Compliance

ISO 27001:2022 Implementation for Indian Startups: A No-BS Guide

Manish Garg, Associate CISSP · RingSafe
April 20, 2026
7 min read

ISO 27001:2022 is the framework every Indian startup claims to want and few actually finish. Founders procure the certificate thinking it is a marketing checkbox; six months in, the reality of the ISMS surfaces and the project stalls. Certification bodies report that a meaningful percentage of ISO 27001 attempts in the Indian mid-market take longer than planned or fail their first Stage 2 audit. Not because the standard is unreasonable, but because teams underestimate what an operating Information Security Management System demands.

This is the no-BS guide. It assumes you are a fifteen- to two-hundred-person Indian startup, probably B2B SaaS, probably cloud-native, and probably pursuing ISO 27001 because a European or large Indian enterprise buyer asked for it. It covers what the standard actually requires, what the 2022 revision changed, the Annex A controls that matter most, and how to sequence work so you pass Stage 2 without a scramble.

What the standard actually requires

ISO 27001:2022 has two parts. Clauses 4 through 10 describe the ISMS: context, leadership, planning, support, operation, performance evaluation, improvement. Annex A lists 93 controls across four themes: organizational, people, physical, technological. Clauses are mandatory; controls are applied based on risk and documented in the Statement of Applicability.

What most startups miss: the certificate is for the ISMS, not for the controls. You can implement all 93 Annex A controls and still fail certification if your risk assessment is not documented, your leadership review does not happen, your internal audit cycle is absent, or your improvement process is not operating. The ISMS is the product.

What changed in the 2022 revision

The 2013 version listed 114 controls in 14 categories. The 2022 revision merged and renamed them into 93 controls in 4 themes and added eleven new controls: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

The IAF transition deadline for 2013 certificates was 31 October 2025; a certificate still on 2013 after that date is withdrawn, not renewed. Certification bodies now issue, renew, and transition certificates only against the 2022 standard, and for a live certificate the transition was typically handled during a surveillance audit.

The realistic timeline for a first certificate

Phase                      Duration         Output
Scoping and gap analysis   4 to 6 weeks     Scope statement, gap report, remediation plan
ISMS establishment         8 to 12 weeks    Risk assessment, SoA, policy library, control implementation
Operational evidence       8 to 12 weeks    Controls running, internal audit, management review
Stage 1 audit              1 to 2 weeks     Documentation review by certification body
Remediation                2 to 6 weeks     Address Stage 1 findings
Stage 2 audit              1 to 2 weeks     Evidence sampling
Certification decision     2 to 4 weeks     Certificate issued

Total calendar time from kickoff to certificate is realistically six to nine months if some phases overlap, and closer to ten if every phase runs back to back (the ranges above sum to 26 to 44 weeks). Shorter than that usually means you had a lot already in place. Longer than that usually means the ISMS never actually started operating.

Scoping: draw the line carefully

The scope statement is the sentence that appears on the certificate. It defines what customers and auditors see. For a B2B SaaS, a typical scope reads something like: “The design, development, and operation of the [Product Name] cloud platform and associated customer support services delivered from the India office.” Everything inside the scope is audited; everything outside is not.

Common scoping mistakes:

  • Scoping the entire company when only one product is in market. This inflates audit cost and expands the ISMS to functions (marketing, finance) that do not need ISO 27001 rigor.
  • Scoping too narrowly and excluding the office network or the corporate identity provider, then realizing customer data touches them anyway.
  • Scoping the product but not the development process, which creates awkward gaps in change management controls.

The risk assessment is not a spreadsheet exercise

Clause 6.1.2 requires a defined and applied information security risk assessment process and documented information about that process and its results; clause 6.1.3 does the same for treatment. In practice that means a methodology document and a risk register, and certification auditors will read both. A risk register of generic threats copied from a template (“malware infects endpoints”) will draw a nonconformity. What the standard actually wants:

  • A methodology that defines how risks are identified, analyzed, evaluated, and treated. Typical: asset-based or scenario-based.
  • A list of information assets or scenarios specific to your environment.
  • Assessed likelihood and impact, with a rationale for each rating.
  • A treatment decision: accept, mitigate, transfer, avoid.
  • Owner, target date, and status for each treatment.

Expect somewhere between 30 and 100 risks on a first-pass register. Fewer usually means the team missed cloud, third-party, or insider risk categories. More usually means the team duplicated risks across assets.
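As an added example, not taken from the article or from RingSafe, the requirements above can be enforced mechanically rather than by eye. The Python below holds a register as typed rows, scores each risk on a 5x5 likelihood-by-impact scale, and flags the things an auditor samples for: ratings off the scale, missing rationale, treatments with no owner or target date, high scores quietly accepted, mitigations that cite no Annex A control, the same scenario pasted under several assets, absent cloud/third-party/insider categories, and a register size outside the expected band. The scales, the acceptance ceiling of 6, the required category names, and the five sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Scales and thresholds are assumptions for this example; ISO 27001 does not prescribe them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}
ACCEPT_CEILING = 6                                        # "accept" above this needs escalation
REQUIRED_CATEGORIES = {"cloud", "third-party", "insider"}  # categories a thin register tends to miss
EXPECTED_COUNT = (30, 100)                                 # first-pass register size band


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    category: str
    scenario: str
    likelihood: str
    impact: str
    rationale: str
    treatment: str
    owner: Optional[str] = None
    target_date: Optional[str] = None   # ISO date string, e.g. "2026-06-30"
    status: str = "open"
    controls: tuple = ()                # Annex A references backing a mitigation

    def score(self) -> int:
        """Likelihood x impact on the 5x5 scale; raises KeyError on an unknown rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def validate_risk(r: Risk) -> list:
    """Row-level checks: each returned string is one problem an auditor would raise."""
    problems = []
    if r.likelihood not in LIKELIHOOD or r.impact not in IMPACT:
        problems.append(f"{r.risk_id}: likelihood/impact not on the defined scale")
        return problems                                   # score() cannot be computed; stop here
    if r.treatment not in TREATMENTS:
        problems.append(f"{r.risk_id}: treatment '{r.treatment}' is not accept/mitigate/transfer/avoid")
    if len(r.rationale.strip()) < 20:                     # a one-word rationale is no rationale
        problems.append(f"{r.risk_id}: rating has no usable rationale")
    if r.treatment != "accept" and not (r.owner and r.target_date):
        problems.append(f"{r.risk_id}: treatment lacks an owner or target date")
    if r.treatment == "accept" and r.score() > ACCEPT_CEILING:
        problems.append(f"{r.risk_id}: score {r.score()} accepted above ceiling {ACCEPT_CEILING}")
    if r.treatment == "mitigate" and not r.controls:
        problems.append(f"{r.risk_id}: mitigation cites no Annex A control")
    return problems


def validate_register(register: list) -> list:
    """Register-level checks: duplicated scenarios, missing categories, size band."""
    findings = []
    for r in register:
        findings.extend(validate_risk(r))
    by_scenario = {}                                      # same scenario under several assets
    for r in register:
        by_scenario.setdefault(r.scenario.strip().lower(), []).append(r.risk_id)
    for ids in by_scenario.values():
        if len(ids) > 1:
            findings.append("duplicate scenario across assets: " + ", ".join(ids))
    missing = REQUIRED_CATEGORIES - {r.category for r in register}
    if missing:
        findings.append("no risks in categories: " + ", ".join(sorted(missing)))
    lo, hi = EXPECTED_COUNT
    if not lo <= len(register) <= hi:
        findings.append(f"register has {len(register)} risks, outside the expected {lo}-{hi}")
    return findings


def treatment_plan(register: list) -> list:
    """(risk_id, score, treatment), highest score first, for the management review pack."""
    ordered = sorted(register, key=lambda r: (-r.score(), r.risk_id))
    return [(r.risk_id, r.score(), r.treatment) for r in ordered]


# Constructed sample register (fictional assets and ratings); deliberately includes defects.
SAMPLE = [
    Risk("R-01", "Production Kubernetes cluster", "cloud",
         "Misconfigured object storage bucket exposes customer exports",
         "possible", "major", "Two public-bucket findings in the last 12 months; exports contain PII",
         "mitigate", owner="Platform lead", target_date="2026-06-30", controls=("A.5.23", "A.8.9")),
    Risk("R-02", "Identity provider tenant", "identity",
         "Admin account compromised via phishing",
         "likely", "severe", "No phishing-resistant MFA on admin roles", "accept"),
    Risk("R-03", "Developer laptops", "endpoint", "Malware infects endpoints",
         "possible", "moderate", "template", "mitigate",
         owner="IT", target_date="2026-05-31", controls=("A.8.7",)),
    Risk("R-04", "Finance laptops", "endpoint", "Malware infects endpoints",
         "possible", "moderate", "template", "mitigate",
         owner="IT", target_date="2026-05-31", controls=("A.8.7",)),
    Risk("R-05", "Payroll vendor", "third-party", "Vendor breach leaks employee data",
         "unlikely", "major", "Vendor holds PAN and bank details; SOC 2 report reviewed annually",
         "transfer", owner="HR head", target_date="2026-07-15"),
]

if __name__ == "__main__":
    for line in validate_register(SAMPLE):
        print("FINDING:", line)
    for row in treatment_plan(SAMPLE):
        print("PLAN:", row)
```

Run against the sample, the checker reports R-02 as a score of 20 accepted without escalation, R-03 and R-04 as template rows with no rationale and a duplicated scenario, an absent insider category, and a register far below the expected size; R-01 and R-05 pass. The same rows, exported from whatever tool holds the register, give you a repeatable pre-audit gate instead of a once-a-year read-through.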

The 15 Annex A controls that do disproportionate work

All 93 controls matter in context. These fifteen appear in nearly every ISO 27001 implementation we have run for Indian startups and are typically the heaviest lift.

  • A.5.1 Policies for information security
  • A.5.9 Inventory of information and other associated assets
  • A.5.15 Access control
  • A.5.23 Information security for use of cloud services (new in 2022)
  • A.5.24 Information security incident management planning and preparation
  • A.6.3 Information security awareness, education, and training
  • A.8.1 User endpoint devices
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.9 Configuration management (new in 2022)
  • A.8.16 Monitoring activities (new in 2022)
  • A.8.23 Web filtering (new in 2022)
  • A.8.25 Secure development lifecycle
  • A.8.28 Secure coding (new in 2022)

The policy library: what you actually need

ISO 27001 does not prescribe a list of policies. Clause 5.2 mandates only the top-level Information Security Policy; the topic-specific policies come from Annex A control A.5.1, and practical implementations end up with roughly fifteen to twenty of them. The Annex A controls that expect a documented topic-specific policy cover at least: access control (A.5.15), acceptable use (A.5.10), user endpoint devices (A.8.1), remote working (A.6.7), cryptography (A.8.24), clear desk and clear screen (A.7.7), backup (A.8.13), and secure development (A.8.25). Indian auditors typically also expect: information classification, supplier security, privacy, incident response, business continuity.

Management review and internal audit: the two things teams skip

Clause 9.3 requires management review at planned intervals. Clause 9.2 requires internal audit. Both must be documented and both must produce evidence. Teams that treat these as paperwork fail; teams that use them as actual governance find the ISMS improves.

A defensible rhythm: quarterly management review with the ISMS lead, CISO or CTO, and at least one business stakeholder, minuted with actions and their owners. Annual internal audit covering clauses 4 through 10 and every control marked applicable in your Statement of Applicability, by someone independent of the areas being audited. For a startup, the internal audit is often contracted externally because genuine independence is hard to find on a fifteen-person team.

Certification body selection

Not all certificates carry equal weight. Some buyers (particularly in regulated sectors) will only accept certificates issued by bodies accredited by NABCB in India, UKAS in the UK, or equivalent IAF MLA signatories. Before engaging a certification body, ask:

  • Who is your accreditation body?
  • How many auditor days are you quoting for Stage 1 and Stage 2, and why?
  • Do you audit remotely for Indian clients?
  • Which lead auditor will be assigned, and what is their experience in SaaS?

Avoid certification bodies that promise a fast, cheap certificate. An easy first-year audit often means a painful surveillance audit in year two, and a hard question from a buyer about certificate credibility.

Common failure modes

Documentation without operations

A beautifully written policy library that nobody follows will fail Stage 2. Auditors sample. If your access control policy says reviews are quarterly and your first review is the week before Stage 2, you have a nonconformity.

No evidence of improvement

ISO 27001 is built on Plan-Do-Check-Act. If your first management review minutes have zero actions and no follow-up, the audit team will push. Document real improvements; your ISMS should have changed between Stage 1 and Stage 2.

Scope creep during the audit

If the auditor spots data flowing outside your declared scope, expect a finding. Be honest in scoping; hiding systems causes more damage than including them.

Integration with SOC 2 and DPDP

An Indian SaaS running SOC 2 Type 2 already has roughly 70 percent of the Annex A controls in place. The marginal work for ISO 27001 is the ISMS itself: risk methodology, Statement of Applicability, management review cycle, internal audit program. If you do SOC 2 first and ISO 27001 second, the ISO 27001 project typically compresses to four to six months instead of the full first-certificate timeline above.

Work with RingSafe

RingSafe helps Indian startups implement ISO 27001:2022 without the consultant-ware bloat. Founder Manish Garg (Associate CISSP, CEH, CCNP Enterprise) and the team have run certifications with NABCB-accredited bodies and unified ISO 27001 with SOC 2 and DPDP programs to minimize duplication.

If you need a certificate on a tight timeline and want a partner that will tell you the truth about what is realistic, book a scoping call and we will map the fastest credible path to certification for your environment.