ISO 27001 is the international standard for Information Security Management Systems (ISMS). For Indian enterprises, it has moved from a "nice to have" credential to a commercial and regulatory necessity: it is required by government procurement, enterprise vendor onboarding, and increasingly by RBI-regulated entities' third-party risk programmes.
This guide covers everything you need to know: what ISO 27001 actually requires, how the certification process works in India, what it costs, and whether your organisation needs it now.
ISO 27001 (formally ISO/IEC 27001:2022) is a globally recognised standard published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System.
Unlike a checklist or a point-in-time audit, ISO 27001 is a systematic approach to managing sensitive information so that it remains secure. The standard covers people, processes, and technology, not just firewalls and antivirus.
The Management System (Clauses 4–10): ISO 27001 requires your organisation to:
Annex A Controls: ISO 27001:2022 includes 93 security controls across 4 themes:
Your organisation must document a Statement of Applicability (SoA) that lists which controls apply and justifies exclusions.
Central and state government procurement increasingly requires ISO 27001 for IT vendors and system integrators. PSUs, defence contractors, and large enterprise clients are adding ISO 27001 to vendor qualification requirements.
RBI's IT Framework for Banks and SEBI's Cyber Security and Cyber Resilience Framework both align with ISO 27001 controls. Many NBFCs and financial services companies obtain ISO 27001 as evidence of control compliance.
CERT-In's 2022 directive on cybersecurity incident reporting places obligations on "service providers, intermediaries, data centres, body corporates and government organisations." ISO 27001 provides the governance framework to meet these obligations systematically.
India's Digital Personal Data Protection Act 2023 will require organisations that process personal data to implement appropriate technical and organisational security measures. ISO 27001 is the most robust framework for demonstrating compliance.
Major Indian enterprises in BFSI, healthcare, and manufacturing now include ISO 27001 in vendor security questionnaires. Without it, you may be disqualified from procurement processes or subject to lengthy security reviews.
The honest answer: 12–20 weeks for most organisations, depending on your current security maturity.
Here is a typical timeline:
| Phase | Duration |
|---|---|
| Gap Assessment | 1–2 weeks |
| ISMS Design (policies, risk register, SoA) | 3–5 weeks |
| Implementation (rolling out controls) | 4–8 weeks |
| Internal Audit | 1–2 weeks |
| Stage 1 Audit (documentation review) | 1 week |
| Corrective actions | 1–2 weeks |
| Stage 2 Audit (implementation review) | 1–2 weeks |
| Certificate issued | Within 2 weeks of passing Stage 2 |
Crewtec's structured programme compresses this to 12–16 weeks by parallelising phases and providing pre-built policy templates that are customised for your organisation rather than written from scratch.
Total ISO 27001 certification cost has two components:
1. Consulting fees (₹4–12 lakhs): depends on organisation size, complexity, and current maturity. A 100-person IT services company with a reasonable security baseline will cost less than a 500-person manufacturing group with ICS/OT systems.
2. Certification body fees (₹1.5–4 lakhs): paid to the accredited certification body (BSI, Bureau Veritas, TÜV SÜD, SGS, etc.) that conducts the Stage 1 and Stage 2 audits. Annual surveillance audit fees apply after certification.
Annual maintenance: ISO 27001 requires annual surveillance audits (years 1 and 2) and a full recertification audit every 3 years. Budget ₹1–2 lakhs per year for surveillance audits and ongoing ISMS maintenance support.
Crewtec provides fixed-price quotes after the initial gap assessment, so you know the total consulting cost before you commit.
An ISO 27001 Lead Auditor benchmarks your current state against ISO 27001:2022 requirements and Annex A controls. The output is a risk-scored gap report that identifies what needs to be built, what can be adapted, and what can be excluded.
Design and document the ISMS foundations:
Roll out controls across the organisation: technical controls (access management, encryption, patch management), physical controls (server room security, visitor logs), and people controls (background verification, security training). This is the longest phase and where most organisations need the most support.
A pre-certification internal audit by a qualified auditor, essentially a dry run of the Stage 2 audit. It identifies remaining gaps and gives you the opportunity to correct them before the external certification body arrives.
The certification body reviews your ISMS documentation: policies, risk register, SoA, and supporting records. This is typically conducted remotely and takes 1–2 days. Any observations are documented and must be addressed before Stage 2.
The certification body's auditors conduct an on-site review to verify that the controls documented in your ISMS are actually implemented. This involves interviewing staff, reviewing logs, and testing controls. Duration: 1–5 days depending on scope.
If Stage 2 passes (with any minor non-conformities addressed), the certification body issues your ISO 27001:2022 certificate, typically valid for 3 years subject to annual surveillance audits.
This is one of the most common questions we get. The short answer:
Choose ISO 27001 if:
Choose SOC 2 if:
Many Indian companies that serve both markets pursue ISO 27001 first (broader recognition), then add SOC 2 Type II (the controls overlap significantly, so the incremental effort is lower than doing SOC 2 from scratch).
You probably need ISO 27001 now if:
You should plan for ISO 27001 in 12β18 months if:
You may be able to wait if:
The best starting point is a Cybersecurity Gap Assessment, a 2-week exercise that benchmarks your current security controls against ISO 27001:2022 requirements and tells you exactly how far you are from certification, what it will cost, and how long it will take.
Crewtec offers a free 30-minute consultation before the assessment so you can ask questions and understand what the process involves before committing.
Crewtec is a Bangalore-based cybersecurity consultancy. Our ISO 27001 Lead Auditors have delivered 100+ certifications for Indian enterprises across BFSI, healthcare, IT, manufacturing, and retail. Book a free consultation.