
ISO 27001: Information Security Management

ISO 27001 is the international standard for Information Security Management Systems, revised in 2022 with controls grouped into Organisational, People, Physical, and Technological themes. Indian businesses pursue ISO 27001 certification to demonstrate reasonable security safeguards under the Digital Personal Data Protection Act, 2023, qualify for enterprise procurement filters, and reduce cyber-insurance costs. Certification is issued by accredited bodies after Stage 1 documentation review and Stage 2 implementation audit, with surveillance audits annually and recertification every three years.

Priyanka Wadhera
Published: 6 Sept 2024
Updated: 23 May 2026
13 min read

ISO 27001 certification in 2026 helps Indian businesses meet DPDP Act standards, win enterprise contracts, and reduce cyber risk. Implementation roadmap inside.

ISO 27001: Information Security Management

ISO 27001:2022 is the international standard that turns information security from a set of good intentions into a documented, audited, and independently verified management system. For an Indian business in 2026, the question is no longer whether to pursue it — it is whether you can afford to lose enterprise bids, face Data Protection Board scrutiny, or pay inflated cyber-insurance premiums while you wait. This article gives you the complete picture: what the standard requires, how to implement it, what it costs, and exactly where it intersects with the Digital Personal Data Protection Act, 2023.


What ISO 27001 Actually Covers — and What It Does Not

ISO 27001 is published by the International Organization for Standardization and the International Electrotechnical Commission. The current, only certifiable version is ISO/IEC 27001:2022. The migration deadline for existing 2013 certificates expired in October 2025, so any certificate still referencing ISO 27001:2013 should have been withdrawn or renewed by now.

The standard has two distinct layers that you must understand before scoping your project.

Clauses 4–10 — the management system requirements. These are non-negotiable and apply to every certified organisation regardless of size, sector, or geography. They cover: understanding your organisation's context and interested parties; demonstrating top-management leadership and commitment; defining measurable security objectives; planning and operating controls; evaluating performance through monitoring, audit, and review; and driving continual improvement. You cannot exclude any of these clauses.

Annex A — the controls catalogue. This is a library of 93 controls, reorganised in the 2022 revision from the earlier 14-domain, 114-control structure into four themes. Each 2022 control also carries attribute tags (control type, information security property, cybersecurity concept, and so on) that are useful when mapping to other frameworks, but it is the four themes that structure the catalogue:

  • Organisational (37 controls): policies, roles and responsibilities, asset inventory, threat intelligence, supplier and cloud-service management, incident management, business continuity
  • People (8 controls): pre-employment screening, terms and conditions, awareness, training, disciplinary process, remote and hybrid working
  • Physical (14 controls): secure perimeters, entry controls, securing offices and server rooms, clear-desk and clear-screen practices, cabling security, equipment disposal
  • Technological (34 controls): privileged access, authentication, cryptography, network security, data masking, data leakage prevention, vulnerability management, backup, secure development, configuration management, web filtering, monitoring

You are not required to implement every control. You must implement the controls that your risk assessment identifies as necessary — and for every control you exclude, you must document a justification in the Statement of Applicability (SoA).


What the 2022 Revision Changed — and Why Your Documentation May Be Outdated

If your organisation is migrating from a 2013 certificate, or if you are relying on documentation drafted before 2023, you need to address these concrete changes before your next audit.

Eleven controls are entirely new in the 2022 edition. The ones most frequently missed by Indian organisations in transition are:

  • 5.7 — Threat intelligence: you must actively gather, analyse, and act on information about threats relevant to your assets and sector.
  • 5.23 — Information security for use of cloud services: this applies to any use of IaaS, PaaS, or SaaS — not only to running your own cloud infrastructure. If your entire workload runs on AWS Mumbai or Azure India Central, this control is applicable to your governance of that relationship.
  • 8.9 — Configuration management: formal configuration baselines, change control, and hardening standards for systems in scope.
  • 8.12 — Data leakage prevention: technical controls to detect and prevent unauthorised exfiltration of sensitive data.
  • 8.28 — Secure coding: applicable to any organisation that writes software, including in-house tools — not only software vendors.

If your SoA still references the old Annex A numbering (e.g., A.12.1.1, A.9.2.3), your documentation does not conform to the current standard. Expect auditors to raise this as a finding at Stage 1, before any control is tested.


Why 2026 Is the Inflection Point for Indian Businesses

Four structural forces have converged this year to move ISO 27001 from a marketing asset to a commercial prerequisite.

The DPDP Act, 2023 is operational. The Digital Personal Data Protection Act, 2023 requires every Data Fiduciary to implement reasonable security safeguards to prevent personal data breaches. The Act does not mandate ISO 27001 by name, but the Data Protection Board has the power to impose penalties of up to Rs. 250 crore where a security failure leads to a personal data breach. When the Board investigates, the first question is: what documented, tested, independently audited security framework did you operate under? A current ISO 27001 certificate is the most defensible answer available. Saying "we had a firewall and an antivirus" is not.

Enterprise procurement now uses it as a gate. BFSI companies, hospitals and health-tech platforms, central government PSUs, and NIC empanelment processes routinely list "valid ISO 27001 certificate issued by a certification body accredited by NABCB or another IAF MLA signatory" as a bid eligibility criterion, not a scoring criterion. You cannot compensate with a lower price or superior capability if you do not meet eligibility.

Cyber-insurance underwriters are repricing risk. After several high-profile Indian data breaches, underwriters have tightened their criteria. Organisations with a current ISO 27001 certificate, documented business continuity tests, and evidence of regular vulnerability assessments receive meaningful premium discounts — commonly in the range of 10–20% at renewal. For a mid-size company paying Rs. 10 lakhs annually in cyber-insurance, that is a Rs. 1–2 lakh saving every year for the life of the certificate.

RBI and SEBI frameworks align with it. RBI's Cyber Security Framework for banks and Urban Co-operative Banks, and SEBI's Cyber Security and Cyber Resilience Framework (CSCRF, updated in 2024), both require controls that map almost directly to ISO 27001:2022 Annex A. A single ISMS implementation creates documented evidence usable across multiple regulatory submissions — reducing the cost of compliance with each successive framework.


Your 8-Step ISMS Implementation Roadmap

Follow this sequence. Each step feeds the next; skipping or shortcutting any one creates gaps that surface as audit findings.

Step 1 — Define scope precisely. The scope statement must name the organisational units, physical locations, and systems included in the ISMS. "Our entire company" is rarely the right answer — it inflates audit cost and complexity. A well-defined scope for a B2B SaaS company might read: "The development, operation, and support of [Product Name] hosted on AWS Mumbai, from the registered office at [address]."

Step 2 — Conduct a gap assessment. Before building anything, assess where you stand against all of Clauses 4–10 and the 93 Annex A controls. A thorough gap assessment for a 100–200-person organisation takes 2–3 weeks and typically surfaces 50–80 gaps. This output becomes your project plan.

Step 3 — Build and execute a formal risk assessment. ISO 27001 requires a documented methodology (Clause 6.1.2). You must identify assets, identify threats and vulnerabilities for each, evaluate likelihood and impact using a consistent scale, calculate risk scores, and decide whether to treat, tolerate, transfer, or terminate each risk. A risk register with fewer than 30 entries for any technology company is almost certainly incomplete. Auditors will probe this.

Step 4 — Draft the Statement of Applicability. For all 93 Annex A controls, document: applicable (yes or no), the justification for that decision, whether it has been implemented, and a cross-reference to the policy or procedure that evidences implementation. The SoA must be version-controlled. More on this in the next section.

Step 5 — Draft and approve a policy hierarchy. You need: an overarching Information Security Policy signed by the MD or CEO, and supporting policies for access control, cryptography, acceptable use, clear-desk/clear-screen, mobile and remote working, supplier security, and incident management. Every policy must carry an owner name, an issue date, a review date, and an approval signature or digital record.

Step 6 — Implement controls and train staff. This is the longest phase — typically 3–6 months. Technical controls include: multi-factor authentication on all systems in scope, centralised log management, regular vulnerability scanning (at least quarterly), endpoint protection, encrypted backups with tested restoration, and network segmentation. Human controls include mandatory security awareness training with attendance records and, where feasible, phishing simulation exercises.

Step 7 — Complete internal audit and management review. Clause 9.2 requires an internal audit before you go to your certification body. Use an auditor who did not own the system they are auditing — independence is required. The management review (Clause 9.3) must be a formal session where top management reviews audit findings, security objectives, risk treatment status, and resource needs. Minutes signed by the MD or CEO are mandatory evidence.

Step 8 — Engage an accredited certification body. Stage 1 is a documentation review: the auditor checks your scope, SoA, risk assessment, and key policies. You will receive a report. Address every finding before Stage 2. Stage 2 is the implementation audit: auditors test whether your controls actually operate, not just whether they are documented. They will request log samples, ask staff awareness questions, check access review records, and inspect physical controls. Major non-conformities must be closed, with corrective action accepted by the auditor, before a certificate is issued; certification bodies typically allow around 90 days for this, so confirm the window in your engagement letter.
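As an added worked example (not the article's or any certification body's tool), here is a small Python risk register that applies the Step 3 method and produces the input Step 4 needs: each risk scores likelihood × impact on an assumed 1 to 5 scale, records a treat/tolerate/transfer/terminate decision, links "treat" decisions to Annex A control references, and reports the gaps an auditor would probe (a high risk with no decision, a "treat" with no control behind it). The acceptance threshold of 8, the "high" band at 15, and the sample assets, owners and control mappings are all constructed assumptions; substitute your own documented methodology.

```python
"""Toy risk register for an ISO 27001 Clause 6.1.2 risk assessment.

Added example, not the article's or any certification body's tool. The 5x5
likelihood/impact scale, the acceptance threshold of 8, the 'high' band at 15
and the sample assets, threats and control mappings are constructed
assumptions; use your own documented methodology and scales.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(str, Enum):
    TREAT = "treat"          # reduce the risk with one or more controls
    TOLERATE = "tolerate"    # accept it, with documented management sign-off
    TRANSFER = "transfer"    # e.g. insurance or contractual allocation
    TERMINATE = "terminate"  # stop the activity that creates the risk


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    owner: str
    treatment: Treatment | None = None
    controls: list[str] = field(default_factory=list)  # Annex A refs, e.g. "8.5"

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return "high" if self.score >= 15 else "medium" if self.score >= 8 else "low"


ACCEPTANCE_THRESHOLD = 8  # assumption: scores below this may be tolerated without escalation


def risk_treatment_findings(register: list[Risk]) -> list[str]:
    """Audit-style findings: risks at or above the threshold with no decision,
    'treat' decisions with no control reference, and tolerated risks above the
    threshold that need explicit management acceptance."""
    findings = []
    for r in register:
        if r.treatment is None and r.score >= ACCEPTANCE_THRESHOLD:
            findings.append(f"{r.risk_id}: score {r.score} ({r.level}) with no treatment decision")
        elif r.treatment == Treatment.TREAT and not r.controls:
            findings.append(f"{r.risk_id}: marked 'treat' but no Annex A control referenced")
        elif r.treatment == Treatment.TOLERATE and r.score >= ACCEPTANCE_THRESHOLD:
            findings.append(f"{r.risk_id}: tolerated above threshold; record management acceptance")
    return findings


def controls_required(register: list[Risk]) -> set[str]:
    """Annex A references the SoA must mark applicable because a 'treat'
    decision depends on them."""
    return {c for r in register if r.treatment == Treatment.TREAT for c in r.controls}


def build_sample_register() -> list[Risk]:
    """Constructed sample for a SaaS product hosted on a cloud provider."""
    return [
        Risk("R-001", "Customer database", "Credential stuffing on admin console",
             "No MFA on privileged accounts", 4, 5, "Head of Engineering",
             Treatment.TREAT, ["8.2", "8.5"]),
        Risk("R-002", "Production VMs", "Exploitation of unpatched service",
             "No patch SLA", 3, 4, "DevOps Lead", Treatment.TREAT, ["8.8"]),
        Risk("R-003", "Backups", "Ransomware encrypts backups",
             "Backups online and writable", 2, 5, "DevOps Lead", Treatment.TREAT, ["8.13"]),
        Risk("R-004", "Cloud hosting contract", "Provider outage",
             "Single region", 2, 3, "CTO", Treatment.TRANSFER),
        Risk("R-005", "Office Wi-Fi", "Guest network abuse",
             "Shared PSK", 2, 2, "IT Manager", Treatment.TOLERATE),
        Risk("R-006", "Source code", "Secrets committed to repository",
             "No pre-commit scanning", 4, 4, "Head of Engineering"),  # no decision yet
        Risk("R-007", "Payroll SaaS", "Vendor breach exposes employee PII",
             "No security annex in contract", 3, 4, "HR Lead", Treatment.TREAT),  # no control
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for line in risk_treatment_findings(reg):
        print("FINDING:", line)
    print("Controls the SoA must mark applicable:", sorted(controls_required(reg)))
```

Run as-is, the sample register raises two findings (R-006 has a high score and no decision; R-007 is "treat" with no control) and yields the control set {8.2, 8.5, 8.8, 8.13}, which is exactly the list that must appear as "applicable" in the Statement of Applicability in Step 4.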


The Statement of Applicability: Getting It Right

The SoA is the single document auditors scrutinise most closely in an ISO 27001 audit. It is also the document most frequently maintained badly.

A well-structured SoA for ISO 27001:2022 will have at least six columns for each of the 93 controls: control reference, control title, applicable (yes/no), justification for inclusion or exclusion, implementation status, and reference to the evidencing document or procedure.

The SoA must be updated whenever:

  • You add a new business unit, physical office, or country of operation to the ISMS scope
  • You onboard a new cloud service or change your primary hosting provider
  • You acquire another company and inherit its systems
  • A previously excluded control becomes relevant due to a new threat or a change in your business model
  • You identify a gap in the risk register that maps to a previously excluded control

The most common SoA mistake in Indian Stage 2 audits is marking cloud-service controls (5.23) as "not applicable" on the grounds that the company does not run its own data centre — when the entire product stack runs on a cloud provider. These controls govern your governance and contractual management of the cloud provider. If you use the cloud, they apply.

A second common error is marking data masking (8.11) and data leakage prevention (8.12) as excluded because "we are a small company." Both controls are directly relevant to DPDP Act obligations. Excluding them without a documented risk-based justification creates a dual exposure: an audit finding and a regulatory gap.
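The checks in this section can be mechanised before the auditor sees the document. The following Python linter is an added example, not the article's or any certification body's tool: it reads an SoA in an assumed six-column CSV layout (ref, title, applicable, justification, status, evidence), verifies that all 93 of the 2022 references are present and that none uses the 2013 "A.x.y.z" numbering, insists on a justification for every exclusion and an evidence reference for every control claimed as implemented, and flags 5.23 excluded while cloud services are in scope and 8.11/8.12 excluded while personal data is in scope. The sample SoA is constructed inline with a few deliberate errors; the two scope flags are assumptions you would set from your own scope statement.

```python
"""Lint a Statement of Applicability against the ISO/IEC 27001:2022 Annex A
structure.

Added example, not the article's or any certification body's tool. The
six-column CSV layout and the two scope flags are assumptions; the theme
sizes (37 + 8 + 14 + 34 = 93 controls) are from the standard.
"""
import csv
import io
import re

THEME_SIZES = {5: 37, 6: 8, 7: 14, 8: 34}  # Organisational, People, Physical, Technological
EXPECTED_REFS = {f"{t}.{i}" for t, n in THEME_SIZES.items() for i in range(1, n + 1)}
OLD_2013_REF = re.compile(r"^A\.\d{1,2}\.\d{1,2}\.\d{1,2}$")  # e.g. A.12.1.1, A.9.2.3
COLUMNS = ["ref", "title", "applicable", "justification", "status", "evidence"]


def _key(ref: str) -> tuple:
    """Sort '8.9' before '8.12' numerically rather than lexically."""
    return tuple(int(p) for p in ref.split("."))


def _is_applicable(rows: dict, ref: str) -> bool:
    row = rows.get(ref)
    return bool(row) and row["applicable"].strip().lower() == "yes"


def lint_soa(csv_text: str, uses_cloud_services: bool, processes_personal_data: bool) -> list:
    """Return audit-style findings for the SoA text; an empty list means clean."""
    findings = []
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ref = row["ref"].strip()
        if OLD_2013_REF.match(ref):
            findings.append(f"{ref}: 2013 Annex A numbering; the SoA must use 2022 references")
            continue
        ref = ref[2:] if ref.startswith("A.") else ref  # tolerate 'A.5.23' style for 2022 refs
        if ref not in EXPECTED_REFS:
            findings.append(f"{ref}: not an ISO/IEC 27001:2022 Annex A control reference")
            continue
        if ref in seen:
            findings.append(f"{ref}: duplicate row")
        seen[ref] = row
        applicable = row["applicable"].strip().lower() == "yes"
        if not row["justification"].strip():
            findings.append(f"{ref}: no justification for {'inclusion' if applicable else 'exclusion'}")
        if applicable and row["status"].strip().lower() == "implemented" and not row["evidence"].strip():
            findings.append(f"{ref}: claimed implemented but no evidence reference")
    missing = sorted(EXPECTED_REFS - set(seen), key=_key)
    if missing:
        findings.append(f"{len(missing)} of 93 controls missing from the SoA: {missing[:3]}")
    # The two exclusion patterns the text above calls out as common Stage 2 findings
    if uses_cloud_services and not _is_applicable(seen, "5.23"):
        findings.append("5.23 excluded while in-scope workloads run on a cloud provider")
    if processes_personal_data:
        for ref in ("8.11", "8.12"):
            if not _is_applicable(seen, ref):
                findings.append(f"{ref} excluded while personal data is in scope; justification must be risk-based")
    return findings


def build_sample_soa(with_errors: bool = True) -> str:
    """Constructed SoA covering all 93 controls; with_errors=True alters a few
    rows to show what the linter catches."""
    rows = {
        ref: [ref, f"Control {ref}", "yes", "Required by risk treatment plan", "implemented", f"POL-{ref}"]
        for ref in sorted(EXPECTED_REFS, key=_key)
    }
    extra = []
    if with_errors:
        rows["5.23"][2:4] = ["no", "We do not operate our own data centre"]  # the classic cloud mistake
        rows["8.12"][2:4] = ["no", ""]                                       # exclusion with no justification
        rows["8.9"][5] = ""                                                  # implemented, but no evidence
        del rows["8.28"]                                                     # control simply missing
        extra.append(["A.12.1.1", "Documented operating procedures", "yes", "legacy", "implemented", "OLD-DOC"])
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(COLUMNS)
    writer.writerows(list(rows.values()) + extra)
    return out.getvalue()


if __name__ == "__main__":
    for finding in lint_soa(build_sample_soa(), uses_cloud_services=True, processes_personal_data=True):
        print("FINDING:", finding)
```

On the constructed sample with both scope flags set, the linter reports six findings: 8.9 without evidence, 8.12 without a justification, the stray A.12.1.1 row, the missing 8.28, 5.23 excluded despite cloud hosting, and 8.12 excluded despite personal data in scope. Running it in CI against the version-controlled SoA turns the "update whenever" triggers listed above into a check that fails the build rather than a surveillance-audit finding.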


Worked Example: What Implementation Actually Costs for a 150-Person SaaS Company

Consider a Pune-based B2B SaaS company with 150 employees, scoped to its product hosted on AWS Mumbai and its registered office.

Cost Item | Indicative Range (Rs.)
Gap assessment and project management | 2,50,000 – 4,00,000
Policy drafting and SoA construction | 1,50,000 – 2,50,000
Technical controls (SIEM, DLP, MFA rollout, vulnerability scanner) | 3,00,000 – 8,00,000
Security awareness training platform (annual licence) | 60,000 – 1,20,000
Internal audit (independent auditor) | 80,000 – 1,50,000
Stage 1 + Stage 2 certification audit (NABCB-accredited body) | 2,00,000 – 3,50,000
Total first-year investment | 10,40,000 – 20,70,000
Annual surveillance audit (Year 2 and Year 3) | 1,20,000 – 2,00,000
Recertification audit (Year 3) | 2,00,000 – 3,00,000

Against this, run two calculations. First: a single enterprise contract that requires ISO 27001 and generates Rs. 50 lakh in annual recurring revenue pays back the entire three-year certification cycle many times over. Second: a data breach at a company of this size — including incident response, legal counsel, regulatory notification, and customer compensation — commonly runs to several crores. Certification is cheap insurance against both scenarios.

The hidden cost that most project plans omit: your internal resource. Implementing ISO 27001 properly requires one senior person — a CISO, IT manager, or compliance lead — spending roughly 50–60% of their time for six to nine months. At a fully-loaded monthly cost of Rs. 1,20,000, that is Rs. 3,60,000–6,48,000 in real opportunity cost that no consultant invoice will ever show you. Budget for it explicitly, or the project will stall.


DPDP Act and ISO 27001: Where They Overlap

The DPDP Act, 2023 and ISO 27001:2022 are not the same thing — but they address much of the same risk surface. Here is where a certified ISMS creates directly usable compliance evidence.

DPDP Act Obligation | Relevant ISO 27001:2022 Controls
Reasonable security safeguards to prevent breach | Entire Annex A; risk assessment under Clause 6.1.2
Personal data breach notification to Data Protection Board | 5.24 Incident management planning and preparation; 5.25 Assessment and decision on information security events; 5.26 Response to information security incidents
Security obligations in contracts with Data Processors | 5.19, 5.20, 5.21 Supplier and ICT supply chain security
Data retention and secure deletion | 8.10 Information deletion
Access control to personal data | 5.15, 5.16, 5.18, 8.2, 8.3 Identity and access management
Data minimisation and purpose limitation | 8.11 Data masking; 5.34 Privacy and protection of PII

A critical distinction: ISO 27001 certification does not satisfy your DPDP Act obligations on its own. You still need a compliant privacy notice, a consent mechanism for personal data collection, a grievance officer, and a data breach notification process calibrated to the timelines the Act and the rules made under it prescribe. What the ISMS gives you is the operational infrastructure that all of those legal obligations depend on: the access controls, the incident logs, the supplier contracts, the deletion procedures.


Common Mistakes That Fail Indian ISO 27001 Audits

These are the patterns that most consistently generate major non-conformities at Stage 2, based on the way the standard is audited in practice.

Treating the risk register as a one-time deliverable. Auditors will ask: when was the risk register last reviewed, who owns it, and what changed since your last review? If the answer is "a consultant built it 14 months ago," expect a major finding against Clause 6.1.2 and Clause 10.2 (continual improvement).

Undocumented scope expansion. You certified one office. You added a second office and onboarded a cloud-based payroll processor. Neither appears in the scope statement or the SoA. A surveillance audit will catch this — and the finding will be major because it means your certificate does not reflect what you actually do.

Access reviews that exist only in policy. Control 5.18 requires periodic review of access rights. The policy saying "access rights are reviewed every six months" is not evidence. The auditor needs the review logs, the tickets raised to revoke ex-employee access, the approval records, and the dates. If you cannot produce these for the last two review cycles, you have a finding.

Supplier agreements without security annexures. Control 5.20 requires that agreements with suppliers who access, process, or store your information assets contain specific security obligations. A standard non-disclosure agreement does not satisfy this. Your cloud provider, outsourced IT support firm, and payroll processor all need amended or supplemented agreements — and you need evidence that you assessed their security posture before onboarding them.

Choosing an unaccredited certification body. An ISO 27001 certificate issued by a certification body that is not accredited by NABCB (National Accreditation Board for Certification Bodies, India) or by another accreditation body that is a signatory to the International Accreditation Forum (IAF) multilateral arrangement will not be accepted by most BFSI or government buyers. Before signing an engagement letter, verify the body's accreditation scope on nabcb.in under the ISO/IEC 27001 scheme. The certificate you receive must carry the accreditation body's mark on its face, and for NABCB-accredited bodies the IAF MLA mark normally appears alongside it.

Thin management review minutes. Top management must personally review ISMS performance (Clause 9.3). A one-line email approval does not satisfy this requirement. Minutes must show that the MD or CEO specifically reviewed: audit findings and their status, risk treatment plan progress, security objective performance, resource adequacy, and any changes in context that affect the ISMS. Without this, the auditor will question whether top management is genuinely committed — which is a Clause 5.1 finding.


Key Takeaways

  • ISO 27001:2022 is the only certifiable version — documentation referencing the 2013 Annex A structure must be updated before your next audit or recertification.
  • The DPDP Act's reasonable security safeguards obligation makes your ISMS the primary evidence of legal due diligence; a penalty of up to Rs. 250 crore for security failures makes this non-negotiable for any entity handling personal data at scale.
  • The Statement of Applicability is a living document, not a one-time filing — update it whenever scope, systems, or risk materially changes, or face a major non-conformity at surveillance.
  • Budget Rs. 10–21 lakhs for first-year implementation in a mid-size organisation, plus roughly half of a senior person's time for six to nine months; that hidden internal resource cost is the item most project plans get wrong.
  • Access reviews, supplier security clauses, and management review minutes are the three areas where Indian organisations most consistently produce documentation that does not survive audit scrutiny.
  • NABCB or IAF accreditation of your certification body is non-negotiable — verify it on nabcb.in before signing, not after you receive the certificate.
  • ISO 27001 alone does not satisfy the DPDP Act — you still need privacy notices, consent mechanisms, and breach notification procedures, but a certified ISMS is the operational foundation that makes all of those legally defensible.

Frequently Asked Questions

Is ISO 27001 mandatory in India?
ISO 27001 is not statutorily mandatory but is often required by enterprise buyers, government tenders, and regulated sectors such as BFSI and healthcare. Under the DPDP Act, 2023, certification demonstrates reasonable security safeguards and helps reduce regulatory liability.
How long does ISO 27001 certification take?
Typical implementation takes 4 to 9 months depending on organisation size, existing maturity, and scope. Certification audits (Stage 1 and Stage 2) add 4 to 8 weeks. Plan for resource commitment from top management, IT, HR, and compliance throughout the cycle.
What changed in the 2022 revision of ISO 27001?
Annex A controls were reduced from 114 to 93 and reorganised into four themes: Organisational, People, Physical, and Technological. New controls cover threat intelligence, cloud security, ICT readiness for business continuity, secure coding, and data masking.
Who issues ISO 27001 certificates?
Accredited certification bodies recognised by NABCB in India or by other IAF-recognised accreditation bodies internationally. Always verify the body's accreditation status before engaging. Certificates from unaccredited bodies are not recognised by enterprise buyers.
How does ISO 27001 relate to the DPDP Act?
The DPDP Act, 2023 requires data fiduciaries to implement reasonable security safeguards. ISO 27001 certification is widely accepted as evidence of such safeguards. It does not, however, substitute the specific DPDP obligations around consent, breach notification, and data subject rights.
Content Reviewed By: Priyanka Wadhera

CA | POSH Consultant | Financial Advisor

"I help startups and mid-sized businesses scale by streamlining their tax advisory, POSH compliances, and virtual CFO systems with 100% precision."
