The ISO 27001 2022 transition is still incomplete for many Indian SaaS and BFSI organisations that certified under the 2013 version, and the 11 new Annex A controls require both technical and procedural changes — not just policy updates. If you are certifying for the first time or transitioning from 2013, the 2022 version introduces 11 new Annex A controls organised into four themes: organisational, people, physical, and technological. This guide explains each new control in the Indian regulatory context, with implementation guidance for Bangalore SaaS and BFSI teams.
The article moves top-down: what changed in 2022, the 11 new controls by theme, implementation effort by control, and how to scope a transition or initial certification audit.
What changed in ISO 27001:2022
The 2022 revision made two major structural changes to ISO/IEC 27001. If you are certifying for the first time or transitioning from the 2013 version, see our ISO 27001 service page for the full certification programme, or our ISO 27001 vs SOC 2 comparison if you are deciding between the two frameworks.
- Annex A reorganisation — Controls moved from 14 domains to 4 themes (organisational, people, physical, technological)
- Alignment with ISO/IEC 27002:2022 — New controls added, some merged, some renamed
The management-system clauses (Clauses 4–10) were also updated to align with the harmonised ISO management-system structure, but the core PDCA cycle remains.
The 11 new Annex A controls
Organisational controls
A.5.7 Threat intelligence
What it is: Proactive collection and analysis of threat intelligence to inform risk assessment and control selection.
Indian context: CERT-In threat advisories, sector-specific threat feeds (RBI, SEBI), and India-focused ISACs are the primary sources for Indian organisations.
Implementation effort: Medium. Requires a threat-intelligence platform or managed feed, and analyst time to consume and action the intelligence.
A.5.23 Information security for use of cloud services
What it is: Security requirements for cloud service acquisition and use, including data residency, access control, and exit planning.
Indian context: RBI data-localisation expectations and MeitY cloud guidelines make this control particularly relevant for Indian BFSI and government contractors.
Implementation effort: Low–medium. Most Indian SaaS companies already have cloud-security policies; the 2022 control formalises the requirement.
A.5.30 ICT readiness for business continuity
What it is: Planning, implementation, maintenance, and testing of ICT continuity.
Indian context: SEBI CSCRF and RBI business-continuity guidelines already expect this. The 2022 control harmonises the expectation.
Implementation effort: Medium. Requires BCP/DR documentation, RTO/RPO definitions, and annual testing.
A.5.37 Documented operating procedures
What it is: Operating procedures must be documented, maintained, and available to personnel who need them.
Implementation effort: Low. Most organisations have SOPs; the 2022 control adds the requirement to keep them current and accessible.
People controls
A.6.7 Remote working
What it is: Security measures for personnel working remotely, including device security, access control, and communication protection.
Indian context: Post-COVID, permanent remote and hybrid work is common in Bangalore SaaS. This control formalises what was previously ad-hoc.
Implementation effort: Low. VPN, MFA, and endpoint security are already standard.
A.6.8 Information security event reporting
What it is: Personnel must be able to report security events through appropriate channels in a timely manner.
Implementation effort: Low. Requires a reporting channel (email, ticketing, hotline) and awareness training.
Physical controls
No new physical controls were added in 2022, but A.7.14 (equipment disposal) was enhanced to emphasise data-sanitisation verification.
Technological controls
A.8.9 Configuration management
What it is: Hardware, software, and service configurations must be established, documented, implemented, monitored, and reviewed.
Implementation effort: Medium. Requires a configuration-management database (CMDB) and change-control integration.
A.8.10 Information deletion
What it is: Information must be deleted when no longer required, in a manner that prevents recovery.
Indian context: The DPDP Act 2023 creates a legal obligation to delete personal data when the purpose is complete. This control supports that obligation.
Implementation effort: Low–medium. Requires data-retention policies, deletion workflows, and verification of secure erasure.
A.8.11 Data masking
What it is: Data masking must be used in accordance with the organisation’s access-control policy.
Implementation effort: Medium. Requires identification of sensitive data classes, masking rules for non-production environments, and tooling.
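To make the masking-rule requirement concrete, the following Python script is an added illustration, not code from this article's authors or from any masking product named on this page. It assumes a constructed customer table, a constructed per-field rule set and a demo HMAC key. Keyed pseudonymisation keeps referential integrity across masked tables (the same input always yields the same token, and the token cannot be reversed without the key), partial masking preserves field format for UI testing, unknown columns fail closed, and a verification pass produces the kind of evidence an auditor asks for under A.8.11.

```python
"""Masking rules for a non-production copy of customer data (added example).

Assumptions (not from the article): the record layout, the data classes and
the HMAC key below are all constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample records of the kind an Indian SaaS or BFSI system holds.
SAMPLE_RECORDS = [
    {"customer_id": "C1001", "name": "Asha Rao", "email": "asha.rao@example.com",
     "mobile": "9876543210", "pan": "ABCDE1234F", "balance": 15230.50},
    {"customer_id": "C1002", "name": "Rahul Mehta", "email": "rahul@example.org",
     "mobile": "9123456789", "pan": "PQRSX5678Z", "balance": 820.00},
]

# Per-field rule, i.e. the "masking rules for non-production" the control asks for.
# pseudonymise: keyed token, keeps joins working across tables.
# partial: keep the last four characters so screens and validators still render.
# keep: non-personal data that test environments legitimately need.
MASKING_RULES = {
    "customer_id": "keep",
    "name": "pseudonymise",
    "email": "pseudonymise_email",
    "mobile": "partial",
    "pan": "partial",
    "balance": "keep",
}


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed token: same input and key -> same 16-hex-char token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def mask_partial(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` characters with X, preserving length."""
    if len(value) <= keep_last:
        return "X" * len(value)
    return "X" * (len(value) - keep_last) + value[-keep_last:]


def mask_record(record: dict, key: bytes) -> dict:
    masked = {}
    for field, value in record.items():
        rule = MASKING_RULES.get(field)
        if rule is None:
            # Fail closed: an unclassified column is a leak waiting to happen.
            raise ValueError(f"no masking rule for field {field!r}")
        if rule == "keep":
            masked[field] = value
        elif rule == "pseudonymise":
            masked[field] = pseudonymise(str(value), key)
        elif rule == "pseudonymise_email":
            local, _, domain = str(value).partition("@")
            masked[field] = f"{pseudonymise(local, key)}@{domain}"
        elif rule == "partial":
            masked[field] = mask_partial(str(value))
    return masked


def mask_dataset(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


# Shapes of identifiers that must never survive into non-production.
PII_PATTERNS = {
    "mobile": re.compile(r"\b[6-9]\d{9}\b"),       # Indian mobile number shape
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),   # PAN shape
}


def verify_no_raw_pii(original: list, masked: list) -> list:
    """Evidence check: list every masked record that still carries an original
    name, a full mobile number or a PAN. An empty list is the audit artefact."""
    findings = []
    for orig, m in zip(original, masked):
        blob = " ".join(str(v) for v in m.values())
        if orig["name"] in blob:
            findings.append((orig["customer_id"], "name"))
        for label, pattern in PII_PATTERNS.items():
            if pattern.search(blob):
                findings.append((orig["customer_id"], label))
    return findings


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-rotate-in-real-use"   # assumption
    out = mask_dataset(SAMPLE_RECORDS, demo_key)
    for row in out:
        print(row)
    print("findings:", verify_no_raw_pii(SAMPLE_RECORDS, out))
```

The key is the control point: it belongs in the same secret store as production credentials, never in the non-production environment that receives the masked copy, otherwise the pseudonyms are reversible by anyone who can read that environment.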
A.8.12 Data leakage prevention
What it is: DLP measures must be applied to systems, networks, and devices that process sensitive information.
Implementation effort: Medium–high. Requires DLP tooling, policy definition, and ongoing tuning to avoid false positives.
A.8.16 Monitoring activities
What it is: Networks, systems, and applications must be monitored for anomalous behaviour, with appropriate analytical and response activities.
Implementation effort: Medium. Requires SIEM or equivalent, alerting rules, and analyst capacity.
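As an added illustration of what "alerting rules" means in practice (this is not from the original article or from any SIEM vendor), the Python below runs one detection rule over constructed authentication log lines: a burst of failed OTP verifications for one account from one source address within a short window, with a flag when a success follows the burst, which is the case an analyst should look at first. The log format, the threshold and the window are assumptions; in production the same logic is expressed in the SIEM's own query language and the analyst response step is what A.8.16 adds on top of logging.

```python
"""Burst-of-failed-OTP detection over sample auth logs (added example).

Assumptions (not from the article): the line format, the five-failures-in-
sixty-seconds threshold and the constructed log lines are for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log from an imaginary auth service (last line is out of
# order on purpose: real exports are not always time-sorted).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth otp_verify user=u100 src=203.0.113.5 result=fail
2024-03-01T10:00:03Z auth otp_verify user=u100 src=203.0.113.5 result=fail
2024-03-01T10:00:05Z auth otp_verify user=u100 src=203.0.113.5 result=fail
2024-03-01T10:00:07Z auth otp_verify user=u100 src=203.0.113.5 result=fail
2024-03-01T10:00:09Z auth otp_verify user=u100 src=203.0.113.5 result=fail
2024-03-01T10:00:11Z auth otp_verify user=u100 src=203.0.113.5 result=success
2024-03-01T10:00:20Z auth otp_verify user=u200 src=198.51.100.9 result=fail
2024-03-01T10:05:20Z auth otp_verify user=u200 src=198.51.100.9 result=fail
2024-03-01T10:10:20Z auth otp_verify user=u200 src=198.51.100.9 result=success
2024-03-01T10:00:30Z auth login user=u300 src=192.0.2.7 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_otp_bursts(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per (user, source) when `threshold` OTP failures land inside
    `window`; mark the alert if a success follows before the window is reset."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])          # never trust export order
    failures = defaultdict(deque)               # (user, src) -> recent failure times
    open_alerts = {}                            # (user, src) -> alert awaiting outcome
    alerts = []
    for e in events:
        if e["event"] != "otp_verify":
            continue
        key = (e["user"], e["src"])
        recent = failures[key]
        if e["result"] == "fail":
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if key in open_alerts:
                open_alerts[key]["failures"] = max(open_alerts[key]["failures"], len(recent))
                open_alerts[key]["last"] = e["ts"]
            elif len(recent) >= threshold:
                alert = {"user": e["user"], "src": e["src"], "failures": len(recent),
                         "first": recent[0], "last": e["ts"], "followed_by_success": False}
                open_alerts[key] = alert
                alerts.append(alert)
        else:
            # A success right after a burst is the highest-priority outcome.
            if key in open_alerts:
                open_alerts[key]["followed_by_success"] = True
                del open_alerts[key]
            recent.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_otp_bursts(SAMPLE_LOG):
        print(a)
```

This rule is keyed on (user, source), so it catches repeated guessing against one account from one place; credential stuffing (many users from one source) and a distributed attack on one account (one user, many sources) need the same sliding window keyed on the source alone or the user alone. Rule tuning against false positives, as the article notes for DLP, applies here too: a user mistyping a code twice must not page anyone.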
A.8.23 Web filtering
What it is: External web access must be filtered to block malicious content and restrict access to unauthorised web resources.
Implementation effort: Low. Most organisations already have web filtering via firewall or proxy.
A.8.28 Secure coding
What it is: Secure coding principles must be applied to software development.
Indian context: With the rise of Indian fintech and HealthTech, secure coding is increasingly expected by regulators and enterprise buyers.
Implementation effort: Medium. Requires training, code-review processes, and SAST/DAST tooling.
A.8.25 Secure development lifecycle
What it is: Rules for secure development must be established and applied across the software development lifecycle.
Implementation effort: Medium. Requires SDL policy, threat modelling, and security gates.
A.8.26 Application security requirements
What it is: Security requirements must be identified, specified, and approved when developing or acquiring applications.
Implementation effort: Low. Requirements engineering process addition.
A.8.27 Secure system architecture and engineering principles
What it is: Engineering principles must be established, documented, maintained, and applied to information system development.
Implementation effort: Medium. Requires architecture review board and security patterns library.
In summary, the controls introduced or substantially restructured in the 2022 version are: threat intelligence, cloud services, ICT readiness, documented operating procedures, remote working, information security event reporting, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, secure development lifecycle, application security requirements, and secure system architecture. Accounting for merges and restructures, 11 of these are net-new controls.
Transition timeline for Indian organisations
| Phase | Duration | Activities |
|---|---|---|
| Gap assessment | 2 weeks | Map current controls to 2022 Annex A |
| Control implementation | 6–10 weeks | Address gaps, update policies, configure tools |
| Internal audit | 2 weeks | Verify control effectiveness |
| Management review | 1 week | Board sign-off on transition readiness |
| Certification audit | 2–3 weeks | Stage 1 + Stage 2 with an accredited body |
Common transition mistakes
- Treating it as a paperwork exercise. The 2022 controls require technical and procedural changes, not just policy updates.
- Ignoring the new technological controls. Secure coding, data masking, and DLP require tooling and training investment.
- Missing the cloud-services control. Most Indian SaaS companies use cloud infrastructure; this control is relevant to almost everyone.
- Not integrating with DPDP. Information deletion and data masking directly support DPDP compliance. Do them together.
- Hiring a non-accredited certification body. Only UKAS-, NABCB-, or equivalent-accredited bodies can issue valid certificates.
Implementation cost by control — what to budget
The 11 net-new controls have widely varying implementation costs. Budgeting at a control-by-control level allows for prioritised investment.
| Control | Implementation cost (INR) | Tooling | Operational effort |
|---|---|---|---|
| A.5.7 Threat intelligence | ₹1,50,000–₹4,00,000/year | Commercial feed or managed service | 2 hours/week analyst time |
| A.5.23 Cloud services | ₹50,000 (one-time) | Existing cloud-management tools | 1 week policy work |
| A.5.30 ICT readiness | ₹1,00,000–₹3,00,000 | BCP/DR documentation tooling | 4 weeks initial; 1 day/quarter testing |
| A.6.7 Remote working | ₹50,000 | Existing VPN, MFA, EDR | Already in place for most |
| A.8.9 Configuration management | ₹2,00,000–₹6,00,000 | CMDB, change-control tools | 6 weeks setup; ongoing |
| A.8.10 Information deletion | ₹1,00,000–₹3,00,000 | Data-retention tooling | 4 weeks setup; ongoing |
| A.8.11 Data masking | ₹2,00,000–₹5,00,000 | Masking tools or custom scripts | 4 weeks; ongoing |
| A.8.12 DLP | ₹3,00,000–₹10,00,000/year | Commercial DLP product | 8 weeks tuning; ongoing |
| A.8.16 Monitoring | ₹2,00,000–₹8,00,000/year | SIEM + SOC capability | Ongoing analyst capacity |
| A.8.23 Web filtering | ₹50,000 | Existing firewall or DNS filtering | Already in place for most |
| A.8.28 Secure coding | ₹1,50,000–₹4,00,000 | SAST/DAST tools, training | 4 weeks initial; ongoing training |
Total implementation cost for an organisation starting from a 2013-baseline ISMS: approximately ₹15–₹40 lakh in year 1, depending on which controls require new tooling versus formalisation of existing capability.
Transition versus initial certification — the practical difference
Organisations approach 2022 certification from two starting points. The implementation effort differs.
Transition from 2013 certification
Existing ISMS infrastructure remains valid; the focus is on Annex A control mapping. The transition audit is typically conducted at the next surveillance audit or recertification, with the certification body extending the certificate scope to cover 2022. Cost: approximately ₹4–₹9 lakh on top of the standard surveillance audit fee.
Initial certification under 2022
Full ISMS implementation including Stage 1 + Stage 2 audit. The 2022 controls are integrated from the start rather than retrofitted. Cost: ₹5,50,000–₹18,00,000 depending on scope and certification body.
Hybrid approach — combined transition and scope expansion
Some organisations use the 2022 transition opportunity to expand the certified scope (e.g., adding cloud regions, additional product lines, new business units). This is operationally attractive because the transition audit can be combined with the scope-extension audit, reducing total auditor time on-site.
Bangalore-specific implementation considerations
The 2022 controls have specific implications for Bangalore SaaS and BFSI organisations beyond the general implementation guidance.
Threat intelligence (A.5.7) for Indian context
Generic global threat-intelligence feeds miss India-specific threats. The most effective implementations combine a commercial feed (Recorded Future, ThreatConnect), CERT-In advisories (free), sector-specific feeds (RBI for BFSI, SEBI for capital markets), and an India-focused ISAC where available. The combined cost is typically ₹2–₹4 lakh per year for a mid-sized organisation.
Cloud services (A.5.23) for Indian regulators
The control formalises what the RBI Master Direction on IT Outsourcing and SEBI CSCRF already require. Bangalore BFSI organisations typically have most of the documentation; the gap is usually in the formal DPA structure with cloud providers and in exit-planning depth.
Information deletion (A.8.10) and DPDP overlap
The DPDP Act creates a legal obligation to delete personal data when no longer required. Implementing A.8.10 properly satisfies both the ISO 27001:2022 expectation and the DPDP requirement. Combine the implementation; do not run them as separate workstreams.
Secure coding (A.8.28) for Indian fintech
RBI Master Direction on Digital Lending and SEBI’s increasing focus on application security make A.8.28 implementation particularly valuable for Indian fintech. The training component should include India-specific attack patterns (UPI flow exploits, Aadhaar replay, OTP brute-force) rather than only generic OWASP guidance.
Practical next steps
If you are certifying for the first time, use the transition timeline as your programme plan. If you are deciding between ISO 27001 and SOC 2, see our decision tree. If you want to scope an ISO 27001:2022 certification, our ISO 27001 service page walks through the methodology and pricing.
For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed price in INR, and direct partner-level accountability through the engagement.
ISO 27001:2022 transition FAQ
Is the 2013 version still valid? Existing 2013 certificates remain valid through their stated expiry; transition to 2022 typically happens at the next surveillance audit or recertification. New certifications are issued only against the 2022 version.
Can I transition partially? No. Transition is binary — the certificate is either against 2013 or 2022. Partial implementation can be evidenced as in-progress but doesn’t yield a partial certificate.
Does the ISMS structure change between 2013 and 2022? The Annex A control structure changed substantially (from 14 domains to 4 themes). The management-system clauses (Clauses 4–10) are largely unchanged. Most ISMS infrastructure carries forward.
Is the transition audit billed separately from surveillance? Typically yes, though some certification bodies bundle them at the next surveillance cycle. Cost is approximately ₹4–9 lakh on top of standard surveillance.
Are all 11 new controls equally important? No. Threat intelligence (A.5.7), cloud services (A.5.23), DLP (A.8.12), and monitoring (A.8.16) typically require the most-substantive new investment. Others (web filtering, remote working) often formalise existing capability.
Does the 2022 version include AI-specific controls? Not directly, though the secure-development and configuration-management controls apply to AI workloads. ISO/IEC 42001 (AI management system) is a separate standard.
How does the 2022 version interact with DPDP Act? Strong synergy. Information deletion (A.8.10) directly supports DPDP retention obligations; data masking (A.8.11) supports DPDP minimisation; threat intelligence (A.5.7) supports DPDP breach-detection capability.
Can I implement the 11 controls incrementally? Yes, but the certification audit requires all 11 to be in place at Stage 2. Incremental implementation should target completion 8–12 weeks before the audit window.
Are there sector-specific extensions? Yes — ISO 27017 (cloud), ISO 27018 (cloud privacy), ISO 27701 (PIMS for privacy), ISO 27001 + sector standards. These are separate certifications complementing 27001.
Does ISO 27001:2022 require AI risk management? Not specifically named, but the risk-assessment process (Clause 6) covers any technology risk including AI. Organisations using AI extensively should consider ISO 42001 alongside.
What if I’m certified to ISO 27001:2013 and don’t transition? The certificate remains valid through expiry. After expiry, only 2022 certification is available. Most organisations transition at the next surveillance to avoid recertification gap.
How does the transition affect annual surveillance fees? Generally unchanged. Surveillance audits cover the existing scope; transition adds incremental scope at the transition audit specifically.
Tooling decisions for the 11 new controls
Specific tooling decisions affect implementation cost and ongoing operational burden for each new control.
Threat intelligence (A.5.7). Commercial feeds (Recorded Future, ThreatConnect, Mandiant) cost ₹3-8 lakh/year and provide rich intelligence; managed services (CrowdStrike Falcon Intelligence, Mandiant Advantage) cost more but include analyst time. CERT-In advisories are free and India-relevant. Most Bangalore implementations combine commercial feed + CERT-In advisories.
Cloud services (A.5.23). Existing cloud-management tools (AWS Control Tower, Azure Policy, GCP Organization Policies) typically cover this control. Specific cloud-security posture management (CSPM) tools — Wiz, Orca, Lacework — provide deeper coverage at additional cost.
ICT readiness (A.5.30). Documentation and process work; tooling investment minimal. Backup-and-recovery tools (Veeam, Commvault) and DR-orchestration tools (Zerto, AWS Elastic DR) cover the technical layer.
Configuration management (A.8.9). CMDB tools (ServiceNow, BMC Helix) for enterprise-scale; Terraform Enterprise / Pulumi for cloud-native. Open-source alternatives (NetBox, RackTables) for cost-conscious implementations.
Information deletion (A.8.10). Retention-management tools embedded in storage platforms (S3 Lifecycle Policies, Azure Blob Lifecycle Management). Custom workflow tools for application-level data deletion.
Data masking (A.8.11). Database-native masking (Oracle Data Masking, SQL Server Dynamic Data Masking) or dedicated tools (Delphix, Informatica). Open-source alternatives (Faker libraries integrated with test-data generation) for non-production environments.
DLP (A.8.12). Microsoft Purview, Symantec DLP, Forcepoint, Trellix. ₹3-12 lakh/year typical range. Cloud-native CASB solutions (Microsoft Defender for Cloud Apps, Netskope) provide overlapping capability.
Monitoring (A.8.16). SIEM tools (Splunk, Sentinel, Elastic, Sumo Logic, Datadog Cloud SIEM). ₹3-15 lakh/year depending on log volume. Open-source alternatives (Wazuh, Security Onion) for cost-conscious implementations.
Web filtering (A.8.23). DNS-layer filtering (Cisco Umbrella, Cloudflare Gateway, Quad9) at low cost. Existing firewall capability typically covers this.
Secure coding (A.8.28). SAST tools (SonarQube, Checkmarx, Snyk Code), DAST tools (OWASP ZAP, Burp Suite Enterprise), training platforms (Secure Code Warrior, Veracode). ₹2-8 lakh/year typical range.
Bangalore-specific implementation considerations
Bangalore SaaS implementations of the 11 new controls have specific considerations:
Tooling vendor presence. Most major security tooling vendors have a Bangalore presence with local sales and support. Procurement is operationally smoother than for tools without a local presence.
Implementation services. Bangalore-based system integrators (Wipro, Infosys, TCS) and specialised security firms offer implementation services for the new controls. Per-control implementation cost varies widely.
Talent availability. Bangalore has the largest concentration of ISO 27001 implementation experience in India. Hiring or contracting for implementation work is feasible.
Audit ecosystem. Multiple ISO 27001 certification bodies operate in Bangalore (BSI, BV, DNV, TÜV, Intertek). Annual surveillance scheduling is competitive on price and timing.
Pragmatic implementation sequence for 2022 transition
For Bangalore organisations transitioning to ISO 27001:2022, the implementation sequence affects success probability.
Phase 1 (weeks 1-3) — gap assessment. Map current controls (whether 2013-aligned or greenfield) to 2022 Annex A. Identify the 11 net-new controls and their implementation effort.
Phase 2 (weeks 4-9) — high-impact controls. Implement DLP, monitoring, configuration management, and threat intelligence. These are typically the highest-effort new controls and benefit from earliest start.
Phase 3 (weeks 10-13) — medium-impact controls. Implement information deletion, data masking, and ICT readiness for business continuity. This is documentation and tooling work that builds on the prior phases.
Phase 4 (week 14) — internal audit. Audit covers all 93 Annex A controls plus management-system clauses. Identify residual gaps before certification audit.
Phase 5 (weeks 15-16) — management review and certification. Management review approves ISMS state; certification body conducts Stage 1 + Stage 2 audit.
This sequence works for most Bangalore organisations transitioning from a 2013 baseline. Greenfield programmes extend by 4-6 weeks; complex multi-site organisations extend further.
ISO 27001:2022 in the broader certification portfolio
For Bangalore organisations holding multiple certifications, ISO 27001:2022 fits within a broader portfolio.
ISO 27017 (cloud security extension). Adds 7 cloud-specific controls beyond 27001. Worth pursuing if cloud is material to the operation.
ISO 27018 (cloud privacy extension). Adds privacy-specific controls beyond 27001. Worth pursuing if you process significant personal data in the cloud.
ISO 27701 (PIMS extension). Adds a privacy management system beyond 27001. Worth pursuing if a comprehensive privacy programme is desired (often paired with GDPR / DPDP).
ISO 22301 (BCMS). Business continuity management. Often paired with 27001 for operational-resilience-focused organisations.
ISO 9001 (QMS). Quality management. Often paired with 27001 in IT services organisations.
The integrated management system approach (combining 27001 + 22301 + 9001 + sectoral standards) reduces total audit cost versus separate certifications.
Common 2022 transition surprises
For organisations completing the 2022 transition, several surprises emerge consistently.
Surprise 1 — DLP scope. A.8.12 (DLP) tooling cost is higher than expected; effective DLP requires specialist tooling and ongoing tuning. Budget accordingly.
Surprise 2 — secure coding training scope. A.8.28 expects training for all developers, not just security-specific roles. Scaling training to the entire engineering team is a meaningful operational effort.
Surprise 3 — threat intelligence integration. A.5.7 requires consuming threat intelligence operationally, not just subscribing to feeds. Analyst capacity to consume and action intelligence is the harder part.
Surprise 4 — configuration management depth. A.8.9 expects current configuration baselines for hardware, software, services, and networks. CMDB tooling or strong IaC discipline is required; ad-hoc documentation is insufficient.
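An added example (not from the article or any CMDB product) of what a "current configuration baseline" means operationally: a Python drift check that compares an approved baseline against the configuration an agent or IaC state export reports, classifies each difference as missing, mismatched or unbaselined, and fails closed on high-severity drift. The baseline keys, the observed values and the severity labels are constructed for illustration; the point is that the baseline is data that a scheduled job evaluates, not a document that is read once.

```python
"""Configuration-baseline drift check (added example).

Assumptions (not from the article): the baseline, the observed configuration
and the severity map are constructed; a real programme would pull observed
values from the CMDB or IaC state and run this check on a schedule.
"""
import json

# Constructed approved baseline for an internet-facing Linux host.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "audit.enabled": "yes",
    "ntp.servers": ["ntp1.example.internal", "ntp2.example.internal"],
}

# How much each setting matters; unknown keys default to "medium".
SEVERITY = {
    "sshd.PermitRootLogin": "high",
    "sshd.PasswordAuthentication": "high",
    "tls.min_version": "medium",
    "audit.enabled": "high",
    "ntp.servers": "low",
}

# Constructed observed state, as an agent or IaC state export would report it.
OBSERVED_JSON = json.dumps({
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "ntp.servers": ["ntp2.example.internal", "ntp1.example.internal"],
    "debug.mode": "on",
})

_ORDER = {"high": 0, "medium": 1, "low": 2}


def load_observed(text: str) -> dict:
    return json.loads(text)


def normalise(value):
    """Lists are compared as sets: NTP server order is not a security difference."""
    if isinstance(value, list):
        return tuple(sorted(value))
    return value


def check_drift(baseline: dict, observed: dict) -> list:
    """Return findings sorted by severity then key. An empty list means the host
    matches its baseline and is the evidence to file for A.8.9."""
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append({"key": key, "kind": "missing", "expected": expected,
                             "observed": None, "severity": SEVERITY.get(key, "medium")})
        elif normalise(observed[key]) != normalise(expected):
            findings.append({"key": key, "kind": "mismatch", "expected": expected,
                             "observed": observed[key],
                             "severity": SEVERITY.get(key, "medium")})
    for key, value in observed.items():
        if key not in baseline:
            # A setting nobody approved is drift too, even if it looks harmless.
            findings.append({"key": key, "kind": "unbaselined", "expected": None,
                             "observed": value, "severity": "medium"})
    findings.sort(key=lambda f: (_ORDER[f["severity"]], f["key"]))
    return findings


def has_blocking_drift(findings: list) -> bool:
    """High-severity drift should block a release or raise a ticket immediately."""
    return any(f["severity"] == "high" for f in findings)


def report(findings: list) -> str:
    lines = [f"{f['severity'].upper():6} {f['kind']:11} {f['key']}: "
             f"expected={f['expected']!r} observed={f['observed']!r}" for f in findings]
    return "\n".join(lines) if lines else "no drift"


if __name__ == "__main__":
    found = check_drift(BASELINE, load_observed(OBSERVED_JSON))
    print(report(found))
    print("blocking:", has_blocking_drift(found))
```

Run against the constructed input this reports root login enabled and auditing absent as high-severity drift and the unapproved debug setting as medium, while ignoring the reordered NTP list. The same shape works for cloud resources (security-group rules, bucket policies) once the observed side is fed from the provider's inventory API.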
Surprise 5 — monitoring scope. A.8.16 expects monitoring of networks, systems, and applications for anomalous behaviour. A SIEM with detection rules and analyst response capacity is required; basic logging is insufficient.
These surprises typically extend transition timelines beyond initial estimates; building a 4-8 week buffer into transition plans is operationally prudent.