Key Takeaways
- ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Certification is by an accredited certification body, not by ISO itself.
- Two-stage external audit: Stage 1 (documentation review), Stage 2 (implementation audit, typically 4 to 8 weeks later). Recertification every 3 years with annual surveillance.
- Realistic timeline for Indian SMBs is 4 to 9 months from kickoff to certificate; mid-size enterprises 6 to 12 months; large enterprises 9 to 18 months.
- Cost in India: ISMS implementation INR 8 to 30 lakh, certification body fees INR 3 to 8 lakh per audit cycle. Compare three accredited bodies before selecting.
- Common failure causes: scope poorly defined, risk assessment shallow, top management not engaged, internal audit skipped, evidence not retained, Statement of Applicability incomplete.
What ISO/IEC 27001:2022 Is
ISO/IEC 27001:2022 is the international standard that specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). The 2022 revision replaced the 2013 edition; organisations certified to the older edition had a 3-year transition window that closed on 31 October 2025, so 2013-edition certificates are no longer valid.
The standard has two parts. The main body (clauses 4 to 10) sets out ISMS requirements: context, leadership, planning, support, operation, performance evaluation, improvement. Annex A is a reference list of 93 security controls grouped into 4 themes (organisational, people, physical, technological).
Certification confirms that an accredited certification body has audited the ISMS and found it conformant. The certificate has 3-year validity with annual surveillance audits. Indian businesses pursue ISO 27001 mainly because customers and regulators expect it as evidence of security maturity.
Phase 1: Scope, Gap Assessment, Project Setup
Define the ISMS scope precisely: which legal entities, which locations, which products or services, which data classes. A tight scope is easier to certify and cheaper to maintain. A broad scope (entire organisation) is more impressive on the certificate but multiplies effort.
Run a gap assessment against the full standard (clauses 4-10 plus Annex A). The output is a list of gaps with owners and target dates. Most Indian organisations starting from a low base have 60 to 100 gaps; mature security programmes have 15 to 30.
Establish project governance: project sponsor (usually the CISO or designated executive), project manager, working group across IT, security, HR, legal, procurement, facilities. Senior management commitment is non-negotiable; an ISMS without it never certifies.
Phase 2: Risk Assessment and Treatment
ISO 27001 is risk-based. You define risk acceptance criteria, identify threats and vulnerabilities relevant to the scope, assign each risk an owner, calculate inherent risk, identify controls (from Annex A or elsewhere) that reduce it, calculate residual risk, and decide whether to accept, treat, transfer or avoid each risk. The risk owner, not the security team, approves the treatment plan and the residual risk.
The Statement of Applicability (SoA) lists every Annex A control with a status (applicable / not applicable), a justification for including or excluding it, and whether an included control is implemented. The SoA is the central document the auditor reviews: each included control should trace back to at least one risk or to a legal, contractual or business requirement, and each exclusion needs a reason the auditor can verify. An SoA that omits controls or carries blank or one-word justifications is the most common Stage 1 finding.
The Risk Treatment Plan lists the controls being implemented, owners, target dates and acceptance criteria. It connects risk assessment to operational delivery and is reviewed at management review meetings.
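The SoA check an auditor performs at Stage 1 is mechanical enough to script before the auditor arrives. The following is an added example, not code from the original page or from Codesecure. It assumes the SoA is exported as a CSV with the columns control_id, status, implemented and justification (an assumed layout, not one the standard prescribes), regenerates the 93 Annex A control identifiers from the four theme sizes, and reports the defects the page lists: missing controls, unknown or duplicate identifiers, invalid status values and weak justifications. The sample SoA, its deliberate defects and the 15-character "weak justification" threshold are constructed for the illustration.

```python
"""Statement of Applicability completeness check for ISO/IEC 27001:2022 Annex A.

Added example, not from the original page. The CSV layout, the sample rows and
the weak-justification threshold are assumptions made for this illustration.
"""
import csv
import io

# Annex A of ISO/IEC 27001:2022 numbers its 93 controls by theme:
# 5.1-5.37 organisational, 6.1-6.8 people, 7.1-7.14 physical, 8.1-8.34 technological.
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A_IDS = [f"A.{theme}.{n}"
               for theme, count in ANNEX_A_THEMES.items()
               for n in range(1, count + 1)]
ANNEX_A_ID_SET = frozenset(ANNEX_A_IDS)

VALID_STATUS = {"applicable", "not applicable"}
VALID_IMPLEMENTED = {"yes", "no", "partial"}
MIN_JUSTIFICATION_CHARS = 15   # assumed threshold: shorter text is flagged as weak


def check_soa(csv_text: str) -> dict:
    """Return the Stage 1 style findings for an SoA exported as CSV.

    Keys: missing (Annex A ids absent from the SoA), unknown (ids that are not
    Annex A controls), duplicate, bad_status, bad_implemented, weak_justification.
    An empty list under every key means the SoA is complete.
    """
    findings = {key: [] for key in ("missing", "unknown", "duplicate",
                                    "bad_status", "bad_implemented",
                                    "weak_justification")}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid not in ANNEX_A_ID_SET:
            findings["unknown"].append(cid)
            continue
        if cid in seen:
            findings["duplicate"].append(cid)
            continue
        seen.add(cid)
        if row["status"].strip().lower() not in VALID_STATUS:
            findings["bad_status"].append(cid)
        if row["implemented"].strip().lower() not in VALID_IMPLEMENTED:
            findings["bad_implemented"].append(cid)
        if len(row["justification"].strip()) < MIN_JUSTIFICATION_CHARS:
            findings["weak_justification"].append(cid)
    # Preserve Annex A order so the report reads like the SoA itself.
    findings["missing"] = [cid for cid in ANNEX_A_IDS if cid not in seen]
    return findings


def soa_is_complete(findings: dict) -> bool:
    """True only when no finding category has any entries."""
    return not any(findings.values())


def build_sample_soa(with_defects: bool = True) -> str:
    """Constructed sample SoA (not real data). With defects it omits A.8.12,
    blanks the justification for A.5.7, gives A.6.3 an invalid status,
    duplicates A.7.1 and adds the non-existent control A.9.1."""
    lines = ["control_id,status,implemented,justification"]
    for cid in ANNEX_A_IDS:
        status, implemented = "applicable", "yes"
        justification = "Required to treat risk R-17 in the risk register"
        if with_defects:
            if cid == "A.8.12":
                continue                      # control left out of the SoA
            if cid == "A.5.7":
                justification = ""            # blank justification
            if cid == "A.6.3":
                status = "TBD"                # not one of the two allowed values
        lines.append(f"{cid},{status},{implemented},{justification}")
    if with_defects:
        lines.append("A.7.1,applicable,yes,Second row for the same control")
        lines.append("A.9.1,applicable,yes,Not an Annex A control identifier")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = check_soa(build_sample_soa())
    for category, ids in report.items():
        print(f"{category:20s} {ids}")
    print("complete:", soa_is_complete(report))
```

Run it against the real SoA export before Stage 1; anything in the missing or weak_justification lists is exactly what the certification auditor will write up. The check says nothing about whether a justification is true, only whether one exists, so a risk owner still has to read each line.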
Phase 3: Control Implementation and Documentation
Implement the controls marked applicable in the SoA. Document the policies, procedures, work instructions and records the standard expects. Documented information the main body explicitly requires includes the ISMS scope, the information security policy, the risk assessment and risk treatment methodology, the risk assessment results, the SoA, the risk treatment plan, information security objectives, evidence of competence, the internal audit programme and results, management review minutes, and non-conformity and corrective action records.
Indian organisations often underestimate the documentation burden. The auditor expects records demonstrating that controls are operating, not just that policies exist. Examples: access review records, training attendance, supplier evaluation evidence, change management approval logs, incident records.
Phase 4: Internal Audit and Management Review
The standard requires internal audits at planned intervals, and certification bodies expect at least one full audit of the scope to have been completed before Stage 2. Internal auditors must be independent of the area they audit: the person who wrote the access control procedure cannot audit access control. Findings (non-conformities, observations, opportunities for improvement) are recorded, assigned owners and tracked to closure, and the closure evidence is itself sampled by the certification auditor.
Management review is a formal meeting (typically held twice in the first year) where leadership reviews ISMS performance, internal audit results, risk treatment progress, KPI trends and corrective actions. Minutes are evidence the auditor expects.
Phase 5: Stage 1 and Stage 2 External Audit
Stage 1 is a documentation and readiness review. The certification auditor checks that the ISMS is documented, the SoA is complete, internal audit and management review have happened, and key records exist. Stage 1 typically runs 1 to 3 days for SMBs.
Stage 2 is the implementation audit. Auditors interview staff, sample evidence, walk the controls, test that the documented system matches reality. Typically 3 to 10 days depending on scope. Non-conformities are raised as minor or major; major non-conformities must be closed before certification.
After successful Stage 2 (and closure of any major non-conformities), the certification body issues the certificate with 3-year validity. Surveillance audits at roughly 12 and 24 months verify the ISMS is being maintained. A recertification audit must be completed before the certificate expires at the end of year 3; passing it starts the next 3-year cycle, so schedule it several months ahead of the expiry date to leave room for closing findings.
Cost, Certification Bodies and Common Pitfalls
Indian-market pricing in 2026: implementation effort INR 8 to 30 lakh depending on organisation size (in-house effort plus consultant support); certification body fees INR 3 to 8 lakh per audit cycle for SMBs and small enterprises. Multi-site or multi-entity scopes increase fees proportionally.
Major accredited certification bodies operating in India: BSI, BV (Bureau Veritas), DNV, Intertek, LRQA, SGS, TÜV Rheinland, TÜV SÜD, plus several regional bodies. Compare at least three on price, accreditation, auditor expertise in your sector, and timeline availability. For accreditation, look for a body accredited by NABCB (India's national accreditation body), UKAS, IAS or another signatory to the IAF multilateral recognition arrangement; a certificate from an unaccredited body will not satisfy most customer due-diligence teams.
Common pitfalls: scope too broad early on, risk assessment treated as compliance paperwork, SoA missing controls or weak justifications, internal audit done by the same people who built the system, management review without executive attendance, evidence not retained.
Frequently Asked Questions
How long does ISO 27001 certification take?
Indian SMBs: 4 to 9 months. Mid-size enterprises: 6 to 12 months. Large enterprises with broad scope: 9 to 18 months. Pace is set by scope, current maturity, and how quickly senior management can act on remediation.
What does ISO 27001 cost?
Implementation effort INR 8 to 30 lakh including consultant support. Certification body fees INR 3 to 8 lakh per audit cycle. Surveillance audits are shorter than the initial Stage 2, so the annual fee is lower, but it recurs in each year of the cycle. The cost is small relative to one customer questionnaire failed for lack of certification.
Who can issue ISO 27001 certificates?
Only accredited certification bodies. ISO does not issue certificates directly. Major bodies operating in India include BSI, DNV, Bureau Veritas, Intertek, LRQA, SGS, TÜV Rheinland and TÜV SÜD. Verify the body's accreditation with NABCB, UKAS, IAS or another IAF MLA signatory for international recognition.
Do we need ISO 27001 or SOC 2?
Depends on customer geography. US-heavy customer base typically demands SOC 2 first. India, Europe, Middle East, Asia-Pacific typically lean to ISO 27001. Many mature SaaS companies achieve both. See our comparison blog for detail.
What is the difference between ISO 27001:2013 and 2022?
Annex A was restructured: 114 controls in 14 domains became 93 controls grouped into 4 themes (organisational, people, physical, technological), mostly by merging existing controls. Eleven controls are new, including threat intelligence, ICT readiness for business continuity, data masking, data leakage prevention, secure coding, configuration management and web filtering. The clause 4-10 management system requirements are broadly similar, with minor wording changes. The transition window for 2013-certified organisations closed on 31 October 2025.
Can Codesecure help with ISO 27001?
Yes. Codesecure delivers gap assessment, ISMS design, control implementation, internal audit and pre-certification audit for Indian organisations. ISO/IEC 27001:2022 certified delivery with named ISO 27001 Lead Auditor consultants.
Get To ISO 27001 Without Six Months Of Rework
Codesecure delivers ISO 27001:2022 programmes for Indian SMBs, fintechs, SaaS, healthcare and enterprise customers. Named LA consultants, fixed-price proposals, predictable timeline, free post-cert support window.