What does ISO 27001 certification cost in India?

ISO 27001 certification in India typically costs ₹3–8 lakhs for consulting plus certification audit, depending on company size. MYITMANAGER delivers end-to-end ISO 27001 implementation with full ownership — from gap assessment to certification — at transparent pricing.

Who needs DPDP Act compliance in India?

Every organisation that processes personal data of Indian citizens must comply with India's Digital Personal Data Protection (DPDP) Act. This includes startups, SaaS companies, fintech, healthcare, and e-commerce businesses. Non-compliance penalties can reach ₹250 crore.

What is a vCISO and does my company need one?

A vCISO (Virtual CISO) provides strategic cybersecurity leadership without the cost of a full-time hire. MYITMANAGER's vCISO service delivers board-ready risk reporting, compliance roadmaps, and security program ownership for Indian companies at a fraction of in-house cost.

What do RBI Cybersecurity Guidelines 2026 require for banks and NBFCs?

RBI's 2026 cybersecurity guidelines require banks and NBFCs to implement annual VAPT by CERT-In empanelled firms, adopt a formal ISMS, conduct third-party risk assessments, and maintain incident response plans. MYITMANAGER helps financial institutions achieve full RBI compliance end-to-end.

Is ISO 27001 mandatory in India?

ISO 27001 is not mandated by a single Indian law, but it is effectively required for IT and ITES companies bidding on government contracts, enterprise B2B sales, and export-oriented businesses. SEBI and RBI increasingly reference it in vendor risk frameworks.

How long does ISO 27001 certification take in India?

Typically 4-9 months for a first-time certification: 1-2 months for gap analysis and scoping, 2-4 months for ISMS implementation, and 1-2 months for Stage 1 + Stage 2 audit. Smaller organisations with a mature security posture can compress this to 12 weeks.

How much does ISO 27001 certification cost in India?

Total cost ranges from Rs 4 lakh (small startup, minimal scope) to Rs 35 lakh (mid-sized enterprise, multi-site). Consulting fees: Rs 1-7 lakh. Certification body audit fees: Rs 1.5-4 lakh. Annual surveillance audit: Rs 0.8-1.5 lakh.

What is the difference between ISO 27001:2013 and ISO 27001:2022?

ISO 27001:2022 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes (Organisational, People, Physical, Technological). It added 11 new controls including Threat Intelligence (5.7), Cloud Security (5.23), and Secure Coding (8.28). All ISO 27001:2013 certificates expired on 31 October 2025.

Do I need to implement all 93 Annex A controls?

No. You select controls based on your risk assessment and document decisions in a Statement of Applicability (SoA). Typical Indian SaaS companies implement 60-75 controls; you justify excluding the remainder with a documented rationale.

Which certification body should I choose in India?

Choose an IAF-accredited body whose accreditation is recognised by your target customers. Popular choices in India include BSI, Bureau Veritas, TUV SUD, DNV, and KPMG Global Services. Verify accreditation at the Quality Council of India (QCI) / National Accreditation Board for Certification Bodies (NABCB) website.

What is a Statement of Applicability (SoA)?

The SoA is a mandatory ISO 27001 document listing all 93 Annex A controls, stating whether each is applicable or excluded, the reason for inclusion/exclusion, and implementation status. Auditors treat the SoA as the backbone of your ISMS.

How does ISO 27001 relate to the DPDP Act 2023?

ISO 27001 is the strongest operational framework for DPDP Act compliance. Annex A controls map directly to DPDP obligations: A.5.12 (classification) maps to data categorisation; A.5.33 (protection of records) maps to retention; A.6.8 (information security event reporting) maps to breach notification under Section 8(6).

