If you have spent any time selling B2B in the last decade — particularly to enterprise buyers in the US, UK, EU, or Singapore — you have almost certainly seen the question on a procurement form: Are you ISO 27001 certified? For many Indian companies, that single question has been the difference between closing a deal and watching it stall.
ISO 27001 is the world's most widely recognised certification for information security management. It is not the only one, and not always the right one — but in 2026, it is the closest thing the global market has to a default expectation for any organisation that touches customer data.
This post is a ground-up explainer: what ISO 27001 actually is, what it asks of an organisation, who genuinely benefits from pursuing it, and why the demand for certification has accelerated heading into 2026.
What ISO 27001 Actually Is
ISO 27001 is an international standard, jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its formal name is ISO/IEC 27001 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements.
The current version, published in October 2022, is called ISO/IEC 27001:2022. The previous version, ISO 27001:2013, became invalid on 31 October 2025 — meaning that in 2026, every active certification globally is to the 2022 standard. There is no "ISO 27001:2026"; the 2022 edition is what every certification body now audits against.
A single sentence captures the standard's purpose: ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Three things in that sentence matter.
First, it is a standard, not a law. No government forces compliance. Adoption is driven by markets, contracts, and tenders, not by regulators.
Second, it is about a management system, not a checklist of technical controls. ISO 27001 cares less about which firewall you use and more about whether you have a sustainable, documented, risk-based process for deciding what to protect and how.
Third, it requires continual improvement. Certification is not a one-time event. Organisations are audited annually and recertified every three years; the bar moves with your risk environment.
The Heart of the Standard: The ISMS
The Information Security Management System is the central concept in ISO 27001. Strip away the documentation, the audits, and the controls, and what the standard is really asking is this:
Does your organisation have a deliberate, documented, top-down approach to information security — one that is owned by leadership, driven by risk, and reviewed regularly?
An ISMS is the framework through which an organisation:
- Identifies what information assets it has
- Assesses the risks to those assets
- Decides which risks to accept, mitigate, transfer, or avoid
- Implements controls to address the risks it chose to mitigate
- Monitors whether those controls are working
- Improves the system based on what it learns
The ISMS is a living thing. It is meant to evolve as your business, your threat landscape, and your customer obligations change.
How the Standard Is Structured
ISO 27001:2022 is organised into two parts: the main clauses (Clauses 4 through 10) and Annex A (the control reference set).
The main clauses — what your management system must do
Clauses 4 through 10 specify the requirements for the ISMS itself. They cover:
- Clause 4 — Context of the organisation: Understanding your internal and external environment, your stakeholders, and the scope of your ISMS.
- Clause 5 — Leadership: Commitment from top management, the information security policy, and assignment of roles.
- Clause 6 — Planning: Risk assessment, risk treatment, security objectives, and (new in 2022) the planning of changes.
- Clause 7 — Support: Resources, competence, awareness, communication, and documented information.
- Clause 8 — Operation: Operational planning and control, risk assessment in practice, risk treatment in practice.
- Clause 9 — Performance evaluation: Monitoring, internal audits, and management review.
- Clause 10 — Improvement: Nonconformities, corrective actions, and continual improvement.
If you are new to management system standards, the structure may feel abstract. The simplest way to read it: Clauses 4–6 are about setting up the ISMS, Clauses 7–8 are about running it, and Clauses 9–10 are about checking and improving it. This is the classic Plan-Do-Check-Act cycle in ISO clothing.
Annex A — the control reference set
Annex A is the catalogue of information security controls organisations can choose from to treat the risks identified in their ISMS. The 2022 edition restructured Annex A significantly. Where ISO 27001:2013 had 114 controls organised into 14 categories, the 2022 edition has 93 controls organised into 4 themes:
| Theme | Controls | Examples |
|---|---|---|
| Organisational | 37 | Policies, roles, supplier management, threat intelligence, cloud security |
| People | 8 | Screening, training, disciplinary processes, remote working |
| Physical | 14 | Secure areas, equipment, physical security monitoring |
| Technological | 34 | Access control, cryptography, secure development, monitoring, web filtering, DLP |
Eleven of those 93 controls are entirely new in the 2022 edition, reflecting how the threat landscape has changed since 2013. The new controls cover threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
The controls are not mandatory to implement, but they are not optional to consider: you must evaluate every one of them. You record each decision in a required artefact called the Statement of Applicability (SoA), which states, for every Annex A control, whether you have implemented it and, if not, why it is excluded.
