ISO 27001 Certification in India: A Step-by-Step Guide for 2025

By Siri Law LLP · March 2025 · 16 min read

ISO/IEC 27001 is the world's leading international standard for information security management. For Indian organisations — from IT companies and fintechs to hospitals and NBFCs — achieving certification is no longer just a competitive advantage. Clients demand it, regulators reference it, and global contracts increasingly require it. This guide walks you through every stage of the certification journey, from the initial gap assessment to the day your certificate is issued.

1. What Is ISO 27001 and Why Does It Matter?

ISO/IEC 27001 is published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). The current version is ISO/IEC 27001:2022, which replaced the 2013 edition and introduced an updated Annex A control set aligned with ISO/IEC 27002:2022.

The standard specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). An ISMS is not a piece of software — it is a systematic framework of policies, processes, and controls that an organisation uses to manage information security risks.

Why Indian organisations are pursuing ISO 27001 in 2025

  • Client and contractual requirements: Global enterprises — particularly in the US, UK, EU, and GCC — routinely require their Indian IT, BPO, and service vendors to hold ISO 27001 certification before signing contracts.
  • Regulatory alignment: RBI, SEBI, IRDAI, and MeitY all reference ISO 27001 in their cybersecurity frameworks as an accepted standard for demonstrating security controls.
  • DPDPA 2023 readiness: An ISO 27001 ISMS provides a strong foundation for complying with the Digital Personal Data Protection Act 2023, particularly around organisational and technical safeguards.
  • Tender eligibility: Many government and enterprise tenders now require ISO 27001 as a mandatory qualification criterion.
  • Cyber insurance: Insurers offer lower premiums and broader coverage to organisations with a certified ISMS.

✓ 2022 vs 2013 — Which Version to Certify Against?

Certify against ISO/IEC 27001:2022. The transition deadline for organisations certified under the 2013 version is October 2025. New certifications issued from 2024 onwards must be against the 2022 version. The key change is the Annex A controls — reduced from 114 controls across 14 domains to 93 controls across 4 themes (Organisational, People, Physical, and Technological).

2. Understanding the ISMS Scope

Before any technical work begins, your organisation must define the scope of the ISMS — the boundaries within which the standard will be applied and the certificate will be valid.

Scope can be defined by:

  • Organisational boundaries (a specific legal entity, business unit, or department)
  • Physical boundaries (a specific office, data centre, or geographic location)
  • Service boundaries (a specific product, service line, or process)

For example, an IT company might scope its ISMS to cover "the development and support of software products delivered from its Bengaluru development centre." A fintech might scope it to cover "the processing and storage of payment data across its production environment."

ⓘ Scope Strategy

A narrower scope is faster and cheaper to certify but may not satisfy clients who want assurance across your entire organisation. A broader scope provides stronger assurance but requires more effort. Get scope advice from a qualified consultant before starting — a poorly defined scope is one of the most common reasons for certification delays.

3. The 10 Steps to ISO 27001 Certification

The certification journey follows a consistent sequence. Most Indian organisations take between 6 and 18 months from initiation to certification, depending on scope size, existing security maturity, and the pace of internal implementation.

Step 1: Gap Assessment

Measure your current state against ISO 27001:2022 requirements and the 93 Annex A controls. Identify which clauses and controls are already met, partially met, or not met. The output is a gap report and a prioritised remediation roadmap.

  • Typical duration: 1–3 weeks
  • Who does it: Internal team or external consultant
  • Output: Gap report, risk register baseline, remediation roadmap

Step 2: Management Commitment and Project Initiation

ISO 27001 requires visible leadership commitment. The Board or senior management must formally approve the ISMS project, assign an ISMS owner (typically the CISO or an equivalent role), allocate budget, and communicate the initiative across the organisation.

  • Output: Board resolution or management mandate, ISMS project charter, budget approval

Step 3: Define ISMS Scope and Context

Formally document the scope of the ISMS (Clause 4.3). Identify internal and external issues relevant to information security (Clause 4.1) and map interested parties and their requirements (Clause 4.2). This forms the foundation of your Statement of Applicability.

  • Output: Scope document, context of the organisation document, interested parties register

Step 4: Information Security Risk Assessment

This is the most critical step in the entire process. Identify all information assets within scope, assess the threats and vulnerabilities applicable to each asset, evaluate the likelihood and impact of each risk, and assign a risk level. The standard requires a documented, repeatable risk assessment methodology.

  • Typical duration: 2–6 weeks depending on asset inventory size
  • Output: Asset register, risk register, risk treatment plan
  • Common methodology: ISO 27005, NIST SP 800-30, or a customised likelihood × impact matrix

Step 5: Risk Treatment and Statement of Applicability (SoA)

For each identified risk, decide whether to treat it (implement a control), tolerate it (accept the risk), transfer it (insurance or contract), or terminate it (discontinue the risky activity). The Statement of Applicability documents all 93 Annex A controls, states whether each is applicable to your scope, and justifies inclusions and exclusions.

  • Output: Risk Treatment Plan (RTP), Statement of Applicability (SoA) — a mandatory certification document

Step 6: Implement Controls and ISMS Documentation

Implement the security controls selected in your risk treatment plan and produce the mandatory documentation required by the standard. This is typically the longest phase of the project.

  • Mandatory policies: Information Security Policy, Acceptable Use Policy, Access Control Policy, Incident Management Policy, Business Continuity Policy, Supplier Security Policy
  • Mandatory records: Risk register, SoA, asset register, training records, audit logs, incident records, internal audit results, management review minutes
  • Technical controls: Access management, encryption, vulnerability management, patch management, logging and monitoring, backup and recovery, physical security

Step 7: Staff Awareness and Training

ISO 27001 requires all personnel whose work affects information security to be competent and aware. This means documented training, not just a policy email. Conduct organisation-wide security awareness sessions, role-specific training for IT and security teams, and phishing simulation exercises.

  • Output: Training plan, training completion records, awareness programme calendar

Step 8: Internal Audit

Conduct a full internal audit of the ISMS against all ISO 27001:2022 clauses before the external certification audit. The internal audit must be conducted by someone independent of the area being audited. Identify non-conformities, assign corrective actions, and verify closure.

  • Typical duration: 1–2 weeks
  • Output: Internal audit report, non-conformity register, corrective action records

Step 9: Management Review

Senior management must formally review the ISMS before the certification audit. The review agenda must cover ISMS performance, audit results, risk treatment status, incidents, corrective actions, and continual improvement opportunities. Minutes must be documented.

  • Output: Management review meeting minutes — mandatory evidence for Stage 2 audit

Step 10: Certification Audit (Stage 1 + Stage 2)

Engage an accredited certification body (CB) to conduct the two-stage external audit. Stage 1 is a documentation review; Stage 2 is a full on-site (or remote) audit of ISMS implementation. Successful completion results in the issuance of your ISO 27001:2022 certificate, valid for 3 years subject to annual surveillance audits.

  • Stage 1 duration: 1–2 days
  • Stage 2 duration: 2–5 days depending on scope
  • Output: Certificate valid for 3 years, surveillance audits in Year 1 and Year 2, recertification audit in Year 3
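Steps 4 and 5 above describe a likelihood × impact risk assessment that feeds a risk treatment plan and a Statement of Applicability. The script below is an added example written for this guide, not Siri Law LLP's methodology or any tooling from the standard: the 5-point scales, the High/Medium/Low thresholds, the six-control slice of Annex A, and the sample risks are all constructed assumptions, and a real SoA must cover all 93 controls.

```python
from dataclasses import dataclass

TREATMENTS = ("treat", "tolerate", "transfer", "terminate")

# Constructed slice of the Annex A 2022 catalogue; a real SoA lists all 93 controls.
ANNEX_A = {
    "5.23": "Information security for use of cloud services", "8.9": "Configuration management",
    "8.11": "Data masking", "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities", "8.23": "Web filtering",
}

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed 5-point scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed 5-point scale
    treatment: str        # one of TREATMENTS: treat / tolerate / transfer / terminate
    controls: tuple = ()  # Annex A ids selected when treatment == "treat"

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "treat" and not self.controls:
            raise ValueError("a treated risk must select at least one control")

def risk_level(likelihood: int, impact: int) -> str:
    """Qualitative level from the likelihood x impact product (assumed thresholds)."""
    score = likelihood * impact
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def build_register(risks):
    """Risk register rows (score, level, risk), highest score first."""
    rows = [(r.likelihood * r.impact, risk_level(r.likelihood, r.impact), r) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)

def build_soa(risks, catalogue=ANNEX_A):
    """SoA: every catalogue control marked applicable or excluded, each with a justification."""
    selected = {}
    for r in risks:
        for cid in r.controls:
            if cid not in catalogue:
                raise KeyError(f"control {cid} is not in the catalogue")
            selected.setdefault(cid, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid, name in catalogue.items():
        if cid in selected:
            soa[cid] = (True, f"{name}: treats " + "; ".join(selected[cid]))
        else:
            soa[cid] = (False, f"{name}: no in-scope risk requires this control")
    return soa

# Constructed sample register for a fictional payment-processing scope.
SAMPLE_RISKS = [
    Risk("Customer PAN database", "exfiltration by insider", 3, 5, "treat", ("8.12", "8.16")),
    Risk("UAT environment", "production data copied into test", 4, 4, "treat", ("8.11",)),
    Risk("Cloud object storage", "misconfigured public bucket", 3, 4, "treat", ("5.23", "8.9")),
    Risk("Office printer", "paper jam causing delay", 4, 1, "tolerate"),
    Risk("Legacy FTP gateway", "unauthenticated file drop", 5, 3, "terminate"),
]
```

Note that the excluded control (8.23 in this sample) still appears in the SoA with a written justification, which is what the auditor checks at Stage 1.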

4. The Certification Audit in Detail

Understanding exactly what happens during the certification audit reduces anxiety and helps your team prepare effectively.

Stage 1 — Documentation Review

The auditor reviews your ISMS documentation remotely or on-site without assessing implementation. They check that mandatory documents exist, are complete, and are consistent with each other. The auditor will confirm whether your organisation is ready to proceed to Stage 2 and may raise "observations" — minor issues to address before Stage 2.

Key documents reviewed at Stage 1:

  • ISMS scope document
  • Information Security Policy
  • Risk assessment methodology and results
  • Statement of Applicability (SoA)
  • Risk Treatment Plan
  • Internal audit report and corrective actions
  • Management review minutes

Stage 2 — Implementation Audit

This is the full certification audit. The auditor assesses whether your documented controls are actually implemented and effective. They interview staff, review evidence (logs, tickets, training records, access control lists), and test controls against the requirements.

Non-conformities raised at Stage 2:

  • Major non-conformity: A systemic failure or absence of a required control. Must be resolved and evidence submitted before the certificate can be issued.
  • Minor non-conformity: An isolated gap or weakness. A corrective action plan must be submitted; the certificate may be issued subject to verification at the next surveillance audit.
  • Observation/opportunity for improvement: Not a non-conformity but noted for continuous improvement.

The certification audit is not a surprise examination — it is a structured review of evidence you have already gathered. Organisations that treat documentation and record-keeping as a continuous activity, not a pre-audit sprint, consistently perform better.


5. Choosing an Accredited Certification Body in India

Your certificate is only as credible as the certification body that issues it. Always use a certification body accredited by a member of the International Accreditation Forum (IAF) Multilateral Recognition Arrangement (MLA). In India, the Quality Council of India (QCI) through its National Accreditation Board for Certification Bodies (NABCB) accredits certification bodies for ISO 27001.

Well-known accredited certification bodies operating in India include:

| Certification Body | Accreditation | Notes |
|---|---|---|
| BSI Group | UKAS (UK) | One of the largest CBs globally; widely recognised by international clients. |
| Bureau Veritas | COFRAC (France) / multiple | Strong presence in India; recognised across sectors. |
| TUV SUD | DAkkS (Germany) | Particularly recognised in automotive, manufacturing, and engineering sectors. |
| TUV Rheinland | DAkkS (Germany) | Strong in IT and telecom sectors. |
| DNV | NAB (Norway) / multiple | Strong in energy, maritime, and infrastructure. |
| KPMG Assurance | NABCB (India) | Recognised by Indian regulators; useful for RBI/SEBI regulated entities. |
| Intertek | Multiple IAF MLA members | Broad sector coverage; competitive pricing. |

⚠ Avoid Non-Accredited Certificates

A number of organisations in India offer ISO 27001 certificates through non-accredited or self-accredited bodies. These certificates are not recognised by international clients, global enterprises, or regulators. Always verify accreditation on the IAF CertSearch database at iaf.nu/certsearch before engaging a certification body.

6. Key ISO 27001:2022 Annex A Controls — What Has Changed

The 2022 revision introduced 11 new controls that were not present in the 2013 edition. These reflect the evolution of the threat landscape and the shift to cloud, remote working, and supply chain risks.

| Control | Theme | Why It Matters in 2025 |
|---|---|---|
| 5.7 Threat intelligence | Organisational | Organisations must now collect and analyse threat intelligence. Ad hoc awareness is not sufficient. |
| 5.23 Information security for use of cloud services | Organisational | Directly addresses cloud procurement, shared responsibility, and data residency — critical for India-based cloud users. |
| 5.30 ICT readiness for business continuity | Organisational | Expands BCP requirements to specifically address ICT systems recovery and resilience. |
| 7.4 Physical security monitoring | Physical | Requires continuous monitoring of physical security — CCTV, access logs, perimeter alerts. |
| 8.9 Configuration management | Technological | Formal configuration baselines and change management for all in-scope systems. |
| 8.10 Information deletion | Technological | Secure deletion of data at end of life — relevant for DPDPA storage limitation obligations. |
| 8.11 Data masking | Technological | Masking of sensitive data in non-production environments — commonly missed in testing/dev teams. |
| 8.12 Data leakage prevention | Technological | DLP tools or equivalent controls to prevent unauthorised exfiltration. |
| 8.16 Monitoring activities | Technological | Formalises monitoring requirements — SIEM, anomaly detection, log review processes. |
| 8.23 Web filtering | Technological | Controls to block access to malicious or unauthorised websites. |
| 8.28 Secure coding | Technological | Secure development lifecycle requirements — OWASP alignment, code review, SAST/DAST. |

7. How Long and How Much Does It Cost?

Timeline

| Organisation Type | Typical Timeline | Key Variable |
|---|---|---|
| Small IT/SaaS company (50–200 staff, narrow scope) | 4–8 months | Existing security maturity and documentation quality |
| Mid-sized IT services firm (200–1000 staff) | 8–14 months | Number of locations, complexity of asset inventory |
| Large enterprise or NBFC/bank (1000+ staff) | 12–18 months | Scope breadth, number of business units, regulatory overlay |
| Healthcare or critical infrastructure operator | 12–24 months | Legacy systems, OT/IT convergence, regulatory requirements |

Indicative Cost Ranges (India, 2025)

| Cost Element | Small Org | Mid-Sized Org | Large Org |
|---|---|---|---|
| Gap assessment & consulting | ₹3–8L | ₹8–20L | ₹20–60L+ |
| Certification body audit fees | ₹2–5L | ₹5–12L | ₹12–30L+ |
| Technical controls & tooling | ₹2–10L | ₹10–40L | ₹40L–1Cr+ |
| Internal resource cost | Significant — plan for 20–30% of ISMS Manager's time | Significant — dedicated ISMS team often needed | Dedicated team + external support |

These are indicative ranges only. Costs vary significantly based on existing maturity, scope complexity, location, and the certification body selected.

8. ISO 27001 and Regulatory Compliance in India

One of the most important benefits of ISO 27001 for Indian organisations is the degree to which it satisfies or aligns with domestic regulatory requirements.

| Regulation / Framework | ISO 27001 Alignment |
|---|---|
| DPDPA 2023 (Data Fiduciary obligations) | Strong alignment. ISMS policies on data protection, access control, incident management, and vendor management directly address DPDPA safeguard obligations. |
| CERT-In Directions 2022 | Good alignment. ISO 27001 incident management controls, log retention practices, and NTP synchronisation map to CERT-In obligations. Does not replace CERT-In reporting obligations. |
| RBI IT Framework / Master Directions | RBI explicitly recognises ISO 27001 as an accepted standard. Certified NBFCs and banks can use their ISMS documentation to satisfy significant portions of RBI IT audit requirements. |
| SEBI CSCRF 2024 | ISO 27001 is listed as an acceptable framework for demonstrating cybersecurity controls. Intermediaries pursuing SEBI compliance benefit significantly from prior ISO 27001 work. |
| IRDAI Cybersecurity Guidelines | IRDAI references ISO 27001 as a benchmark. Insurers and intermediaries with ISO 27001 certification have a demonstrable compliance posture. |
| MeitY / IT Act & SPDI Rules | ISO 27001 controls for data protection, access management, and incident response align closely with SPDI Rules obligations for body corporates handling sensitive personal data. |

9. Common Reasons Organisations Fail or Delay Certification

  • Treating ISO 27001 as a documentation exercise. Auditors will verify that controls are actually implemented and effective, not just written down. A policy manual without evidence of implementation will result in non-conformities.
  • Poorly defined scope. A scope that is too broad collapses the project; one that is too narrow may not satisfy clients. Scope decisions should be made deliberately with legal and business input.
  • Inadequate risk assessment. The risk assessment is the foundation of the ISMS. A shallow or template-copied risk register that doesn’t reflect your actual assets and threats will fail Stage 2.
  • No management engagement. ISO 27001 requires evidence of leadership involvement at multiple points. An ISMS run entirely by IT with no Board or senior management input will not pass Clause 5 requirements.
  • Certifying against the 2013 version. From 2024, new certifications must be against ISO/IEC 27001:2022. A certificate issued against the 2013 version is no longer valid and requires immediate transition.
  • Choosing a non-accredited certification body. Certificates from non-accredited bodies are not recognised by international clients or regulators. Verify accreditation before engaging any CB.
  • Neglecting surveillance audits. The certificate requires annual surveillance audits in Year 1 and Year 2. Missing a surveillance audit results in certificate suspension.

10. How Siri Law LLP Supports ISO 27001 Certification

Siri Law LLP's GRC practice provides end-to-end support for organisations pursuing ISO 27001 certification. Our work combines legal expertise — ensuring your ISMS policies satisfy regulatory requirements under DPDPA, RBI, SEBI, and CERT-In — with practical compliance execution so you are not managing multiple consultants.

| Service | What We Do |
|---|---|
| Gap Assessment | Full ISO 27001:2022 gap assessment with a prioritised remediation roadmap and effort estimate. |
| ISMS Design & Documentation | We draft all mandatory policies, procedures, and records required by the standard, tailored to your organisation and sector. |
| Risk Assessment Support | We facilitate your information security risk assessment and risk treatment planning, including the Statement of Applicability. |
| Pre-Audit Readiness Review | We conduct a mock Stage 1 and Stage 2 audit before you engage the certification body, identifying gaps before the real audit. |
| Regulatory Mapping | We map your ISMS controls to applicable Indian regulations (DPDPA, CERT-In, RBI, SEBI) so certification also advances your broader compliance posture. |
| Certification Body Selection | We advise on which accredited CB best suits your sector, client requirements, and budget. |

To book a complimentary ISO 27001 readiness consultation, visit sirilawllp.com/contact or reach out directly. Our team responds within one business day.

Key Takeaways

  • ISO/IEC 27001:2022 is the current version — all new certifications must be against the 2022 edition, not the superseded 2013 version.
  • An ISMS is a management system, not software — it is a framework of policies, processes, and controls governing how your organisation manages information security risk.
  • The certification journey has 10 clear stages from gap assessment to certificate issuance — most Indian organisations take 6–18 months.
  • The Statement of Applicability (SoA) is a mandatory certification document — it must address all 93 Annex A controls with justified inclusions and exclusions.
  • Always use an IAF MLA-accredited certification body — verify at iaf.nu/certsearch before engaging.
  • ISO 27001 strongly aligns with DPDPA 2023, RBI, SEBI, IRDAI, and CERT-In requirements — certification advances your entire regulatory compliance posture simultaneously.
  • The 2022 revision introduced 11 new controls including cloud security, threat intelligence, data masking, DLP, and secure coding — ensure your ISMS addresses all of them.
  • Treat documentation, evidence collection, and training as continuous activities — not a pre-audit sprint.

Disclaimer: This article is published by Siri Law LLP for informational purposes only and does not constitute legal or certification advice. The information reflects the standard and regulatory framework as of March 2025. Requirements evolve — verify current requirements before taking action. For advice specific to your organisation, consult a qualified professional. © 2025 Siri Law LLP. All rights reserved.

Siri Law LLP

Cybersecurity & GRC Practice

Siri Law LLP’s Cybersecurity & GRC team has supported organisations across IT, fintech, healthcare, and financial services in achieving ISO 27001 certification and building regulatory-aligned information security management systems. We combine legal expertise with technical compliance execution across DPDPA, CERT-In, RBI, SEBI, and IRDAI frameworks.

Start Your ISO 27001 Journey Today

Our GRC team will assess your current security posture, define the right scope, and guide you through every stage — from gap assessment to the day your certificate is issued.