ISO 27001 · IRDAI 2026 Guidelines
ISO 27001 Under IRDAI's
2026 Cyber Guidelines
On 6 April 2026, IRDAI replaced its 2023 cybersecurity guidelines with a sharper rulebook: DPDP compliance mandated, six-hour incident reporting, 347-control audits by CERT-In-empanelled firms — and one provision every vendor to the insurance sector should read twice: a valid ISO 27001 certificate covering the service scope can waive periodic vendor audits.
Why this page exists: the revision is three months old and almost nobody has mapped it to the ISMS. This is the auditor's-chair version — what changed, what an ISO 27001 program already evidences, and what it doesn't.
Maps the IRDAI 2026 guidelines to ISO 27001:2022 · Auditor-led · Last reviewed July 2026
IRDAI's Information and Cyber Security Guidelines, 2026 apply to insurers, Foreign Reinsurance Branches, and intermediaries — and they make an ISO 27001-shaped program the practical backbone of compliance while adding obligations no ISMS generates on its own. For insurers, the work is mapping: the Annexure III audit — 347 controls scored by CERT-In-empanelled firms on NIST CSF function codes — consumes exactly the evidence a well-run ISMS produces. For vendors to the sector, the 2026 revision quietly changed the commercial math: a valid ISO 27001 certificate whose scope covers the services you provide can now spare you the annual customer-audit treadmill. Either way, the details live in the scope statements, the reporting clocks, and the DPDP overlay — which is what this page walks through, requirement by requirement.
What Changed
The 2026 Requirements, Mapped to the ISMS
| Requirement | What it says | ISO 27001:2022 home |
|---|---|---|
| DPDP compliance mandated | The guidelines fold India's DPDP Act obligations into insurers' security compliance. | Clause 4 context + A.5.31 (legal/regulatory requirements), A.5.34 (privacy & PII) — plus DPDP-specific duties outside the ISMS |
| 6-hour incident reporting | Cyber incidents reported to CERT-In within six hours of detection, with copies to IRDAI and relevant regulators. | A.5.24–A.5.26 (incident planning, assessment, response) + A.6.8 (event reporting) — with the clock-speed drilled into runbooks |
| CERT-In-empanelled audits, 347 controls | The Annexure III auditor's report scores compliance across 347 controls organized on NIST CSF function codes (Identify/Protect/Detect/Respond/Recover) plus IRDAI-specific categories. | The ISMS evidence base feeds most Annexure III lines; clause 9 (monitoring, internal audit) keeps it current between external audits |
| Regular VAPT by empanelled auditors | Periodic penetration testing performed by CERT-In-empanelled firms, with findings remediated. | A.8.8 (technical vulnerability management) + A.8.29 (security testing in development) |
| Third-party / vendor oversight | Structured vendor security assessment — with the ISO 27001 waiver described below. | A.5.19–A.5.23 (supplier relationships, ICT supply chain, cloud) |
Mapping is indicative and for planning. IRDAI compliance is assessed against the guidelines themselves via the Annexure III audit; consult the issued text for legal positions.
The Waiver, Done Right
Turning One Certificate Into Zero Customer Audits
- Vendors: write the certificate scope around the services insurers actually consume — service, locations, platforms. "Head office ISMS" scopes fail the waiver test.
- Vendors: keep a waiver pack ready — certificate copy, scope statement, SoA summary, surveillance-audit confirmation, and the self-certification letter the guidelines expect.
- Insurers: verify, don't collect — check the certificate against IAF CertSearch and the CB's accreditation, confirm the scope covers the outsourced service, and diarize expiry/surveillance dates.
- Both: the waiver covers periodic audits, not accountability — incident flows, SLAs, and DPDP processor duties still need contractual teeth.
IRDAI 2026 × ISO 27001 — Common Questions
The revision, the waiver, and the reporting clock — answered.
What are IRDAI's Information and Cyber Security Guidelines, 2026?
Issued on 6 April 2026, they are IRDAI's revised cybersecurity rulebook for the insurance sector, replacing the 2023 guidelines. They apply to insurers, Foreign Reinsurance Branches, and insurance intermediaries. Headline changes: DPDP Act compliance is mandated as part of security obligations, cyber incidents must be reported to CERT-In within six hours (copy to IRDAI), compliance is scored by CERT-In-empanelled auditors against the 347-control Annexure III report structured on NIST CSF functions, and vendor oversight is formalized — including an ISO 27001-based audit waiver.
What is the ISO 27001 vendor-audit waiver in the 2026 guidelines?
The provision insurers and their vendors should both know: if a vendor holds a valid ISO 27001 certification covering the scope of the services provided, the insurer may waive periodic vendor audits — subject to the vendor's self-certification and submission of valid certificate copies. For vendors selling into the insurance sector (TPAs, SaaS providers, BPOs, ITeS), a correctly scoped ISO 27001 certificate is now a direct substitute for repeated customer audits — provided the certificate's scope statement actually covers the services delivered.
Does ISO 27001 certification make an insurer compliant with the IRDAI guidelines?
No — and treating it that way is the classic mistake. The guidelines are assessed via the Annexure III audit by CERT-In-empanelled firms against IRDAI's own 347 controls, and they include obligations an ISMS does not generate by itself (DPDP duties, IRDAI reporting flows, sector-specific categories like Work From Remote Location and the IGDM Rules). What ISO 27001 does: it builds and evidences the security machinery most Annexure III lines score, so the audit becomes a mapping exercise instead of a scramble.
We are a vendor to insurers. How should our ISO 27001 scope be written?
So that the services you deliver to the insurer sit unambiguously inside the certificate's scope statement. The waiver turns on "covering the scope of the services provided" — a certificate scoped to your head-office ISMS while the insurer's workload runs from a different delivery center or cloud environment will not survive scrutiny. State the service, the locations, and the platforms; keep the scope statement current at surveillance audits; and be ready to share the certificate and Statement of Applicability on request.
How do the 6-hour reporting requirements interact with an ISMS?
The six-hour CERT-In clock (with copies to IRDAI) is faster than most incident-response procedures assume, and it also exists independently under CERT-In's 2022 directions. Inside the ISMS, that means A.5.24–A.5.26 procedures with detection-to-classification-to-notification timelines rehearsed against the clock, an on-call reporting owner, pre-drafted notification templates, and log retention that supports rapid triage (A.8.15). Auditors — IRDAI's and yours — increasingly ask for evidence of a drill, not just a procedure.
What should insurers and intermediaries do first?
Run a delta assessment of the 2026 guidelines against your current posture: map existing ISMS evidence to the Annexure III control lines, inventory vendors and collect/verify their ISO 27001 certificates against service scopes (activating the waiver where legitimate), rehearse the 6-hour reporting flow, and fold DPDP obligations into the compliance calendar ahead of enforcement. We run this as a combined ISO 27001 × IRDAI gap engagement — one assessment, both instruments.
Related reading: the ISO 27001 hub, ISO 27001 under SEBI's CSCRF, the DPDP Act hub, the certification process, and certification costs in India.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours