ISO/IEC 27001:2022 Certification Consulting in Bangalore

ISO/IEC 27001:2022 certification consulting from Bengaluru — ISMS scoping, Annex A 93-control implementation, internal audit, and Stage 1 / Stage 2 audit support. Fixed price in INR. Recognised across India, EU, UK, Japan and the GCC.

  • Timeline: 14 weeks
  • From (INR): ₹5,50,000
  • Delivered from: Bengaluru
  • Empanelment: CERT-In

ISO 27001 is the certification that Indian enterprise procurement teams understand. SOC 2 is what the US procurement teams want; ISO is what the rest of the world’s procurement function has been trained on for two decades. If your Bangalore company sells primarily into Indian banks, NBFCs, listed enterprises, public-sector undertakings, or any European buyer, ISO 27001:2022 is the more useful certification to pursue first. It is recognised under the Indian government’s GeM marketplace, RBI’s outsourcing guidelines, IRDAI’s information-security framework for insurance vendors, and the EU’s public-procurement regulations. The certificate is issued by an accredited certification body and is, unlike SOC 2, a binary outcome — you either have a current certificate or you do not.

This page covers what ISO 27001:2022 actually certifies (which is not what most marketing copy claims), how the 2013-to-2022 transition affects your ISMS, what the 93-control Annex A looks like in practice, the fourteen-week roadmap from kickoff to certification, how to choose a certification body without overpaying, and the joint engagement model for clients who want both ISO 27001 and SOC 2 from a single team in a single evidence cycle.

What ISO 27001:2022 actually certifies

ISO/IEC 27001:2022, formally titled Information security, cybersecurity and privacy protection — Information security management systems — Requirements, is an international standard published jointly by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission). It specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). The certificate, when issued, attests that an organisation operates an ISMS that conforms to the requirements of the standard within a defined scope.

Three things ISO 27001 is not:

  • Not a product certification. ISO 27001 certifies the management system, not the software. Saying "our product is ISO 27001 certified" is technically incorrect (and procurement teams who know the standard will gently correct you). The correct statement is "our company is ISO 27001 certified within a scope that includes the development and operation of [product]."
  • Not a one-off project. The certificate is valid for three years but is conditional on annual surveillance audits. If you skip a surveillance, the certificate is suspended. If you skip recertification, it expires. ISO 27001 is a continuous-operation discipline, not a milestone.
  • Not a guarantee that your security is good. ISO 27001 certifies that you have a system for managing information security; it does not certify that the system produces high-security outcomes. A weak organisation with a credibly-operating ISMS can be certified. The discipline of running the ISMS, however, almost always raises the security bar over time.

Who in Bangalore needs ISO 27001

ISO 27001 demand in India breaks into five distinct buyer categories, and the right answer for each is different.

1. Domestic-focused B2B SaaS and IT services

If your buyers are Indian banks, NBFCs, mutual funds, insurance companies, or public-sector undertakings, ISO 27001 is the procurement-team-recognised certification. RBI’s "Master Direction on Outsourcing" expects critical IT vendors to maintain it. IRDAI’s Information and Cyber Security Guidelines for the insurance sector call it out by name. The Government e-Marketplace (GeM) gives ISO 27001 holders an explicit advantage in technology procurement scoring. For these buyers, ISO is the floor; SOC 2 is interesting but secondary.

2. Bangalore engineering centres of MNCs

If your Bangalore office is the engineering or back-office centre of a US/EU parent, the parent’s global certificate often does not cover the India operations. The parent’s auditor wants the India scope inside their certificate but cannot do the field work in Bengaluru economically. We get added to their engagement letter as the India implementation partner. Roughly 25% of our ISO 27001 work follows this pattern.

3. EU-facing exporters

If your buyers are German automotive, French banking, or any UK enterprise that has been ISO-trained for twenty years, ISO 27001 is what they want to see. SOC 2 reports are accepted but treated as a US-flavoured analogue rather than the canonical answer.

4. ITeS, BPO, and KPO operators

The Indian outsourcing industry was built on ISO certifications, and the procurement model continues that pattern. ISO 27001 here is paired with ISO 9001 (quality), ISO 22301 (BCMS), and increasingly ISO 27701 (privacy). We deliver the integrated management system as a single engagement.

5. Government tenders

Central and state government RFPs in technology categories increasingly require ISO 27001 as a pre-qualification criterion. The certificate is not a guarantee of winning, but its absence is a guarantee of being filtered out.

If your buyers are exclusively US enterprises and you are not selling into India or Europe, you can skip ISO 27001 and go directly to SOC 2 Type II. For everyone else, ISO is at least the starting point.

The 2013 → 2022 transition window

ISO 27001:2013 was the previous version of the standard, in force from October 2013 to October 2022. The 2022 revision was a major restructuring of Annex A, motivated primarily by the cloud-first reality that the 2013 control set was struggling to address. As of 2026, the transition deadline (31 October 2025) has passed — every active ISO 27001 certificate must now be against the 2022 version of the standard.

If your existing certificate was on the 2013 version, your certification body would have transitioned you at your most recent surveillance audit. The transition typically required (a) a Statement of Applicability update mapping the new 93-control Annex A to your scope, (b) implementation of the 11 net-new controls, (c) an updated risk-treatment plan, and (d) sometimes a transition audit. If your CB skipped any of these and quietly issued you a 2022-version certificate, you are at risk of a non-conformity at your next audit. We have seen this twice in 2026 with Bangalore clients who were inherited from another consultant.

The 11 new controls in ISO 27001:2022

  • A.5.7 Threat intelligence — gather and analyse information on information security threats relevant to your operations
  • A.5.23 Information security for use of cloud services — define controls for acquisition, use, management and exit from cloud services
  • A.5.30 ICT readiness for business continuity — plan and prepare ICT readiness in line with business continuity objectives
  • A.7.4 Physical security monitoring — continuous monitoring of premises for unauthorised access
  • A.8.9 Configuration management — establish and maintain configurations including baselines for hardware, software, services and networks
  • A.8.10 Information deletion — secure deletion of information when no longer required
  • A.8.11 Data masking — apply data masking aligned with your access control policy
  • A.8.12 Data leakage prevention — apply DLP measures to systems, networks, and devices that process, store or transmit sensitive data
  • A.8.16 Monitoring activities — monitor networks, systems, and applications for anomalous behaviour
  • A.8.23 Web filtering — manage access to external websites to reduce malware exposure
  • A.8.28 Secure coding — apply secure-coding principles to software development

Eight of the eleven are technological controls — which is why a meaningful portion of the transition work for cloud-native Bangalore companies has been technical implementation rather than documentation. We build SOAR and SIEM integrations as part of the transition where they are missing.

ISMS scoping — get this right or pay later

The single most important decision in an ISO 27001 engagement is the ISMS scope statement. The scope defines what your certificate covers — which products, which services, which legal entities, which physical locations, which data centres, which cloud regions, which job functions. Get the scope right and the engagement is methodical; get it wrong and you are paying to re-scope at every surveillance audit.

Three patterns we see most often in Bangalore engagements:

The over-broad scope

Founder says "let’s certify everything." Six months later they realise the call-centre operation in Pune they acquired is now in scope and the auditor wants evidence from there too. Cost goes up. Lesson: scope what is auditable today, expand later.

The under-broad scope

Scope is written as "the engineering team in Bengaluru." Sales operations in Mumbai handle production-data screenshots in their CRM and are technically out-of-scope but obviously in the data flow. Buyer asks "why doesn’t the certificate cover Mumbai?" Lesson: include any function that touches in-scope data, even if you wish you didn’t.

The misaligned scope

Scope says "our SaaS product." Buyer asks for evidence of how the customer-success team handles support tickets. Auditor was not contracted to review that team. Lesson: align scope with buyer questions — write it after a survey of what your top three buyers actually ask about, not before.

We spend the first week of every ISO engagement on scope. The output is a one-page document that goes into your ISMS as the foundational artifact and is referenced in every subsequent document. The certification body reviews it at Stage 1; getting it precisely right early eliminates the most common cause of late-stage rework.

Annex A: 93 controls in 4 themes

Annex A of ISO 27001:2022 lists 93 controls grouped into 4 themes — a substantial restructuring from the 14 domains of 2013. The new themes are:

A.5 Organisational controls (37 controls)

Policies, roles, responsibilities, threat intelligence, supplier relationships, cloud services, business continuity, legal and contractual obligations. The largest theme, covering the management-system layer of the ISMS.

A.6 People controls (8 controls)

Background screening, terms and conditions of employment, awareness training, disciplinary processes, remote working, confidentiality agreements. The smallest theme but consistently the source of the most operational pain because it touches HR.

A.7 Physical controls (14 controls)

Physical security perimeters, entry, secure offices, equipment placement, clear desk, equipment disposal, cabling, maintenance, off-site asset use. For cloud-native Bangalore companies, most of A.7 is satisfied by inheriting the cloud provider’s controls plus your office-physical practice.

A.8 Technological controls (34 controls)

Access control, authentication, cryptography, secure configuration, capacity management, malware protection, vulnerability management, monitoring, network security, secure development, change management, incident management. The bulk of the technical implementation work.

For each control, the engagement produces (a) the policy document, (b) the procedure or runbook, (c) the operational evidence showing the control is operating, and (d) the entry in the Statement of Applicability that references all of the above. The CB’s Stage 2 auditor samples the evidence; the four-document chain is what they trace.

The fourteen-week roadmap to certification

Below is the standard engagement plan for a 50–250 headcount Bangalore SaaS or BFSI company seeking initial ISO 27001:2022 certification.

Weeks 0–1 · ISMS scope and gap analysis

Two-day workshop, scope statement drafting, gap matrix against ISO 27001 clauses 4–10 and Annex A’s 93 controls. Output: written gap report with severity, owner, and remediation date for each finding.

Weeks 2–5 · Documentation and policy development

Information Security Policy, ISMS Manual, 12 supporting policies (access control, cryptography, supplier security, secure development, incident response, business continuity, change management, asset management, data classification, acceptable use, mobile/remote working, privacy). Drafted by us, reviewed and adopted by your management.

Weeks 4–8 · Annex A control implementation

Technical control deployment for the 8–15 controls our gap analysis identified as missing. Common items: configuration baselines for AWS/Azure/GCP, secrets-management migration, log centralisation, MFA roll-out completion, vendor-onboarding workflow, secure-coding practice rollout, data-deletion procedures, web-filtering policy.

Week 9 · Risk assessment and Statement of Applicability

Formal asset inventory, threat-and-vulnerability identification, risk register, risk treatment plan, Statement of Applicability covering all 93 Annex A controls. The SoA is the document the CB scrutinises most heavily.

Week 10 · Internal audit

We run your first internal audit covering all clauses and a sample of Annex A controls. Output: internal audit report with findings, recommendations, and corrective-action plan. Mandatory under clause 9.2.

Week 11 · Management review

Half-day session with your senior management to review the ISMS, the internal audit findings, the risk register, and any non-conformities. Mandatory under clause 9.3. We chair, write the minutes, and embed them in your ISMS.

Weeks 12–13 · Stage 1 audit

Certification body conducts the documentation review, on-site or remote, typically 1–2 days. Findings closed in real-time with our support.

Week 14 · Stage 2 audit

Operational audit — 3–5 days for most Bangalore engagements. We attend with you, prepare control owners for interviews, and respond to auditor requests in real-time. Certificate issued by the CB on completion.

If you are doing ISO + SOC 2 jointly

The combined engagement extends by roughly 2 weeks (16 total) but produces both a Stage 2-passed ISO 27001 certificate and a Type II SOC 2 report from a single evidence-collection cycle. Combined pricing is ₹22,00,000 — about ₹8,50,000 cheaper than running them sequentially.

Risk assessment & Statement of Applicability

The risk assessment is the analytical backbone of your ISMS. ISO 27001 does not prescribe a methodology — you can use ISO 27005, NIST 800-30, FAIR, or your own — but you must document and consistently apply whatever you choose. Most Bangalore engagements use a simplified ISO 27005 approach: identify assets, identify threats and vulnerabilities, assess likelihood and impact on a 1–5 scale, calculate inherent risk, document treatments (mitigate, transfer, accept, avoid), assess residual risk, and re-evaluate annually.

The output is the Statement of Applicability (SoA) — a master document that lists every Annex A control, marks each as included or excluded, references the implementing policy/procedure, and (for excluded controls) provides a documented justification. The SoA is the document the CB reviews most carefully at Stage 1; getting it right is non-negotiable. Cloud-native Bangalore companies typically end up with a SoA that includes 80–88 of the 93 controls, with exclusions concentrated in physical security (where cloud inheritance covers most of the requirement).
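
The simplified ISO 27005-style scoring above (likelihood and impact on a 1–5 scale, inherent risk, treatment, residual risk) and the SoA rules that follow it (every Annex A control listed, included controls referencing a policy, excluded controls carrying a justification) can be expressed as a small consistency check. The script below is an added illustration, not the firm's own tooling or a certification body's checklist: the risk appetite threshold, the finding wording, the policy reference names and the sample register are all constructed assumptions, and the Annex A list is a handful of identifiers from this page rather than the full 93.

```python
"""Risk register scoring and Statement of Applicability consistency check.

Added illustration of the simplified ISO 27005-style process described on
this page. Sample data is constructed; the scale, appetite threshold and
finding wording are assumptions, not a certification body's requirements.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)          # likelihood and impact scored 1-5, as on the page
RISK_APPETITE = 6            # assumed: residual score above this needs a decision
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str
    controls: List[str] = field(default_factory=list)  # Annex A ids relied upon
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def inherent(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood/impact must be 1-5")
        return self.likelihood * self.impact

    def residual(self) -> int:
        if self.treatment == "avoid":
            return 0                        # activity stopped, no remaining exposure
        if self.treatment == "accept" or self.residual_likelihood is None:
            return self.inherent()          # untreated: residual equals inherent
        return self.residual_likelihood * self.residual_impact


@dataclass
class SoaEntry:
    control: str
    applicable: bool
    policy_ref: str = ""       # implementing policy/procedure for included controls
    justification: str = ""    # required when a control is excluded


def validate(annex_a: List[str], soa: List[SoaEntry], risks: List[Risk]) -> List[str]:
    """Return human-readable findings; an empty list means the SoA is consistent."""
    findings = []
    entries = {e.control: e for e in soa}
    for cid in annex_a:
        e = entries.get(cid)
        if e is None:
            findings.append(f"{cid}: no SoA entry (every Annex A control needs one)")
        elif e.applicable and not e.policy_ref:
            findings.append(f"{cid}: included but no implementing policy referenced")
        elif not e.applicable and not e.justification:
            findings.append(f"{cid}: excluded without documented justification")
    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.asset}: unknown treatment '{r.treatment}'")
        for cid in r.controls:
            e = entries.get(cid)
            if e is None or not e.applicable:
                findings.append(f"{r.asset}: treatment relies on {cid}, which is not in the SoA")
        if r.residual() > RISK_APPETITE and r.treatment != "accept":
            findings.append(f"{r.asset}: residual {r.residual()} above appetite {RISK_APPETITE}")
    return findings


# Constructed sample: a subset of Annex A ids taken from this page, not the full 93.
ANNEX_A_SAMPLE = ["A.5.7", "A.5.23", "A.7.4", "A.8.9", "A.8.10", "A.8.16"]

SAMPLE_SOA = [
    SoaEntry("A.5.7", True, policy_ref="POL-THREAT-01"),          # hypothetical refs
    SoaEntry("A.5.23", True, policy_ref="POL-CLOUD-01"),
    SoaEntry("A.7.4", False, justification="No owned premises; CCTV inherited from landlord"),
    SoaEntry("A.8.9", True, policy_ref="PROC-CONFIG-BASELINE"),
    SoaEntry("A.8.10", True),                    # defect: included, no policy referenced
]                                                # defect: A.8.16 has no entry at all

SAMPLE_RISKS = [
    Risk("prod database", "credential theft", "shared admin account", 4, 5, "mitigate",
         controls=["A.8.9"], residual_likelihood=1, residual_impact=5),
    Risk("S3 backup bucket", "misconfiguration", "no baseline review", 3, 4, "mitigate",
         controls=["A.8.16"], residual_likelihood=1, residual_impact=4),
    Risk("legacy reporting VM", "unpatched service", "end-of-life OS", 4, 3, "avoid"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.asset:20s} inherent={r.inherent():2d} residual={r.residual():2d} ({r.treatment})")
    for finding in validate(ANNEX_A_SAMPLE, SAMPLE_SOA, SAMPLE_RISKS):
        print("FINDING:", finding)
```

Run as written, the check reports three findings: A.8.10 is included without a policy reference, A.8.16 has no SoA entry, and the S3 bucket risk's treatment leans on that missing control. The third finding is the one a Stage 1 auditor tends to trace: a risk treatment plan that cites a control the SoA never declares is exactly the broken four-document chain described above.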

Choosing a certification body

The CB you choose affects your certificate’s recognition in the market, the quality of your audit, and your annual cost. We recommend choosing based on (a) accreditation under a recognised national accreditation body, (b) recognition in your buyer markets, (c) auditor availability in Bengaluru, and (d) cost.

The five we work with most often in Bangalore

  • BSI Group — UKAS-accredited, strong recognition in UK and EU markets. Auditor availability in Bengaluru is good. Audit fees ~₹2,80,000–₹3,50,000 for a 100-person company.
  • TÜV SÜD South Asia — DAkkS-accredited (Germany), strong in EU and German automotive supply chains. Bangalore-based auditors. ~₹2,40,000–₹3,00,000.
  • Bureau Veritas (BV) — French-accredited, strong in EU and ASEAN. Multi-site discount available if you are running ISO 9001 / 22301 jointly. ~₹2,20,000–₹2,80,000.
  • DNV — Norwegian-accredited, very strong in maritime, energy, and oil-and-gas verticals. ~₹2,60,000–₹3,20,000.
  • LRQA (Lloyd’s Register Quality Assurance) — UKAS-accredited, strong in finance and BFSI. ~₹2,80,000–₹3,40,000.

Avoid CBs that are not accredited under a recognised national body. The cost saving is rarely worth the recognition risk — an unaccredited certificate may not satisfy your buyer’s procurement team. Always verify accreditation on the IAF Mark website or your CB’s national accreditation body before signing.

ISO 27001 pricing in INR

Tier 1 · Implementation: ISO 27001 Implementation
₹5,50,000 + GST + CB fees
  • 14-week engagement to Stage 2 readiness
  • ISMS scoping + gap analysis
  • Documentation and policy development
  • Annex A control implementation
  • Internal audit + management review
  • Stage 1 / Stage 2 audit attendance

Tier 3 · Maintenance: Annual ISMS Maintenance
₹2,40,000 + GST per year
  • Annual internal audit
  • Management review preparation
  • Surveillance audit support
  • Risk register refresh
  • Policy updates for standard revisions

Certification body audit fees are paid directly to the CB and are not included in our pricing — typically ₹1,80,000–₹3,50,000 for the initial Stage 1 + Stage 2 audit and ₹70,000–₹1,40,000 for each annual surveillance. We negotiate the CB engagement on your behalf as part of the implementation work and can usually secure a 10–15% discount versus list price.

ISO 27001 vs SOC 2 — and doing both

The most common question we get from Bangalore CTOs is some variation of "ISO or SOC 2 — which one first?" The honest answer depends entirely on your buyer base. If your top ten buyers are mostly Indian banks, mostly EU enterprises, or a mix of both, do ISO first. If they are mostly US SaaS buyers, do SOC 2 first. If they are evenly mixed, do both jointly — the marginal cost of adding ISO to a SOC 2 engagement (or vice versa) is roughly half the standalone price, and the recognition coverage you get is global.

The mechanics of doing both jointly are detailed on our SOC 2 page. Briefly: we run a single discovery and scoping phase, a single evidence-collection cycle covering both audits’ control sets, a single internal audit (extended to cover both), and parallel CB and CPA fieldwork in the final fortnight. You receive both certifications, the report goes through one quality-control pass, and your team gives one set of management interviews.

If you are weighing ISO 27001 against any other framework, the answer is almost always to do ISO first. It is the foundational ISMS standard; everything else (SOC 2, HIPAA, PCI-DSS, DPDP, SEBI CSCRF) layers on top of an established ISMS more cheaply than building those frameworks from scratch.

To start an ISO 27001 engagement, the next step is a thirty-minute scoping call. You leave the call with a written ISMS scope draft, a fixed price in INR, and a kickoff date. Most engagements begin within ten business days of the call.

Frequently asked questions

For a Bangalore SaaS or BFSI company that already has documented security practices, our standard engagement is fourteen weeks from kickoff to Stage 2 audit completion — split into roughly six weeks of ISMS scoping and gap remediation, four weeks of Annex A control implementation, two weeks of internal audit and management review, and the certification body’s Stage 1 + Stage 2 audits run in parallel from week ten. For greenfield engagements where the team has never operated formal controls, expect 22–28 weeks. We publish the timeline in writing before kickoff and absorb our-side slippage at no extra cost.

The standard was revised on 25 October 2022. The biggest change is the Annex A control set, which was reorganised from 114 controls in 14 domains to 93 controls in 4 themes (Organisational, People, Physical, Technological) — and 11 entirely new controls were added covering threat intelligence, cloud security, ICT readiness for business continuity, secure development, data masking, and configuration management. The clause requirements (the management-system part, clauses 4–10) are largely unchanged. If you certified to ISO 27001:2013, you had until 31 October 2025 to transition — and as of 2026 that deadline has passed, so you are likely on the 2022 version already or scheduled for transition at your next surveillance audit.

Our engagements start at ₹5,50,000 for the consulting work and ₹1,80,000–₹3,50,000 for the certification body audit (paid separately to BSI, TÜV, BV, DNV, or LRQA depending on which CB you choose). Quotes vary widely — from ₹3 lakh to ₹25 lakh — because (a) some firms bundle the CB fee, others quote net, (b) Big-4 partners price the consulting in dollarised cost bases, and (c) some "ISO consultants" deliver only the documentation and skip the technical control work, which fails Stage 2. Always confirm what is in scope: documentation only, or documentation + technical control implementation + internal audit + Stage 1 / Stage 2 support.

No, and no firm except an accredited certification body can. Certification bodies (CBs) are organisations accredited by national accreditation bodies (UKAS in the UK, ANAB in the US, NABCB in India) to issue ISO certificates. We are an ISO 27001 consulting firm — we do the implementation, gap remediation, internal audit, and Stage 1/Stage 2 audit support, but we cannot issue the certificate. The CBs we most often work with on Bangalore engagements are BSI, TÜV SÜD, Bureau Veritas, DNV, and LRQA. We help you select the CB based on your buyer base — different CBs have stronger recognition in different markets.

It depends on your buyers. As a rule, European buyers prefer ISO 27001 because it is "their" standard (drafted by ISO/IEC, recognised under EU procurement rules), while US buyers prefer SOC 2 because it is what their procurement teams have been trained on. The smart move for Bangalore SaaS companies selling to both is to do both certifications jointly — the control overlap is roughly 80%, and we can run a single evidence-collection cycle covering both audits. Pricing is ₹22,00,000 combined vs ₹15,00,000 for Type II alone, so the marginal cost of adding ISO is about half the standalone price.

Yes — both are mandatory under clauses 9.2 and 9.3 of the standard, and both are on the Stage 1 audit checklist. We conduct your first internal audit before the certification body arrives, write the report, and prepare your management review minutes. After certification, you can either retain us as your annual internal auditor (₹1,80,000/year) or train an internal team member to take it over. For most Bangalore companies under 200 headcount, retaining us is cheaper than the fully-loaded cost of an internal hire.

Stage 1 is a documentation review by the certification body — typically 1–2 days, on-site or remote, where the CB’s lead auditor reviews your ISMS scope, policies, Statement of Applicability, internal audit reports, and risk treatment plan. The CB raises observations and (occasionally) minor non-conformities. Stage 2 is the operational audit — typically 3–5 days for a 100–500 person Bangalore company — where the auditor interviews control owners, samples evidence, and tests whether the ISMS is operating as designed. Major non-conformities at Stage 2 require remediation before certification can be issued. We attend both stages with you and have closed every Stage 2 we have supported in eleven years.

After Stage 2 certification, the CB conducts annual surveillance audits (typically 1–3 days) for two years, then a full recertification audit in year three. The certificate is valid for three years and the cycle repeats. Our maintenance retainer (₹2,40,000/year) covers internal audit, management review preparation, surveillance audit support, and remediation of any non-conformities. Most clients choose to keep us on retainer rather than rebuild internal capability.

Yes. Cloud-native organisations are now the majority of our ISO 27001 engagements. The standard does not require physical infrastructure — Annex A.7 (Physical controls) is largely satisfied by your cloud provider’s ISO 27001 certificate (which all major hyperscalers hold) plus your office-physical controls (badge access, visitor logs, lockable storage). We map your AWS / Azure / GCP shared-responsibility model into your ISMS scope and use the cloud provider’s SOC 2 / ISO 27001 reports as evidence for the inherited controls. ISO 27017 (cloud security) and ISO 27018 (cloud privacy) extensions can be added on top if your buyers ask for them.

A cleanly-scoped ISMS can absolutely achieve a certificate with zero major non-conformities and only a handful of observations. What is rarely achievable — and what some buyers naively ask for — is "no items on the Statement of Applicability marked as not-applicable." That is a misunderstanding of how ISO 27001 works. The Statement of Applicability is a deliberate document where you justify which Annex A controls apply to your scope; marking some as not-applicable is correct and required (e.g. an entirely cloud-native company correctly marks several physical controls as not-applicable to their scope). If a buyer demands zero non-applicable controls, we draft a one-page explanation for them; we have not yet seen one push back after reading it.

Ready to scope this engagement?

Book a thirty-minute scoping call.

Tell us your framework, your stack and the deadline. You leave the call with a written scope, a fixed price in INR, and a kick-off invite.