01What ISO 27001 is
- An ISMS standard — a system for managing security, not a checklist of controls
- Process-oriented: requires risk assessment, treatment plans, continuous improvement
- Annex A includes 93 reference controls (down from 114 in the 2013 version) you may select from
- Certifiable by accredited bodies (BSI, DNV, TUV, BSI India, etc.)
- 3-year cycle: initial certification audit, surveillance audits years 2 and 3, recertification at year 4
02Required documents
ISO 27001 requires specific documented information:
- ISMS scope statement — which parts of the org are in scope
- Information security policy
- Risk assessment methodology
- Risk assessment report
- Risk treatment plan
- Statement of Applicability (SoA) — for each Annex A control: applicable yes/no, justification, implementation status
- Internal audit programme
- Management review records
- Corrective action records
- Various procedure documents — incident response, access management, change management, etc.
03The 2022 control structure
Annex A controls in 27001:2022 are organized into 4 themes (down from 14 in 2013):
- Organisational (37 controls) — policies, roles, supplier relationships, threat intelligence
- People (8 controls) — screening, training, NDA, disciplinary process
- Physical (14 controls) — perimeters, equipment, secure disposal
- Technological (34 controls) — access management, crypto, logging, web filtering, secure coding
11 new controls added in 2022 reflect cloud + supply chain reality: Threat Intelligence (5.7), Information Security for Cloud Services (5.23), ICT Readiness for Business Continuity (5.30), Configuration Management (8.9), Web Filtering (8.23), Secure Coding (8.28), and others.
04Statement of Applicability
For every Annex A control, the SoA documents:
- Whether it applies (yes/no)
- Justification for the decision
- Implementation reference (which procedure / system delivers it)
- Implementation status (planned, partially implemented, fully implemented)
Auditors use the SoA as their map. A weak SoA — vague justifications, untraceable implementations — fails certification. A clean SoA accelerates audit dramatically.
05Implementation timeline
For a 50–200 employee Indian company with no prior ISMS:
- Months 1–2: scope, policy, governance setup. Form the steering committee
- Months 3–4: risk assessment methodology + initial assessment
- Months 5–7: control gap analysis; implement missing controls
- Months 8–9: internal audit and management review
- Months 10–11: Stage 1 audit (documentation review)
- Months 11–12: Stage 2 audit (operational verification)
- Month 12–13: certificate issued (pending CB internal review)
06Common gaps — Indian implementations
- Risk assessment depth. Auditors want detailed risk identification + treatment, not generic "data may be lost"
- Internal audit coverage. Must cover all Annex A controls applicable; many programmes only audit a subset
- Management review evidence. Quarterly meetings with documented inputs and outputs; agenda items prescribed by the standard
- Supplier security. Annex A controls 5.19–5.23 require structured third-party assessment; often done informally
- Incident response evidence. Auditors want to see real incidents handled per procedure, not just the procedure itself
- Asset inventory completeness. Information assets, not just IT — including people, processes, locations
07Choosing a certification body
Not all certification bodies (CBs) are equal. Considerations:
- Accreditation: ensure CB is accredited by an IAF-recognised body (NABCB in India)
- Sector experience: SaaS, banking, manufacturing — pick a CB that's audited your sector
- Auditor language: ensure auditors can communicate in English (or local language) with your team
- Timing: some CBs have 3-month booking lead times
- Cost: varies significantly by CB tier and org size
08What auditors actually check
Stage 1 — documentation review
- Scope statement is clear
- Policies exist, signed by top management
- SoA is complete and traceable
- Risk methodology is documented and applied
- Procedures referenced in SoA exist
Stage 2 — operational verification
- Sample of records — recent risk assessment, recent management review, recent incidents
- Interview control owners — do they know their control?
- Trace evidence for selected controls — pick a couple of access reviews, change tickets, and verify execution
- Walk through 2–3 procedures from start to finish
- Inspect physical security if in-scope
09Surveillance audits — keeping the certificate
Annual surveillance audits (lighter than the initial) catch drift. Common surveillance findings:
- Internal audit not completed on schedule
- Risk treatment plan not updated after a known incident
- Management review not held
- New systems brought into scope without ISMS update
- Asset inventory not updated for departures/new hires
"Major nonconformity" in a surveillance audit can trigger certificate suspension. Treat surveillance like a real audit.
10ISO 27001 vs SOC 2
- Selling primarily to US enterprises: SOC 2 first — often required by procurement
- Selling primarily to EU / global / non-US: ISO 27001 first
- Selling to both: pursue ISO 27001 first (broader coverage), then add SOC 2 mapping (significant overlap means much less marginal work)
11Maintaining the ISMS year-round
- Risk assessment refresh — at least annually; whenever scope changes significantly
- Policy review — annual review even if no changes
- Internal audit — typically twice a year; cover all controls over the cycle
- Management review — quarterly with prescribed agenda
- Incident metrics — count, severity, MTTR; presented at management review
- Vendor risk assessments — for new vendors and annual for existing
From ISMS gap to ISO 27001 certified
A 30-minute consultation. We scope your ISMS, map the Annex A control gaps, and give you a realistic 90-day plan to get Stage 1-ready — whether you're starting fresh or rescuing a stalled programme.