20 June 2026·9 min read·compliance

ISO 27001:2022 for Indian Startups: How to Get Certified

ISO 27001:2022 brings 93 controls, 4 themes, and 11 new controls. The complete certification journey for Indian startups — gap assessment to certificate.

Bachao.AI Research Team

Cybersecurity Research

See if your business is DPDP Act compliant

Free scan · No credit card required

Check DPDP Compliance

Compliance risk for Indian SMBs

Non-compliance with the DPDP Act 2023 carries penalties up to ₹250 crore. This post explains what's at stake and what action to take.

Bachao.AI Research Team

Cybersecurity Research

AI-powered security research and threat intelligence from the Bachao.AI team. Covering the latest vulnerabilities, CVEs, and cybersecurity developments affecting Indian businesses.

Get cybersecurity insights for Indian SMBs

Weekly vulnerability alerts, DPDP compliance tips, and security guides. No spam — unsubscribe anytime.

We respect your privacy. Your email is never shared.

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.

Run a free VAPT scan and get your risk score in minutes — no credit card required.

Book Your Free Scan

ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS). For Indian startups, it is no longer a nice-to-have — enterprise customers, government tenders, and DPDP Act compliance all increasingly expect it. The 2022 revision reduced the control count from 114 to 93, reorganised them into four themes, and added 11 new controls targeting modern threats: cloud security, threat intelligence, data masking, and more. This guide explains what changed, what the certification journey looks like, and what it realistically costs a startup in time and effort.

93Total controls in ISO 27001:2022 — down from 114 in 2013 (ISO.org 2022)

11New controls introduced in the 2022 revision covering cloud, threat intel, and data masking (ISO.org 2022)

What Changed in the 2022 Revision

The International Organization for Standardization published ISO/IEC 27001:2022 in October 2022. The previous version (ISO 27001:2013) had 114 controls across 14 clauses. The 2022 revision restructured Annex A into four themes and trimmed overlapping controls. No controls were deleted entirely — most were merged or consolidated.

The Four Control Themes

Theme	Controls	What It Covers
Organisational	37	Policies, roles, supplier management, threat intelligence
People	8	Screening, training, remote working, responsibilities
Physical	14	Physical security, equipment, media handling
Technological	34	Access control, cryptography, cloud security, data masking, SIEM, vulnerability management

The 11 New Controls

These are brand-new additions with no direct 2013 equivalent:

New Control	Ref	Why It Matters
Threat intelligence	5.7	Collect and act on threat data proactively
Information security for cloud services	5.23	Explicit cloud governance — critical for SaaS
ICT readiness for business continuity	5.30	Formalises DR at the technology layer
Physical security monitoring	7.4	CCTV, alarms, perimeter controls
Configuration management	8.9	Baseline configs for systems and software
Information deletion	8.10	Secure erasure procedures — aligns with DPDP data minimisation
Data masking	8.11	Mask PII in non-production environments
Data leakage prevention	8.12	DLP tooling and processes
Monitoring activities	8.16	Anomaly detection and SIEM use
Web filtering	8.23	Control outbound web access
Secure coding	8.28	Integrate security into software development

ℹ️

INFO

Existing ISO 27001:2013 certified organisations had until 31 October 2025 to transition to the 2022 standard. If you are starting fresh today, you certify directly against ISO 27001:2022.

Why Indian Startups Need It Now

Enterprise Sales Gating

Large Indian enterprises — banks, insurance companies, PSUs, large tech firms — now include ISO 27001 certification as a mandatory vendor checkbox in procurement. Without it, your startup is filtered out before a demo.

DPDP Act 2023 Alignment

India's Digital Personal Data Protection Act 2023 mandates that Data Fiduciaries implement "reasonable security safeguards." ISO 27001's ISMS framework is widely accepted as the de facto evidence of such safeguards. The standard's new data masking (8.11) and information deletion (8.10) controls map directly to DPDP's data minimisation and erasure principles. For a deeper look at DPDP obligations, see our DPDP compliance guide.

Government Tenders and CERT-In Alignment

Central and state government tenders for IT services increasingly reference ISO 27001. CERT-In's empanelment criteria for security auditors also treat ISO 27001 as a prerequisite capability signal.

⚠️

WARNING

ISO 27001 certification does not by itself satisfy the CERT-In audit requirement for regulated sectors. Audits in banking, insurance, and critical infrastructure must be conducted with a CERT-In empanelled partner. ISO 27001 and CERT-In empanelled audits are complementary, not interchangeable.

