gaps — MFA rollout, privileged access management, log aggregation, vulnerability scanning cadence, security awareness training, supplier security questionnaires, BCP exercises. The longest phase, typically 8–12 weeks.

  7. Internal audit (round 1)

    Independent walk-through of all controls before CB Stage 1. Findings logged, root cause analysis done, corrective actions tracked to closure. Internal audit independence is a control in its own right — we run it as an external assessor would.

  8. Management review

    Documented review by top management covering ISMS performance, audit results, threat landscape changes, resource adequacy, improvement opportunities. Minutes signed. Without this, Stage 2 fails on clause 9.3.

  9. Stage 1 audit (documentation review)

    CB assessor reviews ISMS documentation off-site and may do a brief site visit. Output is a Stage 1 report listing readiness gaps. We help close everything before Stage 2 — never go to Stage 2 with open Stage 1 findings.

  10. Stage 2 audit (certification audit)

    On-site control verification. Auditor interviews staff, samples records, observes operations. We attend, support evidence retrieval, manage scope of audit, and close any minor non-conformance inside the visit window where possible.

  11. Non-conformance closure

    Any minor NCs raised — corrective action plans documented, root cause analysis, evidence of closure submitted to CB. Majors require re-audit and almost never happen with proper Stage 1 readiness.

  12. Certificate issued · 3-year cycle begins

    ISO 27001 certificate valid for 3 years, with surveillance audits at year 1 and year 2 (lighter scope), and full re-certification at year 3. We can stay on retainer for surveillance or hand over cleanly to your internal team.

Sector applications

How ISO 27001 reads differently by sector

Same standard. Different control emphasis, different audit scrutiny, different layered frameworks. Six sectors we deliver most frequently.

Banks & NBFCs

RBI Cyber Framework alignment, payment card environment scope carve-out, third-party risk for vendors, board cyber-risk reporting cadence.

Fintech & PayTech

Concurrent ISO 27001 + PCI DSS + DPDP coverage. NPCI vendor onboarding readiness, SOC 2 layered on for US/EU customers.

SaaS Exporters

ISO 27001 for EU/UK B2B procurement, SOC 2 Type II layered for US customers, multi-region data residency design, sub-processor management.

BPO / KPO / ITES

Client-specific scope statements per customer contract, US/UK/EU client audit support, secure transmission and remote access controls, US HIPAA overlay for healthcare-customer BPO.

IT Services & MSPs

ISMS scoped per service line, customer audit support, ITIL + 27001 integration, IT/OT supply for PSU contracts that increasingly require ISO 27001 baseline.

Healthcare & HealthTech

Patient data handling, electronic medical records, ISO 27799 (healthcare infosec) overlay, DPDP + sensitive personal data protection.

What we see fail in audits

Six most common Stage 2 non-conformances

Patterns from active engagements. Each of these is preventable if the implementation phase treats them as load-bearing rather than checkbox.

Inadequate Statement of Applicability

Missing justification for excluded controls, or 'Applied' marked without evidence to back it. The single most common Stage 2 finding.

Risk register not maintained

One-time exercise at certification, no quarterly refresh, no link to incident outcomes or threat intelligence. Auditors check timestamps.

Supplier security gaps

Vendor list, but no contractual security clauses, no questionnaire response evidence, no quarterly review. Annex A.5.19–A.5.23 is heavily inspected post-2022.

Access review cadence

User access not reviewed quarterly, privileged accounts not segregated, leaver process incomplete. Easy NC to raise, hard to defend if records aren't there.

Awareness training records

Training delivered but no completion evidence, no quiz/test, no role-specific content. Annex A.6.3 expects targeted, measurable training.

Incident response gap

Documented IR plan but no table-top exercise, no actual incidents logged, no post-incident review. Auditors look for a real or simulated event with documented learnings.
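The two findings above that auditors catch from records alone (an SoA row marked Applied with no evidence, an excluded control with no justification, a risk register whose timestamps show no quarterly refresh) can be self-checked before Stage 1. The following is an added example, not tooling from this page or from QualityNexus: it lints a hypothetical CSV export of the Statement of Applicability and the risk register. The column names, the two sample files and the review date are constructed for the example; the 93-control count and the 90-day review window come from the page.

```python
"""Pre-audit readiness checks over an SoA and a risk register (illustrative)."""
import csv
import io
from datetime import date

ANNEX_A_CONTROL_COUNT = 93      # ISO 27001:2022 Annex A
RISK_REVIEW_WINDOW_DAYS = 90    # "quarterly refresh" expected by auditors
VALID_STATUSES = {"Applied", "Not Applied"}

# Constructed sample SoA export; column names are an assumption of this example.
SOA_CSV = """control_id,title,status,justification,evidence_ref
A.5.1,Policies for information security,Applied,,POL-001
A.5.7,Threat intelligence,Applied,,
A.7.1,Physical security perimeters,Not Applied,Fully remote organisation; no office premises in scope,
A.8.29,Security testing in development and acceptance,Not Applied,,
"""

# Constructed sample risk register export.
RISK_CSV = """risk_id,asset,residual,last_reviewed,owner
R-001,Customer database,Medium,2026-01-15,CTO
R-002,Build pipeline,Low,2025-06-30,Engineering lead
"""

SAMPLE_TODAY = date(2026, 3, 1)  # constructed "audit window" date


def parse_csv(text):
    """Parse a CSV export (header row required) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def check_soa(rows, expected_count=ANNEX_A_CONTROL_COUNT):
    """Return (record_id, finding) pairs for SoA rows a Stage 2 auditor would flag."""
    findings = []
    if len(rows) != expected_count:
        findings.append(("SoA", f"{len(rows)} controls listed, expected {expected_count}"))
    for row in rows:
        cid = row["control_id"].strip()
        status = row["status"].strip()
        if status not in VALID_STATUSES:
            findings.append((cid, f"status '{status}' is not Applied / Not Applied"))
        elif status == "Applied" and not row["evidence_ref"].strip():
            # 'Applied' with nothing to back it: the most common Stage 2 finding.
            findings.append((cid, "marked Applied but no evidence reference"))
        elif status == "Not Applied" and not row["justification"].strip():
            findings.append((cid, "excluded without a justification"))
    return findings


def check_risk_register(rows, today, max_age_days=RISK_REVIEW_WINDOW_DAYS):
    """Flag risks with stale or missing review dates and risks with no owner."""
    findings = []
    for row in rows:
        rid = row["risk_id"].strip()
        try:
            reviewed = date.fromisoformat(row["last_reviewed"].strip())
        except ValueError:
            findings.append((rid, "last_reviewed is missing or not an ISO date"))
            continue
        age = (today - reviewed).days
        if age > max_age_days:
            findings.append((rid, f"last reviewed {age} days ago (> {max_age_days})"))
        if not row["owner"].strip():
            findings.append((rid, "no risk owner assigned"))
    return findings


def readiness_report(soa_text, risk_text, today):
    """Combine both checks into one list; empty list means nothing to fix."""
    return check_soa(parse_csv(soa_text)) + check_risk_register(parse_csv(risk_text), today)


if __name__ == "__main__":
    for record, message in readiness_report(SOA_CSV, RISK_CSV, SAMPLE_TODAY):
        print(f"{record}: {message}")
```

Run against real exports, the control-count check is the first thing to satisfy: a short SoA means controls were never decided on, not that they were excluded. The date check deliberately treats an unparseable `last_reviewed` as a finding rather than skipping the row, because an auditor sampling that row would do the same.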

Framework comparison

ISO 27001 vs SOC 2 vs DPDP — when which one

Three frameworks that overlap but answer different questions. Most Indian organizations targeting global customers run two or three concurrently — ISO 27001 as the management spine, SOC 2 for US customer-facing attestation, DPDP for statutory obligations.

Scope
  ISO 27001:2022: Entire ISMS — people, process, technology, suppliers
  SOC 2: Specific services / Trust Service Criteria
  DPDP Act 2023: Personal data handling only

Governing body
  ISO 27001:2022: ISO + IAF/NABCB-accredited CBs
  SOC 2: AICPA + licensed CPA firms
  DPDP Act 2023: Government of India (Data Protection Board)

Output
  ISO 27001:2022: 3-year accredited certificate
  SOC 2: Annual SOC report (Type I / Type II)
  DPDP Act 2023: No certificate — statutory obligation

Buyer expectation
  ISO 27001:2022: EU, UK, India enterprise, PSU
  SOC 2: US enterprise, especially SaaS customers
  DPDP Act 2023: Indian regulators + customers

Includes pen-test?
  ISO 27001:2022: Not by default — handled via A.8.8 / A.8.29
  SOC 2: Type II expects evidence of testing
  DPDP Act 2023: Implied via 'reasonable safeguards'

Realistic cost and timeline for an Indian SME

Scope drives everything. The same standard applied to a 30-person SaaS exporter is wildly different in effort and cost from the same standard applied to a 500-person BPO with US bank customers and FedRAMP-adjacent controls. Below are the ranges we see most consistently in our engagements.

  • A Consultancy (gap → certificate): ₹1.5L – ₹4.5L for SMEs (50–250 employees, single site, IT/SaaS scope)
  • B CB Stage 1 + Stage 2 audit fees: ₹1.0L – ₹2.5L (varies 1.5–4× between CBs)
  • C First-year tooling (VAPT, log aggregation, scanning, access mgmt if absent): ₹0.5L – ₹2.0L
  • D Internal staff time (CISO function, process owners, training): real but rarely costed — budget 20–40 person-days
  • E Year-2 surveillance audit: ₹60K – ₹1.2L
  • F Year-3 re-certification audit: similar to Stage 1+2 cost
  • G Timeline (scope to certificate): 16–24 weeks for SME, 6–12 months for enterprise multi-site
  • H Total first-year all-in: ₹3.0L – ₹9.0L typical SME band

Caveat — costs reflect 2026 Indian market for accredited CBs (BSI, TUV Nord, DNV, BVQI, DEKRA, LRQA, SGS, Intertek, BSCIC, IRQS, URS, RINA). Non-accredited certificates appear cheaper but are rejected by enterprise procurement and PSU tenders, making the apparent saving illusory.

Choosing a certification body

We're CB-neutral. The right CB depends on your customer base, geographic reach, and procurement reality — not on referral commissions. Four practical rules we apply when recommending:

  • 01 IAF-recognized or NABCB-accredited only. Non-accredited certificates are rejected by enterprise procurement and PSU tenders.
  • 02 Globally-recognized: BSI, TÜV Nord, TÜV SÜD, DNV, BVQI (Bureau Veritas), DEKRA, LRQA, SGS, Intertek.
  • 03 India-strong: BSCIC, URS, IRQS (Indian Register Quality Systems), RINA, ICL.
  • 04 Cost factor is real (CB fees range 1.5–4× between CBs) but DO NOT pick the cheapest. The audit experience and report quality matter for downstream customer trust.

Frequently asked

ISO 27001 FAQs from Indian clients

The questions we hear most often during scoping calls with CTOs, CISOs, and operations leads.

01 What is ISO 27001 and why has the 2022 revision changed things?

ISO 27001 is the international standard for Information Security Management Systems (ISMS). The 2022 revision restructured Annex A from 14 control domains (114 controls) to 4 themes (93 controls), introduced 11 new controls explicitly addressing threat intelligence, cloud security, ICT readiness, data leakage prevention, web filtering, secure coding, and configuration management. Organizations certified to the 2013 version have until October 2025 to transition.

02 How is ISO 27001 different from SOC 2 — do I need both?

ISO 27001 is a management-system standard producing a 3-year accredited certificate. SOC 2 is a controls attestation (Type II = period of evidence) producing an annual report. ISO 27001 is the expectation in EU/UK/India and for most Indian PSU and enterprise procurement. SOC 2 is the expectation for US enterprise SaaS customers, especially for vendor risk reviews. Indian SaaS exporters to the US frequently maintain both — ISO 27001 as the management baseline, SOC 2 Type II as the US customer-facing attestation.

03 How does ISO 27001:2022 relate to DPDP Act 2023?

DPDP requires 'reasonable security safeguards' but doesn't prescribe controls. ISO 27001:2022 Annex A — with ISO 27701 (privacy) layered on — is the closest internationally-recognized framework that maps to DPDP's expectations: data classification (A.5.12, A.5.13), data subject rights workflows (A.5.34), breach notification procedures (A.5.24, A.5.27), and processor obligations (A.5.19, A.5.23). When the Data Protection Board issues compliance enforcement actions, ISO 27001 + ISO 27701 will be the documented baseline most defensible organizations point to.

04 How long does ISO 27001 implementation take for an Indian SME?

Typical timeline is 16–24 weeks (4–6 months) for an SME with no prior ISMS: weeks 1–3 scope and gap analysis, weeks 4–6 risk assessment and SoA, weeks 5–10 policy authoring (parallel), weeks 7–18 control implementation, weeks 18–20 internal audit and management review, weeks 21–24 Stage 1 + Stage 2 CB audits. Aggressive timelines of 10–12 weeks are possible for already-mature security operations but rarely advisable.

05 What's the realistic cost of ISO 27001 certification in India?

For an Indian SME (50–250 employees, single site, IT/SaaS scope): consultancy fees ₹1,50,000–₹4,50,000 depending on starting maturity and scope size; CB audit fees (Stage 1 + Stage 2) ₹1,00,000–₹2,50,000; tooling (vulnerability scanning, log aggregation, access management if absent) ₹50,000–₹2,00,000 first-year. Total ₹3,00,000–₹9,00,000 first year. Year-2 surveillance audit ₹60,000–₹1,20,000. Year-3 re-certification audit at near-original cost.

06 Does ISO 27001 require a penetration test?

ISO 27001 doesn't explicitly mandate a penetration test, but Annex A.8.8 (Management of technical vulnerabilities) and A.8.29 (Security testing in development and acceptance) effectively require periodic technical testing. In practice, most Stage 2 auditors expect to see evidence of a VAPT exercise within the audit window. We bundle VAPT into our ISO 27001 engagements — a single vendor handles ISMS + testing for consistency.

07 Can ISO 27001 be implemented for just one product line or business unit?

Yes — scope is defined by you. Common SME and mid-market approach is to certify a specific product, service line, or business unit (with its own people, premises if applicable, and infrastructure) rather than the entire entity. The scope statement on the certificate must match the audited scope precisely. Customers reading the certificate can see exactly what's covered, so scope clarity is also a sales asset.

08 What happens if the Stage 2 audit raises non-conformances?

Minor NCs (most common) require a documented corrective action plan and evidence of closure submitted to the CB within an agreed window (typically 30–90 days). The certificate is then issued. Major NCs require a re-audit before the certificate can be issued. With proper Stage 1 readiness, major NCs are rare — and one of the things we explicitly underwrite in our engagement model.

09 Which Indian industries are seeing the highest demand for ISO 27001 in 2026?

Sharpest growth: fintech and PayTech (RBI, NPCI, payment card environment scopes), BFSI back-office BPO (US/UK/EU customer audit demands), Indian SaaS exporters (EU/UK procurement, SOC 2 + 27001 combos), PSU IT/OT vendors (NTPC, ONGC, IOCL, Indian Railways IT supply increasingly cites 27001), and healthcare/HealthTech (ABDM, hospital chains, diagnostic networks).

10 How does QualityNexus deliver ISO 27001 engagements differently?

Three practical commitments: (1) Lead auditor on every call — no junior hand-off; (2) Fixed-price scoped engagement with milestone deliverables, no hourly billing surprises; (3) VAPT bundled in, so Stage 2 auditor sees consistent vendor evidence instead of stitching together two suppliers' work. We work CB-neutral and recommend the certification body based on your customer base and procurement requirements, not on referral commissions.

Bring ISO 27001 inside in one engagement.

Tell us your scope and customer drivers (RBI / SEBI / DPDP / enterprise procurement). Within 48 hours we come back with a gap report, fixed-price proposal, and a realistic 4–6 month plan.