ISO 27001:2022 is an international information security standard that provides a structured six-phase implementation roadmap: gap assessment, risk assessment, ISMS documentation, controls implementation, internal audit, and external certification. For Indian organisations, this roadmap leads to a certified Information Security Management System (ISMS) — one that satisfies enterprise procurement requirements, DPDP Act 2023 "reasonable security safeguards" obligations, and RBI IT Framework expectations simultaneously. Most Indian startups complete the journey in six to twelve months from a low baseline. This guide covers every phase — from gap assessment to receiving your certificate — with the specific documentation, decisions, and common pitfalls your team needs to know before you begin.
Why ISO 27001 Certification Is Now a Business Requirement for Indian Companies
Indian enterprises increasingly require ISO 27001 certification as a vendor prerequisite before signing contracts. Sectors under regulatory scrutiny — banking, fintech, healthcare, and defence supply chains — either demand it outright or use it as a shortlisting criterion. Beyond procurement, the Digital Personal Data Protection Act (DPDP) 2023 expects organisations to implement "reasonable security safeguards," and an ISO 27001-certified ISMS is the most defensible evidence that your organisation meets that standard. The DPDP compliance page covers how the two frameworks align.
Certification is also a forcing function. Startups that go through the ISO 27001 process discover configuration drift, undocumented access privileges, and asset inventories that nobody maintained. The audit is uncomfortable precisely because it is thorough — and that thoroughness is the point.
The cost of a single breach now exceeds the total investment most startups would spend on a fully certified ISMS. The ROI case is not complicated.
What Changed from ISO 27001:2013 to 2022
The 2022 revision reorganised the standard significantly. Annex A collapsed 14 security domains and 114 controls into 4 themes and 93 controls. Nothing was dropped from a security standpoint — controls were consolidated — and 11 new controls were added to address modern threats, including threat intelligence, cloud service security, data masking, web filtering, and secure coding.
| Theme | Controls | Representative Areas |
|---|---|---|
| Organizational | 37 | Information security policies, supplier relationships, incident management, business continuity |
| People | 8 | Personnel screening, training, remote work security, disciplinary process |
| Physical | 14 | Physical entry controls, equipment maintenance, clean desk, secure disposal |
| Technological | 34 | Endpoint protection, web filtering, data masking, threat intelligence, vulnerability management |
The Six-Phase ISO 27001 Certification Roadmap for India
Phase 1 — Gap Assessment
A gap assessment maps your current security controls against ISO 27001:2022 Annex A. The output is a prioritised list of missing or incomplete controls, estimated remediation effort, and a realistic timeline to readiness. This phase typically takes two to four weeks. Do not skip it — teams that jump straight to documentation consistently underestimate scope and stall mid-project when implementation takes far longer than planned.
Run a free VAPT scan as a productive companion to your gap assessment — it gives you empirical data on your technical exposure before you begin designing your ISMS, and the findings feed directly into your risk register.
Phase 2 — Risk Assessment and Treatment
ISO 27001 is risk-based. You must identify your information assets, assess threats and vulnerabilities against each, assign likelihood and impact scores, and produce a risk register. The risk treatment plan then documents your decision for each identified risk: mitigate, accept, transfer, or avoid.
The risk methodology does not have to be complex, but it must be consistent and documented. Choose a scoring scale, apply it uniformly across all assets, and maintain version history so auditors can see the register evolving over time.
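As an added illustration (not part of the original guide), the register below applies one scoring scale to every asset, restricts treatment decisions to the four options named above, and keeps a version history of every change so an auditor can see how the register evolved. The 1-5 scale, the likelihood-times-impact formula and the sample risks are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)  # assumed 1-5 scale, applied uniformly to every asset
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}  # the four decisions the text names

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    owner: Optional[str] = None

    @property
    def score(self) -> int:
        # Same formula for every asset so scores stay comparable across the register.
        return self.likelihood * self.impact

class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict = {}
        self.history: list = []  # (version, risk id, change): the audit trail of the register
        self.version = 0

    def _record(self, risk_id: str, change: str) -> None:
        self.version += 1
        self.history.append((self.version, risk_id, change))

    def add(self, risk_id: str, asset: str, threat: str, likelihood: int, impact: int) -> None:
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError("likelihood and impact must use the register's 1-5 scale")
        self.risks[risk_id] = Risk(asset, threat, likelihood, impact)
        self._record(risk_id, f"added L={likelihood} I={impact}")

    def treat(self, risk_id: str, treatment: str, owner: str) -> None:
        if treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
        self.risks[risk_id].treatment = treatment
        self.risks[risk_id].owner = owner
        self._record(risk_id, f"treatment={treatment} owner={owner}")

    def untreated(self) -> list:
        # Every identified risk needs a documented decision before the treatment plan is complete.
        return sorted(rid for rid, r in self.risks.items() if r.treatment is None)

    def ranked(self) -> list:
        return sorted(((rid, r.score) for rid, r in self.risks.items()), key=lambda x: (-x[1], x[0]))

def build_sample_register() -> RiskRegister:
    # Constructed sample entries for a small SaaS startup; not real findings.
    reg = RiskRegister()
    reg.add("R-01", "Customer database", "Credential theft via phished admin account", 3, 5)
    reg.add("R-02", "Laptop fleet", "Device loss with unencrypted disk", 4, 3)
    reg.add("R-03", "Office Wi-Fi", "Guest network reaching internal hosts", 2, 2)
    reg.treat("R-01", "mitigate", "CTO")
    reg.treat("R-02", "transfer", "Ops lead")  # e.g. covered by cyber insurance
    return reg
```

`untreated()` is the check to run before the treatment plan is signed off: anything it returns still lacks a decision.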
Phase 3 — ISMS Design and Documentation
Clauses 6 through 10 of ISO 27001 require a specific set of documented information. The mandatory documents include:
- Information Security Policy
- Risk Assessment and Risk Treatment methodology
- Statement of Applicability — lists all 93 Annex A controls with justification for inclusion or exclusion
- Risk Treatment Plan with control implementation status
- Information Security Objectives
- Competence and training records
- Operational planning and control procedures
- Internal audit programme and audit reports
- Management review records
- Nonconformity and corrective action records
Phase 4 — Controls Implementation
Once your SoA is approved, you implement the controls you have committed to. For Indian startups, the controls that typically require the most effort are:
- Access control reviews and privilege lifecycle management (A.5.18, A.8.2, A.8.3)
- Supplier and third-party security management, including cloud providers (A.5.19 to A.5.23)
- Incident response procedures with tested runbooks and defined escalation paths (A.5.24 to A.5.28)
- Vulnerability management and documented patch cadence (A.8.8)
- Secure development lifecycle practices if you ship software (A.8.25 to A.8.31)
- Threat intelligence integration — one of the 11 new controls in 2022 (A.5.7)
Phase 5 — Internal Audit and Management Review
Before inviting an external auditor, you must complete at least one full internal audit cycle. Internal audit is not self-assessment — it must be performed by someone independent of the area being audited. Findings are documented as conformities, observations, or nonconformities. Nonconformities require root-cause analysis and documented corrective actions with target closure dates.
The management review follows the internal audit. Senior leadership — including the founder or CTO — formally reviews ISMS performance, audit results, risk register status, and security objectives. This session must be minuted. Auditors check that management is genuinely engaged, not just signing a document.
Phase 6 — External Certification Audit
External audits are conducted by accredited certification bodies. The audit runs in two stages.
Stage 1 — Document Review: The auditor reviews your ISMS documentation: policies, SoA, risk register, internal audit records, and management review minutes. This is typically one to two days on-site or remote. The auditor confirms your ISMS is sufficiently designed and that a Stage 2 audit is appropriate. Observations raised at Stage 1 should be addressed before Stage 2 begins.
Stage 2 — Certification Audit: The auditor verifies that your documented ISMS is actually operational. They interview staff at multiple levels, observe processes in practice, sample evidence for each applicable Annex A control, and check that your monitoring and measurement activities are producing usable data. Nonconformities found at Stage 2 — classified as major or minor — must be closed with evidence before the certificate is issued. Major nonconformities require a follow-up visit; minor nonconformities can usually be closed by submitting evidence remotely.
Maintaining ISO 27001 Certification: What Indian SMBs Must Know
Certification is valid for three years, with annual surveillance audits in years one and two. Each surveillance audit checks that the ISMS remains operational, that previously identified nonconformities are closed, and that continual improvement activity is occurring. A recertification audit in year three restarts the three-year cycle.
The most common reason organisations lose certification is treating the ISMS as a project rather than an operating process. After the certificate arrives, some teams stop updating the risk register, let training records lapse, and skip internal audits. Surveillance auditors arrive the following year and find an ISMS that exists on paper but has not been maintained in practice. Suspension of certification follows.
Build ISMS maintenance into your regular operating calendar — quarterly risk register reviews, annual training refreshes, and scheduled internal audit cycles — rather than treating each surveillance audit as a scramble to reconstruct evidence.
ISO 27001 and India's Regulatory Landscape
ISO 27001 aligns well with India's evolving security requirements across multiple sectors. CERT-In's guidelines at cert-in.org.in expect organisations to maintain documented security frameworks with tested incident response capabilities — an operational ISMS directly satisfies this expectation. The Data Security Council of India (dsci.in) recognises ISO 27001 as a foundational standard in its security maturity assessment frameworks for Indian industry.
For fintech startups under RBI's IT Framework and healthcare companies preparing for DPDP compliance obligations, an ISO 27001 ISMS provides the governance backbone that sector-specific requirements build on. Bachao.AI, built by Dhisattva AI Pvt Ltd (a DPIIT Recognized Startup), provides automated VAPT scanning that generates the technical vulnerability evidence certification auditors specifically require under Annex A's vulnerability management and monitoring controls.
If your organisation is also preparing for DPDP compliance, the DPDP compliance page explains how an ISMS maps to the Act's data protection and accountability obligations — the two frameworks are complementary, not duplicative.