ISO 27001 — Information Security Management System
Enterprise clients — especially overseas — often will not sign a contract without ISO 27001. It proves your business has a systematic approach to protecting information. For IT, SaaS, BPO, and anyone handling client data, this is the certification that opens enterprise-level deals.
ISO/IEC 27001:2022
Current version
93
Annex A controls in 4 themes
NABCB
Accredits CBs in India
Your company is implementing ISO 27001 and you need to understand your role. ISO 27001 protects the confidentiality, integrity, and availability of information. Follow security policies, complete security awareness training, and report any security incident — however minor.
Mandatory
Annual security awareness training
Reported
Every security incident or anomaly
Followed
Acceptable use and access control policies
Quick reference. ISO/IEC 27001:2022. Annex A: 93 controls in 4 themes (Organisational 37, People 8, Physical 14, Technological 34). 11 new controls vs 2013. SoA mandatory. Transition from 2013 required by October 2025. NABCB for India. UKAS/DAkkS/ANAB for overseas clients.
2022
Current version
93
Controls (114 in 2013)
Oct 2025
2013 transition deadline
ISO/IEC 27001 is jointly published by ISO and IEC. The 2022 revision reorganised Annex A from 14 domains and 114 controls to 4 themes and 93 controls, adding 11 new controls addressing cloud security, threat intelligence, and data masking.
2005
First published
2022
Current version
11
New controls in 2022
Required by enterprise clients, especially overseas
Required for government IT contracts
Proves systematic protection, not just tools
What’s on this page
01 — What it is: Understanding ISO 27001
Proof that your business has a documented, audited system to protect information.
ISO 27001 is an international standard for an Information Security Management System (ISMS). It requires your organisation to identify information assets, assess how they are at risk, implement controls to protect them, and prove the system works through records and independent audits.
The critical distinction: an ISMS covers people, processes, and technology together. The certificate tells a client: "This organisation has a documented system ensuring security tools are used correctly, monitored continuously, and improved when gaps are found."
The current version is ISO/IEC 27001:2022 with 93 controls in 4 themes. Certificates under the 2013 version were required to transition to 2022 by October 2025.
ISO 27001 and India's DPDP Act 2023 are separate obligations. The DPDP Act is Indian law: organisations processing digital personal data of individuals in India must comply. ISO 27001 is a voluntary management system standard. Implementing ISO 27001 controls will help satisfy many DPDP technical safeguards, but a certificate does not automatically mean DPDP compliance. Both must be addressed independently.
👥 Illustrative case — details changed for confidentiality
The business
Software services company Bangalore · 85 employees, serving clients in UK and US
The trigger
A UK financial services client required ISO 27001 as a mandatory condition in their RFP.
The challenge
Building the Statement of Applicability took longer than expected because there was no central inventory of information assets. Access controls were inconsistent across teams and systems.
Where Clicarity came in
Project tracking was done in Clicarity with role-based access. Each project was split into modules, with team members assigned only to their modules. When the ISMS consultant asked for access control evidence, Clicarity's role-based model was documented as a concrete example of least privilege in practice.
The result
ISO 27001 achieved. RFP won.
Clicarity was one of the systems where access control was enforced by design — not just described in a policy. That distinction mattered to the auditor.
02 — Who needs it: Is it right for you?
Do you actually need it? Honest answer.
✓ You need it
IT services and software outsourcing companies
SaaS and product companies with enterprise or overseas clients
BPO and KPO businesses handling client data
Companies bidding on government IT contracts
Healthcare IT, fintech, and businesses handling sensitive data
∼ Worth considering
Businesses handling personal data of EU or UK citizens
E-commerce platforms handling payment or personal data
Cloud service providers
— Not immediately needed
Pure manufacturing with no significant client data handling
Small retail businesses with minimal digital data
03 — What it requires: What is checked
What an ISO 27001 auditor checks — documentation, systems, and people.
1
ISMS scope document
Written definition of which systems, locations, data types, and processes are inside your ISMS.
E.g. "ISMS scope covers all systems used in software development, client data processing, and infrastructure at our Bangalore office."
Most common gap: Scope written at implementation and never updated when new systems or locations were added.
2
Information asset register and risk assessment
Register of all significant information assets with a formal risk assessment.
E.g. Client database: threat = unauthorised access, vulnerability = shared credentials, likelihood = high, impact = high. Control: individual accounts with MFA, shared credentials retired.
3
Statement of Applicability (SoA)
Lists all 93 Annex A controls with: applicable or not, implemented or not, and justification for exclusions.
E.g. A.8.1 User endpoint devices: applicable, implemented via MDM. Each control assessed and documented.
Most common gap: SoA completed at implementation and never updated when scope or risk changed.
4
Information security policies
Written policies covering: acceptable use, access control, information classification, incident response, business continuity.
5
Risk treatment plan
Documents how each identified risk is addressed: accepted, transferred, avoided, or treated.
6
Security incident register
All security incidents recorded — including near-misses and minor events.
E.g. Phishing email nearly clicked. Logged as near-miss. Response: org-wide alert sent, domain blocked.
Most common gap: Only major breaches recorded. ISO 27001 expects near-misses and minor anomalies too.
7
Security awareness training records
All staff trained in the last 12 months. Attendance records kept.
E.g. Annual security awareness session. Attendance register signed.
8
Internal ISMS audit and management review
Annual internal audit and formal management review with documented outputs.
Most common gap: Audit done but report not kept, or management review had no recorded decisions.
What auditors really check
They ask for your Statement of Applicability first — it maps your entire ISMS. Then sample controls: "Show me access control logs for the last 3 months." "Show me the last security awareness training register." "Show me the last incident log entry and its corrective action."
Gap analysis checklist — tick what you already have
ISMS scope document written, approved, and kept current
Reflects current systems, locations, and data flows.
Information asset register completed
All significant assets documented.
Risk assessment documented with threats, vulnerabilities, likelihood, and impacts
Drives every control decision.
Statement of Applicability completed and kept current
All 93 controls assessed. Updated when scope or risk changes.
Core security policies written and approved
Acceptable use, access control, incident response at minimum.
Security awareness training for all staff in last 12 months
Attendance records maintained.
Security incident register including near-misses
All events logged with investigation and corrective action.
ISO 27001 is certified by NABCB-accredited certification bodies in India. Internationally recognised CBs are also widely used for businesses with overseas clients.
NABCB vs international accreditation: For domestic Indian clients and government contracts, NABCB-accredited CBs are standard. For UK or European clients, UKAS or DAkkS-accredited CBs may be preferred. Accreditation bodies that are IAF MLA signatories recognise each other's certificates, so the difference is usually client familiarity rather than validity. Ask your client before selecting a CB.
NABCB — Find accredited ISMS CBs
Verify CB accreditation for ISO 27001. Check ISMS scope.
Step 1
ISMS scope
Write a precise scope document: which systems, data, locations, and processes.
Step 2
Asset register & risk assessment
List significant information assets. Assess threats, vulnerabilities, and impacts.
Step 3
Statement of Applicability
Assess all 93 Annex A controls. Document applicability, implementation, exclusions.
Step 4
Implement controls & policies
Write and deploy security policies. Implement technical controls for significant risks.
Step 5
Internal audit
Audit the ISMS. Document findings and corrective actions.
Certification
CB Stage 1 & 2
Stage 1: readiness and documentation review. Stage 2: audit of the implemented ISMS, normally on-site, sampling records and controls against the SoA.
▶Where to begin: Use the checklist in Section 3 to assess your readiness before contacting any CB.
Timeline
Confirm with your CB
Varies significantly by ISMS scope size and complexity.
Certificate validity
3 years (confirm with CB)
Annual surveillance audits. Re-certification at Year 3.
2013 version
Transition by Oct 2025
Certificates under 2013 required transition to 2022.
Cost
Get 3 quotes
Depends on scope, user count, and locations.
The Statement of Applicability is the hardest document to maintain correctly. Written once and never updated is one of the most common ISO 27001 major nonconformances.
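The staleness problem above can be caught mechanically. The following Python script is an added example for this page (it is not code from the page's author or from Clicarity) that cross-checks a Statement of Applicability against the risk register: it flags an SoA that does not list all 93 Annex A controls, exclusions with no justification, applicable-but-unimplemented controls with no treatment entry, entries not reviewed within a year, and controls a risk relies on that are missing, excluded, or were last reviewed before the risk was reassessed. Control IDs and titles follow Annex A of ISO/IEC 27001:2022; the two CSV blocks are constructed samples, and the column names, one-year review window, and major/minor severities are this example's own assumptions.

```python
"""Cross-check a Statement of Applicability (SoA) against the risk register.

Example code added to this page; it is not part of the page, of Clicarity, or of
any ISMS product. The two CSV blocks are constructed sample records. Control IDs
and titles follow Annex A of ISO/IEC 27001:2022; the 93-control total is from
the standard. Column names, thresholds and severities are this example's own
assumptions, not anything the standard prescribes.
"""
import csv
from datetime import date
from io import StringIO

ANNEX_A_TOTAL = 93          # ISO/IEC 27001:2022 Annex A control count
REVIEW_WINDOW_DAYS = 365    # assumption: one surveillance cycle

# Constructed sample SoA (deliberately incomplete: only 5 of 93 rows).
SOA_CSV = """control,title,applicable,implemented,justification,last_reviewed
5.1,Policies for information security,yes,yes,,2024-03-01
7.4,Physical security monitoring,no,no,No physical premises in scope; fully remote team,2024-03-01
8.1,User endpoint devices,yes,yes,Enforced via MDM,2024-03-01
8.11,Data masking,no,no,,2023-01-15
8.16,Monitoring activities,yes,no,,2022-11-30
"""

# Constructed sample risk register; 'controls' names the Annex A controls treating each risk.
RISK_CSV = """risk_id,asset,threat,vulnerability,impact,treatment,controls,assessed
R-01,Client database,Unauthorised access,Shared credentials,high,treat,8.5;8.16,2024-02-20
R-02,Source repository,Data leak,Over-broad repository access,high,treat,8.3,2024-02-20
R-03,Office laptops,Theft,No disk encryption,medium,treat,8.1;8.24,2024-02-20
"""


def load(csv_text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(StringIO(csv_text)))


def is_yes(value):
    return value.strip().lower() == "yes"


def check_soa(soa_rows, risk_rows, today, review_window_days=REVIEW_WINDOW_DAYS):
    """Return (severity, message) findings for the gaps an auditor samples for."""
    findings = []
    soa = {row["control"]: row for row in soa_rows}

    # 1. Every Annex A control must be listed, applicable or not.
    if len(soa) != ANNEX_A_TOTAL:
        findings.append(("major", f"SoA lists {len(soa)} controls; Annex A has {ANNEX_A_TOTAL}"))

    for cid, row in soa.items():
        reviewed = date.fromisoformat(row["last_reviewed"])
        # 2. An excluded control needs a written justification.
        if not is_yes(row["applicable"]) and not row["justification"].strip():
            findings.append(("major", f"{cid}: excluded without justification"))
        # 3. Applicable but not implemented must be carried in the risk treatment plan.
        if is_yes(row["applicable"]) and not is_yes(row["implemented"]):
            findings.append(("minor", f"{cid}: applicable but not implemented; needs a risk treatment plan entry"))
        # 4. Stale entries: not reviewed within the review window.
        age = (today - reviewed).days
        if age > review_window_days:
            findings.append(("minor", f"{cid}: last reviewed {age} days ago"))

    # 5. Controls the risk register relies on must exist in the SoA, be applicable,
    #    and have been reviewed since the risk was last assessed.
    for risk in risk_rows:
        assessed = date.fromisoformat(risk["assessed"])
        for cid in filter(None, risk["controls"].split(";")):
            row = soa.get(cid)
            if row is None:
                findings.append(("major", f"{risk['risk_id']}: relies on {cid}, which is missing from the SoA"))
            elif not is_yes(row["applicable"]):
                findings.append(("major", f"{risk['risk_id']}: relies on {cid}, which the SoA marks not applicable"))
            elif assessed > date.fromisoformat(row["last_reviewed"]):
                findings.append(("minor", f"{cid}: risk {risk['risk_id']} reassessed after the SoA entry was last reviewed"))
    return findings


def run_sample(today=date(2024, 6, 1)):
    """Run the checks over the constructed sample records."""
    return check_soa(load(SOA_CSV), load(RISK_CSV), today)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

On the constructed sample the script reports five major findings (the incomplete SoA, control 8.11 excluded with no justification, and three controls the risk register relies on that the SoA never lists) and four minor ones, including the 8.16 entry that was last reviewed before risk R-01 was reassessed. That last check is the one that catches the "written once, never updated" pattern: a risk changed, and the SoA did not follow. Running it before each internal audit and management review keeps the two records in step.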
06 — Find certified companies: How to verify
How to find and verify certified organisations.
ISO 27001 is widely held across India's IT services, BPO, fintech, and healthcare IT sectors. ISO itself issues no certificates and keeps no register, so to confirm that a specific organisation is currently certified, search IAF CertSearch (iafcertsearch.org; coverage is not complete, as not every CB uploads its certificates) or request the certificate and verify the issuing CB's accreditation at nabcb.qci.org.in (or at the relevant overseas accreditation body). Read the scope statement on the certificate: it may cover only certain locations, services, or systems, and a certificate whose scope does not cover the service you are buying proves little about it.
1
Define your ISMS scope precisely — one page, this week
Write exactly which systems, data types, locations, and processes are in scope. Be specific. The scope determines the boundaries of everything that follows.
2
Build your information asset register and risk assessment
List every significant information asset. For each: threats, vulnerabilities, likelihood, and potential impact. This risk assessment drives every control decision.
3
Write your Statement of Applicability
Go through all 93 Annex A controls. For each: applicable? Implemented? Exclusion justification? This is the first document an auditor asks for.
Good records are the foundation. A process tracker builds them automatically.
Clicarity — Live Job Process Tracker & Bottleneck Identifier
Clicarity is a process tracker, not an information security tool. But its role-based access and activity records are exactly the kind of evidence ISO 27001 requires.
ISO 27001 requires access control evidence: proof that only authorised individuals accessed sensitive systems and data. Clicarity uses role-based access by design. Every action is timestamped and attributed to a named user. Each project or job module can be restricted to assigned team members. When a project splits into development modules, each module is accessible only to the team assigned to it: least privilege enforced by the system architecture, not by policy alone.
Role-based access ensures only authorised users can view or update specific jobs and data — the access control principle ISO 27001 Annex A requires in operational systems.
Every action is timestamped and attributed to a named user, creating the activity log that ISO 27001 auditors request when sampling access control evidence.
Project modules tracked as separate sub-jobs mean access can be restricted per module — developers on one module cannot see data from modules they are not assigned to.
Clicarity runs on Oracle and AWS EC2 infrastructure. In your ISMS, Clicarity and its hosting providers appear as suppliers (Annex A 5.19 to 5.23, supplier relationships and cloud services): their availability and infrastructure documentation supports your resilience and supplier-management evidence, but the risk assessment, access decisions, and the controls around the data you put in the system remain your responsibility.
📄 Job tracked in Clicarity
#PR-2094 — Client software project — 3 modules
Project created
✎Client name
▼Project type
▼Data classification
▼NDA confirmed
▼Access level assigned
→
Requirements & scoping
✎Requirements doc ref.
✎Data fields in scope
▼Assigned team
▼Client sign-off
→
Design & architecture
✎Design doc ref.
▼Security review done
▼Reviewer
▼Data flow mapped
▼ Job splits — each component tracked independently
#PR-2094-A
Module 1 — Auth & access
▼Developer
▼Code review done
▼Security checklist
#PR-2094-B
Module 2 — Core features
▼Developer
▼Code review done
▼Security checklist
#PR-2094-C
Module 3 — Reporting
▼Developer
▼Code review done
▼Security checklist
▲
Components rejoin as #PR-2094 — complete record of every branch, every data point, every sign-off preserved.
Security review & testing
▼Reviewer
▼Pen test done
#Vulnerabilities found
▼All resolved
▼Sign-off
→
UAT & client review
📅UAT date
✎Client rep
#Issues raised
▼All resolved
▼Client sign-off
→
Deployment & handover
📅Deploy date
▼Deployed by
▼Dev access revoked
▼Handover doc sent
Controls evidenced:
▰ Access role-restricted — only assigned team can view each module
▰ Security checklist completed at every development stage
▰ Dev access revocation confirmed at deployment
ⓘ Fields and stage names are fully customisable. This illustrates a typical IT services company / ISO 27001 setup.
Clicarity is a process tracking tool. It does not provide certification, consulting, or audit services.