Crewtec is a Bangalore-based IT Security and GRC audit firm. We help Indian enterprises build governance frameworks, achieve ISO 27001 certification, govern AI, conduct VAPT, and meet regulatory compliance. ISO 27001 Lead Auditors; iValue Technology partner.
Governance, Security & Compliance (GRC) is the framework that ties together how your organisation makes security decisions, protects its systems, and meets regulatory obligations. Without GRC, security is reactive, compliance is a scramble, and audits are stressful.
Governance
Security strategy, AI governance, risk management, and CISO-level leadership.
Security
ISO 27001, penetration testing, gap assessments, and security training.
Compliance
DPDPA 2023, SOC 2 readiness, ISO 22301, RBI, SEBI, PCI-DSS compliance programmes.
Every service is built around answering a question your leadership, auditors, or clients are already asking.
AI Governance & ISO 42001
ISO 42001 AI Management System design, implementation, and audit readiness for Indian enterprises deploying AI.
Virtual CISO
Fractional Chief Information Security Officer service: strategy, board reporting, risk management, and compliance oversight on a monthly retainer.
Enterprise Risk Management
IT and information security risk programme design: risk registers, risk appetite frameworks, board reporting, and third-party risk management.
ISO 27001 Consulting
End-to-end ISO 27001 consulting: gap assessment, ISMS design, implementation, and certification audit support for Indian enterprises.
Cybersecurity Gap Assessment
Structured cybersecurity gap assessment against ISO 27001, NIST, or your regulatory framework, delivered in 2 weeks with a prioritised remediation roadmap.
Penetration Testing & VAPT
Vulnerability Assessment and Penetration Testing (VAPT) of web applications, APIs, networks, cloud, and mobile. CVSS-scored reports following OWASP and CERT-In published guidelines.
Security Awareness Training
Security awareness training, phishing simulations, and e-learning programmes, aligned with ISO 27001 Annex A and Indian regulatory requirements.
Cloud Security Assessment
Cloud security posture assessment for AWS, Azure, and GCP, covering misconfigurations, access controls, data exposure, and compliance against the CSA Cloud Controls Matrix.
Network Security Audit
Network infrastructure security audit: firewalls, routers, switches, wireless, and network architecture review against CERT-In Baseline Requirements and ISO 27001.
DPDPA 2023 Compliance
Digital Personal Data Protection Act 2023 readiness assessment, gap analysis, and compliance programme for Indian businesses processing personal data.
SOC 2 Readiness
SOC 2 Type II readiness for Indian IT and SaaS companies. We design and implement the controls, policies, and evidence trails that a US CPA firm needs to issue your SOC 2 report.
Business Continuity Management (ISO 22301)
ISO 22301 BCM programme design, BIA, business continuity planning, DR testing, and certification audit support for Indian enterprises.
Regulatory Compliance Consulting
Regulatory compliance consulting for Indian enterprises: RBI Cyber Security Framework, SEBI CSCRF, PCI DSS, CERT-In, and multi-framework compliance programmes.
Every Indian company deploying AI faces a question it cannot ignore much longer: who is accountable when the AI gets it wrong? DPDPA 2023 creates liability for automated decisions affecting personal data. RBI and SEBI are developing AI governance guidelines. Enterprise clients are adding AI risk to vendor questionnaires.
ISO/IEC 42001 is the international standard for AI Management Systems, published in December 2023. Crewtec helps you build an auditable AI governance framework before it becomes a regulatory requirement.
Does DPDPA 2023 regulate AI decisions?
Yes. DPDPA covers automated processing of personal data. If your AI makes decisions about individuals (credit, hiring, health), you need documented governance and impact assessments.
What is the difference between AI governance and cybersecurity?
Cybersecurity protects your systems from external threats. AI governance ensures your AI systems are used responsibly, with appropriate human oversight, bias controls, and transparency.
Who in India is building AI governance frameworks?
RBI, SEBI, and MeitY are all developing AI guidance. ISO 42001 gives you a framework that satisfies all of them and signals readiness to international clients.
Indian enterprises face multiple overlapping frameworks. Understanding which apply, and how they relate, is the first step to compliance.