The Certification Journey

graph TD
    A[Gap Assessment] --> B[ISMS Design]
    B --> C[Risk Assessment and Treatment Plan]
    C --> D[Control Implementation]
    D --> E[Internal Audit]
    E --> F{Findings?}
    F -- Yes --> G[Remediation]
    G --> E
    F -- No --> H[Stage 1 Audit — Documentation Review]
    H --> I{Pass?}
    I -- No --> J[Close Nonconformities]
    J --> H
    I -- Yes --> K[Stage 2 Audit — On-site or Remote]
    K --> L{Major NCs?}
    L -- Yes --> M[Corrective Action Plan]
    M --> K
    L -- No --> N[Certificate Issued]
    N --> O[Surveillance Audit Year 1]
    O --> P[Surveillance Audit Year 2]
    P --> Q[Recertification Audit Year 3]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style L fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style M fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style N fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style O fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style P fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style Q fill:#1e3d2f,stroke:#10B981,color:#e2e8f0

Phase 1 — Gap Assessment (2–4 weeks)

Before writing a single policy, map your current state against all 93 Annex A controls and the 10 clauses of the main standard. Most early-stage startups find they have informal practices that partially cover 30–50% of controls. The gap assessment tells you exactly where to focus effort and prevents over-engineering.

Produce a gap assessment report with: scope definition, asset inventory, identified gaps, and a remediation roadmap.

Phase 2 — ISMS Design and Risk Assessment (4–8 weeks)

The ISMS is the management framework that governs how you identify, assess, and treat information security risks. Key outputs at this stage:

Information Security Policy — top-level commitment statement signed by leadership
Risk Assessment Methodology — how you score likelihood and impact
Statement of Applicability (SoA) — lists all 93 controls, marks which apply and why, and documents exclusions with justification
Risk Treatment Plan — maps each unacceptable risk to one or more controls

The SoA is the single most important document in an ISO 27001 audit. Auditors use it as their anchor.

Phase 3 — Control Implementation (6–16 weeks)

This is the engineering and process work. For a tech startup, the heaviest lifts are typically:

Access control reviews (IAM, least privilege, MFA everywhere)
Asset inventory (cloud resources, endpoints, SaaS tools, data stores)
Supplier/vendor assessment process
Incident response procedure with defined escalation paths
Secure development lifecycle documentation (links directly to new control 8.28)
Business continuity and DR runbooks

Phase 4 — Internal Audit (2–3 weeks)

Before the external certification audit, you must run an internal audit — a structured evidence-gathering exercise that checks whether implemented controls are actually working. Internal auditors must be independent of the areas they audit; for a small startup, this often means cross-team or external consultants.

Internal audits surface nonconformities early, when fixing them is cheap.

Phase 5 — Stage 1 Audit (1–2 days)

The accredited certification body (CB) reviews your documentation: ISMS scope, policies, SoA, risk register, risk treatment plan, and internal audit results. Stage 1 is a desktop review — the auditor is checking whether you are ready for Stage 2. Minor issues (observations) are common; major nonconformities at Stage 1 delay the Stage 2 date.

Phase 6 — Stage 2 Audit (1–3 days)

Stage 2 is the on-site (or remote) audit where the auditor samples evidence of actual control operation. They will interview staff, inspect configurations, review logs, and test that documented procedures match reality. A startup with 20–50 people typically completes Stage 2 in one to two days.

Findings are classified as:

Observations — informational, no action required
Minor nonconformities — must be closed within 90 days, no delay to certificate
Major nonconformities — certificate withheld until the root cause is evidenced as fixed

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

Realistic Timeline and Effort for a Startup

Stage	Calendar Time	Internal Effort
Gap assessment	2–4 weeks	40–80 person-hours
ISMS design + risk assessment	4–8 weeks	80–160 person-hours
Control implementation	6–16 weeks	120–300 person-hours
Internal audit	2–3 weeks	30–60 person-hours
Stage 1 and Stage 2 audits	2–4 weeks	20–40 person-hours
Total	4–8 months	290–640 person-hours

A startup with an existing security posture (access controls, incident response basics, some documentation) lands at the lower end. A startup starting from scratch lands at the upper end. The certificate is valid for three years, with surveillance audits in years one and two.

The 2022 Control Themes — Distribution at a Glance

pie title ISO 27001:2022 — Controls by Theme
    "Organisational (37)" : 37
    "Technological (34)" : 34
    "Physical (14)" : 14
    "People (8)" : 8

The heavy weighting toward Organisational and Technological controls reflects the reality of modern threats: policy gaps and technology misconfigurations cause far more incidents than physical breaches or untrained staff.

