Skip to main contentChat with us

ISO 27001 · India Regulatory Map

Which Indian Regulators
Expect ISO 27001?

Six regimes, one table. SEBI mandates certification outright for market institutions; IRDAI turned a vendor's certificate into an audit waiver; RBI, CERT-In, and DPDP treat the ISMS as the evidence backbone without ever naming the standard. Each row links the full crosswalk.

The pattern worth noticing: Indian regulators are converging on ISO 27001 as the reference architecture — by mandate (SEBI), by incentive (IRDAI), or by resemblance (RBI, CERT-In, DPDP). One well-scoped ISMS serves all six rows.

6regimes mapped, each with a deep page
1outright certification mandate (SEBI)
2026reviewed against current instruments

Auditor-maintained regulatory map · Primary sources on every deep page · Last reviewed July 2026

The Map

Regulator by Regulator, Verdict by Verdict

RegimeWho it coversWhere ISO 27001 standsVerdict
SEBI — CSCRF (2024)Securities market: MIIs, Qualified REs, mid/small/self-certification REs (incl. brokers, AMCs, RTAs)MANDATES ISO 27001 certification for MIIs and Qualified REs (guideline PR.IP.S16); scope must include PDC/DR/NDR/SOC/colocation with third-party flow-down.Mandate
IRDAI — Info & Cyber Security Guidelines (2026)Insurers, Foreign Reinsurance Branches, intermediaries — and every vendor selling to themNo certification mandate for insurers — but vendors holding valid ISO 27001 covering the service scope can have periodic customer audits WAIVED. DPDP mandated; 6-hr reporting; 347-control CERT-In-empanelled audits.Waiver lever
RBI — CSF for Banks + Master Direction IT Governance (eff. Apr 2024)Banks, NBFCs (layered), payment-system participantsNo certification mandate; expectations (board-owned policy, SOC, VAPT, vendor risk, 2–6-hr reporting) map densely onto the ISMS — certification is the evidence backbone.Evidence
CERT-In — Directions under s.70B(6) (2022)Virtually every organization operating in IndiaNo certification anywhere in the directions; operational duties (6-hr reporting, 180-day in-country logs, NTP sync) map one-to-one onto Annex A controls.Operational overlay
MeitY — DPDP Act 2023 + RulesEvery Data Fiduciary processing Indian digital personal dataNo certification mandate; the ISMS is the strongest answer to Section 8(5) "reasonable security safeguards" (top penalty tier) — and covers none of the consent/rights/DPO duties.Half-coverage
UIDAI — Aadhaar ecosystem (AUAs/KUAs)Authentication and e-KYC user agenciesUIDAI's compliance regime for AUAs/KUAs includes ISO 27001 certification expectations alongside audits by empanelled auditors — verify the current circulars for your agency class before relying on this row.Sector mandate*

*Verify frequently-amended sector circulars against the regulator's current instruments. This map is planning guidance, not legal advice.

India Regulatory Map — Common Questions

Mandates, evidence, and the one-ISMS architecture.

Is ISO 27001 mandatory in India?

Not universally — there is no economy-wide law requiring it. It becomes mandatory (or decisive) sector by sector: SEBI's CSCRF requires certification for MIIs and Qualified REs; UIDAI's Aadhaar ecosystem expects it of AUAs/KUAs; IRDAI's 2026 guidelines make a vendor's certificate a waiver lever for customer audits; and RBI, CERT-In, and DPDP treat the ISMS as the evidence backbone without naming the standard. The table above is the current map.

Which single regulator matters most for us?

Follow your license and your customers. Securities-market entities start with SEBI CSCRF (the only outright certification mandate on the map); anyone selling to insurers starts with the IRDAI waiver; banks/NBFCs with RBI; everyone else's floor is CERT-In + DPDP, which apply regardless of sector. Most organizations answer to two or three rows at once — which is precisely why one ISMS with regulator-specific overlays beats parallel compliance programs.

Can one ISO 27001 certification serve all of these regulators?

Yes — if the scope is written for it. The certificate must cover the facilities and services each regulator cares about (CSCRF is explicit: PDC, DR, NDR, SOC, colocation; IRDAI's waiver turns on the service scope). One correctly scoped ISMS, one Statement of Applicability, with per-regulator mappings maintained as overlays — that is the architecture we implement, and each deep-dive page linked above carries the relevant crosswalk table.

How current is this map?

Reviewed July 2026, and maintained as regulators move — the most recent material changes being IRDAI's revised guidelines (April 2026) and SEBI's CSCRF FAQs (June 2025). Rows marked with an asterisk flag regimes where circular-level detail changes frequently; verify against the regulator's current instruments before relying on them for a compliance position.

Deep pages: SEBI CSCRF · IRDAI 2026 · RBI · CERT-In · DPDP — plus the ISO 27001 hub and costs in India.

Written By Expert Auditors

Surendra Pal Singh
Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISODPOCISAMCSEITILISO 27001 Lead AuditorISO 27701 Lead AuditorISO 42001 Lead Auditor
Saundhi Chauhan
Saundhi Chauhan
Lead Auditor
ISO 27001 Lead AuditorISO 27701 Lead Auditor
Last reviewed: July 2026Content verified by certified lead auditors

Get in touch

Book a free consultation or send us your requirements. We respond within 24 hours.

Quick Call

Pick a time slot

Send Requirements

Get a custom quote in 24 hours

We're Online

⚠️ Business inquiries only. Personal email addresses will be rejected.

24hr Response
Free Consultation
No Obligations