ISO 27001 Certification India — Complete Implementation Guide 2026

June 24, 2026

Why ISO 27001 Certification Matters for Indian Companies in 2026

ISO 27001 is the world’s leading information security management standard — and for Indian IT, SaaS, BFSI, and healthcare companies, it has shifted from a nice-to-have to a commercial necessity. Enterprise buyers in the US, EU, and Middle East routinely demand ISO 27001 as a vendor qualification gate. SEBI’s CSCRF circular (2024) references ISO 27001 for regulated financial entities. And with the DPDP Act 2023 now operational, ISO 27001 provides the most defensible operational framework to demonstrate compliance.

Critically: all ISO 27001:2013 certificates expired on 31 October 2025. If your organisation holds or is pursuing certification, it must be to the ISO 27001:2022 edition. This guide covers everything you need to know — from scope to surveillance audit.

ISO 27001:2022 — What Changed from 2013

The 2022 revision is significant but manageable. The standard’s 10 clauses (the mandatory requirements) are largely unchanged. The major change is in Annex A — the control reference set:

Dimension	ISO 27001:2013	ISO 27001:2022
Total controls	114	93
Control domains/themes	14 domains	4 themes
New controls	—	11 new controls
Merged controls	—	57 merged
Certificate validity	Expired 31 Oct 2025	Current edition

The 11 new controls most relevant to Indian organisations are: Threat Intelligence (5.7), Information Security for Cloud Services (5.23), ICT Readiness for Business Continuity (5.30), Physical Security Monitoring (7.4), Configuration Management (8.9), Information Deletion (8.10), Data Masking (8.11), Data Leakage Prevention (8.12), Monitoring Activities (8.16), Web Filtering (8.23), and Secure Coding (8.28).

The 4 Annex A Themes and 93 Controls

ISO 27001:2022 organises its 93 controls into four themes. You are not required to implement all 93 — you select controls based on your risk assessment and document exclusions in the Statement of Applicability.

Theme 1: Organisational Controls (37 controls, A.5.x)

Covers policies, roles, responsibilities, supplier relationships, and incident management. Key controls for Indian SaaS companies: A.5.7 Threat Intelligence (new — requires a structured process to collect and act on threat feeds), A.5.19–A.5.22 Supplier Security (vendor due diligence, contracts, supply chain), and A.5.23 Cloud Service Security (new — governance of cloud platforms including AWS, Azure, GCP).

Theme 2: People Controls (8 controls, A.6.x)

Covers screening, terms of employment, security awareness, disciplinary processes, and remote working. A.6.3 Information Security Awareness, Education and Training is frequently cited as deficient in Indian SME audits. Annual security awareness training with documented completion records is the minimum bar.

Theme 3: Physical Controls (14 controls, A.7.x)

Covers physical perimeters, entry controls, CCTV, clean desk, equipment maintenance, and secure disposal. For cloud-native companies with no data centre, many physical controls apply to office premises. You must still address them — you cannot exclude A.7.x entirely without a documented risk justification.

Theme 4: Technological Controls (34 controls, A.8.x)

The most operationally intensive theme. Key controls: A.8.8 Management of Technical Vulnerabilities (patch management SLAs), A.8.15 Logging, A.8.16 Monitoring Activities (new — SIEM or equivalent), A.8.24 Use of Cryptography, A.8.28 Secure Coding (new — SSDLC requirements), and A.8.32 Change Management.

ISO 27001 Certification Timeline in India

Phase	Activity	Duration
Phase 1	Scope definition + Gap analysis	3–5 weeks
Phase 2	Risk assessment + Risk treatment plan	3–4 weeks
Phase 3	Control implementation + Documentation	6–12 weeks
Phase 4	Internal audit + Management review	2–3 weeks
Phase 5	Stage 1 Audit (documentation review)	1–2 weeks
Phase 6	Stage 2 Audit (on-site effectiveness)	1–2 weeks
Total	First certificate	4–9 months

After certification, you must maintain the ISMS with annual surveillance audits (Years 1 and 2) and a full recertification audit in Year 3. Surveillance audits typically cost 40–50% of the initial certification audit fee.