How ISO 27001 Complements DPDP

The DPDP Act 2023 requires Data Fiduciaries to "implement appropriate technical and organisational measures" to protect personal data. ISO 27001 provides exactly that framework, with documented evidence. Specific overlaps:

Data masking (8.11) → DPDP data minimisation in non-production environments
Information deletion (8.10) → DPDP erasure and right-to-be-forgotten obligations
Supplier management controls (5.19–5.22) → DPDP Data Processor agreements and third-party due diligence
Incident response (5.26, 5.28) → DPDP breach notification obligations
Access control (8.2–8.6) → DPDP purpose limitation and need-to-know access

An organisation with a mature ISO 27001 ISMS can satisfy most DPDP "reasonable security safeguards" requirements without building a parallel compliance programme.

💡

TIP

If you are pursuing both ISO 27001 and DPDP compliance, run them as a single integrated programme with one risk register, one asset inventory, and one set of policies. Maintaining two separate programmes doubles the documentation burden with minimal additional assurance.

Where Technical Security Fits In

ISO 27001 is a management-system standard — it defines what you must do, not how. Technical controls like vulnerability management (8.8), penetration testing (5.36), and secure coding (8.28) are required by the standard, but the evidence of implementation comes from your actual security tooling and testing results.

This is where automated vulnerability scanning becomes evidence, not just a tool. Running periodic automated VAPT against your infrastructure and applications — and being able to show the auditor your scan results, remediation history, and re-test outcomes — directly satisfies control 8.8 (management of technical vulnerabilities). Bachao.AI provides automated VAPT that generates audit-ready reports suitable for ISO 27001 evidence packages. You can start with a free VAPT scan to establish your current vulnerability baseline.

🛡️

SECURITY

Penetration testing is referenced in ISO 27001 under organisational control 5.36 — "Conformance with information security policies, rules, and standards." Auditors increasingly ask for evidence of periodic penetration testing, not just a policy stating it is done. Test results, remediation tickets, and re-test confirmations are the evidence that satisfies this control.

🎯Key Takeaway

ISO 27001:2022 is the most practical route to enterprise trust for Indian startups. The 2022 revision — with 93 controls across four themes and 11 new controls addressing cloud, threat intelligence, and data privacy — aligns more closely with real-world startup risk than the 2013 version ever did. Budget four to eight months, assign an internal owner, run your gap assessment first, and treat DPDP compliance as integrated work rather than a separate track.

Choosing a Certification Body

Accreditation matters. Your certification body must be accredited by a member of the International Accreditation Forum (IAF). In India, the National Accreditation Board for Certification Bodies (NABCB) accredits CBs. Well-regarded accredited CBs operating in India include Bureau Veritas, BSI Group, TÜV SÜD, and SGS. Verify NABCB accreditation before signing any engagement.

Reference: ISO/IEC 27001:2022 official page — iso.org | NABCB accredited certification bodies — nabcb.qci.org.in

Frequently Asked Questions

What is the difference between ISO 27001:2013 and ISO 27001:2022?

The 2022 revision restructured Annex A from 114 controls across 14 clauses into 93 controls across four themes — Organisational, People, Physical, and Technological. Eleven new controls were added covering cloud security, threat intelligence, data masking, data leakage prevention, secure coding, and more. The core clauses 4–10 of the main standard saw minor updates, with a new clause 6.3 on planning changes.

How long does ISO 27001 certification take for an Indian startup?

Realistically, four to eight months from gap assessment to certificate issuance. A startup with some existing controls and documentation can compress this to four to five months. Starting from scratch with no policies or asset inventory typically takes six to eight months.

Is ISO 27001 mandatory for Indian companies?

It is not legally mandated for most sectors. However, it is effectively mandatory for winning enterprise contracts, government tenders, and export clients — and it provides the clearest documented evidence of "reasonable security safeguards" as required by the DPDP Act 2023.

Can a startup self-certify against ISO 27001?

No. ISO 27001 certification requires an audit by an accredited third-party certification body. You can self-assess and implement the ISMS, but the certificate is only issued by an accredited CB. Self-declaration against ISO 27001 has no commercial or legal standing.

How does ISO 27001 relate to CERT-In requirements in India?

They are distinct frameworks. ISO 27001 is an international management-system standard. CERT-In empanelment is a government qualification for security audit firms. Many regulated sectors (banking, insurance, government IT) require vulnerability assessments and penetration tests conducted by CERT-In empanelled firms, regardless of whether the client organisation holds ISO 27001. The two complement each other — ISO 27001 governs your internal ISMS; a CERT-In empanelled partner delivers the mandated technical audit. Dhisattva AI Pvt Ltd works with CERT-In empanelled partners to deliver such audits when required.

What is the Statement of Applicability in ISO 27001?

The SoA is a required document that lists all 93 Annex A controls, states whether each is applicable to your organisation, provides justification for any exclusions, and references the evidence of implementation for applicable controls. It is the primary document auditors use during both Stage 1 and Stage 2 audits. Every ISO 27001 certification programme must produce and maintain an up-to-date SoA.