Who Actually Needs ISO 27001
ISO 27001 is voluntary, which makes "who needs it" a market question rather than a legal one. In practice, the strongest drivers are:
B2B SaaS companies selling to enterprise buyers. Most large enterprise procurement teams either require ISO 27001 outright or treat it as significantly streamlining the security review. For Indian SaaS companies selling globally, certification often shortens sales cycles by weeks.
IT services and BPO companies serving international clients. Indian IT services firms have historically been the largest population of ISO 27001-certified organisations in the country. Client contracts frequently mandate it, particularly for engagements involving customer data.
Companies pursuing global expansion. If you are expanding into the EU, UK, or Singapore, ISO 27001 is the most universally recognised credential you can attach to your security posture. It does not replace local laws (DPDPA, GDPR, PDPA), but it signals operational maturity in a way local compliance certificates often cannot.
Companies storing or processing customer data at scale. Once you cross a certain threshold of customer data — particularly if any of it is sensitive — the cost of not having ISO 27001 starts to show up in lost deals, longer security questionnaires, and expensive bespoke audits.
Companies preparing to raise capital. Increasingly, due diligence by institutional investors (particularly in growth and late-stage rounds) includes a security maturity assessment. ISO 27001 certification is a clean, defensible answer.
Government and BFSI suppliers. Many Indian government tenders and BFSI procurement processes either require ISO 27001 or weight it heavily in evaluation.
It is worth being honest about who does not need it. A pre-revenue startup with no customers, a five-person consultancy that does not handle client data, or a business whose customers are not asking for it — none of these should rush into ISO 27001. The certification has real cost, and pursuing it without a clear commercial driver is one of the more common ways to waste a year of management attention.
Why ISO 27001 Matters More in 2026
Several forces have converged to push ISO 27001 from "nice to have" to "expected" for a much wider set of Indian organisations:
The 2022 edition is now the only valid version. With the October 2025 transition deadline behind us, the global certified population is uniformly on the 2022 edition. This has two effects: clients now ask specifically about ISO 27001:2022 (not just ISO 27001), and any organisation that previously held a 2013 certificate but missed the transition must restart from a full Stage 1 and Stage 2 audit, not a transition audit.
DPDPA enforcement is approaching. India's Digital Personal Data Protection Act becomes fully enforceable in May 2027. Many of its requirements — reasonable security safeguards, data breach response, vendor management — map cleanly onto ISO 27001 controls. Companies pursuing ISO 27001 in 2026 are effectively building a foundation that supports DPDPA readiness as well.
Procurement is getting stricter. Large enterprise buyers increasingly bake security expectations directly into contracts, with SLAs around incident response, vulnerability remediation, and supplier oversight. ISO 27001 is the most common reference framework these contracts cite.
Auditors now focus on outcomes, not paperwork. The 2022 edition, combined with three years of post-pandemic enforcement experience, has shifted the audit experience. Auditors increasingly look at metrics — patching cadence, access review frequency, incident detection times — rather than whether a policy document exists. This raises the bar for organisations that pursued certification in a more paper-driven era.
The threat landscape has changed. The new controls in the 2022 edition — threat intelligence, cloud security, secure coding, data leakage prevention — exist because the risks they address have become mainstream concerns. Organisations that built ISMSs against the 2013 edition have had to genuinely upgrade their security operations, not just their documentation.
For Indian MSMEs in particular, the combination of DPDPA timelines, enterprise procurement pressure, and global expansion ambitions has made 2026 the year many organisations finally commit to certification.