ISO 27001 Certification Cost in India (2026)

Organisation Size	Consulting + Implementation	Certification Audit	Total Year 1
Startup / less than 50 staff	Rs 1–3 lakh	Rs 1.5–2.5 lakh	Rs 4–6 lakh
Mid-market / 50–250 staff	Rs 4–10 lakh	Rs 2.5–5 lakh	Rs 8–15 lakh
Enterprise / 250+ staff	Rs 10–25 lakh	Rs 5–12 lakh	Rs 20–40 lakh

The 10 Mandatory ISO 27001 Clauses

Clause 4: Context of the organisation (internal/external issues, interested parties)
Clause 5: Leadership (top management commitment, security policy, roles)
Clause 6: Planning (risk assessment, risk treatment, SoA, security objectives)
Clause 7: Support (resources, competence, awareness, communication, documentation)
Clause 8: Operation (operational planning, risk treatment implementation)
Clause 9: Performance evaluation (monitoring, internal audit, management review)
Clause 10: Improvement (non-conformity, corrective action, continual improvement)

ISO 27001 vs DPDP Act — How They Align

DPDP Obligation	ISO 27001:2022 Control
Section 8(1) — Reasonable security safeguards	Annex A Theme 4 (Technological Controls)
Section 8(6) — Breach notification within 72 hours	A.5.26 Response to Information Security Incidents + A.6.8
Section 8(7) — Retain data only as long as necessary	A.5.33 Protection of Records, A.8.10 Information Deletion
Section 9 — Data Principal rights (access, correction, erasure)	A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
Section 28 — Data Fiduciary obligations	A.5.19–A.5.22 Supplier/Third-Party Security

Common ISO 27001 Failure Points in Indian Audits

Incomplete Risk Assessment — Assets identified but threat-vulnerability pairs not mapped; risk ratings not documented or reviewed annually.
SoA not maintained — Statement of Applicability prepared for Stage 1 but not updated when controls change.
Awareness training not evidenced — Training conducted but completion records, quiz scores, and annual refresh dates not available.
Vendor contracts missing security clauses — Sub-processors and cloud providers not covered by formal information security agreements (A.5.20).
Internal audit independence — Internal auditors audit their own areas, violating Clause 9.2 independence requirements.
Management review not documented — Reviews happen informally; no formal minutes with decisions and actions recorded.

How to Choose a Certification Body in India

Only use an IAF-accredited certification body. In India, accreditation is granted by NABCB (National Accreditation Board for Certification Bodies) under the Quality Council of India. Verify accreditation at nabcb.qci.org.in before engaging any CB. Well-recognised bodies operating in India: BSI Group, Bureau Veritas, TUV SUD, DNV, Intertek, and KPMG Global Services.

ISO 27001 Fast-Track: Is It Possible?

Yes — organisations with a mature security posture (existing security team, documented policies, cloud-native with limited physical footprint) can achieve Stage 2 audit in 12–16 weeks with the right consultant. The prerequisites are: narrow scope, executive sponsor with decision authority, dedicated internal project owner (minimum 20% of one FTE), and no material non-conformities in the gap analysis.

Fast-track is not recommended if your gap analysis reveals more than 20 missing controls, you have multiple physical sites, or your risk assessment has never been formally conducted.

Ready to Start Your ISO 27001 Journey?

MYIT Manager delivers ISO 27001 implementation and audit-readiness for Indian companies — from gap analysis to certificate. Led by a CISM-certified ex-Bain IT Head with 20+ years of experience.

Talk to an ISO 27001 Expert

Related Compliance Guides

Related Services & Resources

Ready to Get Started?

Speak directly with Saurabh Gupta — CISM, CIPP/E, ex-Bain India IT Head.
No sales pitch. Just clarity on your compliance path.

Get a Free Assessment 📅 Schedule a Meeting

MYITMANAGER

Cyber Security & Risk Advisory

Digital Trust & Privacy

IT Compliance