ISO 27001: Information Security Management System, the global standard. Who it applies to: all enterprises seeking certification.
ISO 42001: AI Management System, covering governance, risk, and transparency. Who it applies to: all companies deploying AI.
DPDPA 2023: India's data protection law, covering consent, rights, and breach notification. Who it applies to: all companies processing Indian personal data.
RBI Cyber Security Framework: cybersecurity governance, SOC, VAPT, incident response. Who it applies to: banks, NBFCs, payment companies.
SEBI CSCRF: annual cyber audit, incident reporting, technical controls. Who it applies to: brokers, exchanges, mutual funds, depositories.
CERT-In directions: 6-hour incident reporting, log retention, NTP synchronisation. Who it applies to: IT service providers, data centres, intermediaries.
Compliance requirements and risk profiles differ by sector, and so does our approach.
Every engagement follows a structured process, so you always know what is happening and what comes next.
Understand
We start by mapping your regulatory requirements, business context, and risk appetite before recommending anything.
Assess
Structured assessment against your target framework: ISO 27001, DPDPA, RBI, or a custom baseline.
Build
Design and implement the governance frameworks, policies, controls, and evidence needed to close the gaps.
Sustain
Ongoing advisory, audit support, and monitoring, so compliance is a continuous programme, not a one-time project.
GRC stands for Governance, Risk, and Compliance. In cybersecurity, Governance covers who is accountable for security decisions; Risk covers how you identify and manage information security risks; and Compliance covers how you meet regulatory and contractual security obligations. Together, GRC provides a structured approach to managing cybersecurity across an organisation.
ISO 27001 is the standard for Information Security Management Systems: it governs how you protect information from unauthorised access, breach, and loss. ISO 42001 is the standard for AI Management Systems: it governs how you use artificial intelligence responsibly, with appropriate oversight, transparency, and risk controls. Companies deploying AI need both.
ISO 27001 is not legally mandatory for most Indian companies, but it is effectively required by the market. Government tenders, enterprise vendor onboarding, BFSI clients, and CERT-In empanelment all either require or strongly prefer it. For IT services companies selling to enterprise clients, ISO 27001 has become a commercial necessity.
The Digital Personal Data Protection Act 2023 is India's data protection law. It applies to every organisation that collects, processes, or stores personal data of Indian individuals, regardless of where the organisation is based. This includes Indian companies, multinationals with Indian customers, and companies that process data collected in India.
A comprehensive cybersecurity gap assessment typically takes 2 to 3 weeks from kickoff to final report. Smaller organisations or limited-scope assessments can be completed in 1 to 2 weeks. The output is a risk-scored gap report with a prioritised remediation roadmap.
VAPT (Vulnerability Assessment and Penetration Testing) is a structured security test that identifies and exploits vulnerabilities in your systems. CERT-In guidelines require annual VAPT for IT infrastructure operators. RBI mandates it for banks and NBFCs. ISO 27001 Annex A requires vulnerability management. Enterprise clients and cyber insurers ask for recent VAPT reports.
A Virtual CISO (vCISO) provides the same services as a full-time Chief Information Security Officer (security strategy, risk management, board reporting, compliance oversight, and incident response leadership) but on a part-time retainer rather than as a full-time employee. It is suited to organisations that need senior security leadership but cannot justify the cost of a full-time CISO.
All client engagements are covered by a mutual NDA signed before any work begins. Assessment findings, reports, and client system details are never shared with third parties. Crewtec's own information security practices are aligned with ISO 27001 principles.
Practical guides for security, compliance, and governance decision-makers.
A practical guide to enterprise website security, covering SSL, access controls, vulnerability management, and cybersecurity best practices for Indian businesses.
India's CERT-In released comprehensive cyber security audit policy guidelines on 25 July 2025. Here's what changed, what your organisation must do, and how to prepare.
Preparing for an ISO 27001 audit? This checklist covers what Stage 1 and Stage 2 auditors examine: documentation, controls, evidence, and common reasons certifications are delayed.
Book a free 30-minute consultation. We will review your regulatory obligations, identify the most urgent gaps, and recommend where to start, with no obligation.