Certified vs Aligned: A Common Confusion
A point worth clarifying, because it trips up many first-time buyers: there is a meaningful difference between being ISO 27001 certified and being ISO 27001 aligned.
Certified means an accredited third-party certification body has audited your ISMS, found it conformant with the standard, and issued a certificate. This is a verifiable, time-bound credential you can show customers and put on your website.
Aligned (sometimes called "compliant" or "conformant") means you have implemented the standard's requirements internally but have not been formally audited. This is sometimes a deliberate intermediate step on the way to certification, and sometimes a euphemism for "we have read the standard."
Customers know the difference. If a procurement form asks for ISO 27001 certification and you respond with "we are aligned with ISO 27001," expect follow-up questions. Both are legitimate positions, but they should not be conflated.
What It Costs and How Long It Takes
Costs and timelines vary enormously by organisation size, complexity, and starting maturity, but rough Indian-market benchmarks for a first-time certification look like this:
Timeline: 6 to 12 months from kickoff to certification, with 9 months being typical for a 50-to-200-person organisation. Faster is possible but usually means cutting corners that show up later.
Direct costs include:
- The official ISO standards documents (which must be purchased)
- Consulting or implementation support, if used
- A GRC or compliance platform, if used
- Stage 1 audit (documentation review)
- Stage 2 audit (implementation review)
- Annual surveillance audits in years 2 and 3
- Recertification audit in year 3
Indirect costs include:
- Internal time from a project lead, IT, security, HR, and leadership
- Tooling that may need to be purchased to satisfy specific controls (logging, monitoring, DLP, etc.)
- Training and awareness programmes
For a 50-person Indian SaaS company, total first-year costs typically land somewhere between ₹8 lakh and ₹25 lakh depending on consulting choices and existing tooling. The annual maintenance cost in years 2 and 3 is much lower — usually 30 to 40% of year-one cost.
How to Get Started
If you are seriously considering ISO 27001 certification, the order of operations matters. The most effective sequence is roughly:
- Confirm the commercial driver. Be specific about why you are doing this. "Customer X is asking for it by Q3" is a strong driver. "It seems like a good idea" is not.
- Define a sensible scope. Scope is the single most consequential decision in an ISO 27001 project. Most first-timers either scope too broadly (covering the entire company when only one product is relevant) or too narrowly (in ways that customers will not accept).
- Run a gap analysis. Compare your current state to the 93 Annex A controls and the requirements of Clauses 4–10. This produces your remediation roadmap.
- Build the ISMS. Risk assessment, Statement of Applicability, policies, procedures, controls, evidence collection.
- Operate it for a meaningful period. Auditors want to see the system running, not just built. Three to six months of operational evidence is usually the minimum.
- Conduct an internal audit. A required step before external audit, and a chance to fix issues you would otherwise be cited for.
- Hold a management review. Another required step; leadership must formally review the ISMS.
- Engage a certification body. Stage 1 audit (documentation), then Stage 2 audit (implementation). On a clean Stage 2, you receive your certificate.
The most common reason ISO 27001 projects fail or stall is treating the ISMS as a documentation exercise rather than a management system. Auditors in 2026 are very good at distinguishing between the two.
A Closing Note
ISO 27001 is not magic. It does not, by itself, make an organisation secure. A poorly implemented ISMS — paper-heavy, leadership-light, disconnected from how the business actually operates — is a particularly expensive way to learn this lesson.
What ISO 27001 does do, when implemented well, is force an organisation to be honest about what information it holds, what could go wrong, and what it is choosing to do about it. That honesty, sustained over years, is what produces durable security maturity. The certificate is the artefact; the management discipline is the substance.
For most Indian organisations selling globally or preparing for DPDPA enforcement, 2026 is the year the question is no longer whether to pursue ISO 27001 but when and how. The earlier you start the project, the more time you have to do it as a real management system rather than a sprint to a certificate.
If you are planning an ISO 27001 implementation in 2026 — or if you previously held a 2013 certificate and need to chart a path back to certification under the 2022 edition — the next step is a focused scope definition and gap analysis. Both are jobs that pay back the time invested several times over later in the project.
