ISO 27001 · India Regulatory Map
Which Indian Regulators
Expect ISO 27001?
Six regimes, one table. SEBI mandates certification outright for market institutions; IRDAI turned a vendor's certificate into an audit waiver; RBI, CERT-In, and DPDP treat the ISMS as the evidence backbone without ever naming the standard. Each row links the full crosswalk.
The pattern worth noticing: Indian regulators are converging on ISO 27001 as the reference architecture — by mandate (SEBI), by incentive (IRDAI), or by resemblance (RBI, CERT-In, DPDP). One well-scoped ISMS serves all six rows.
Auditor-maintained regulatory map · Primary sources on every deep page · Last reviewed July 2026
The Map
Regulator by Regulator, Verdict by Verdict
| Regime | Who it covers | Where ISO 27001 stands | Verdict |
|---|---|---|---|
| SEBI — CSCRF (2024) | Securities market: MIIs, Qualified REs, mid/small/self-certification REs (incl. brokers, AMCs, RTAs) | MANDATES ISO 27001 certification for MIIs and Qualified REs (guideline PR.IP.S16); scope must include PDC/DR/NDR/SOC/colocation with third-party flow-down. | Mandate |
| IRDAI — Info & Cyber Security Guidelines (2026) | Insurers, Foreign Reinsurance Branches, intermediaries — and every vendor selling to them | No certification mandate for insurers — but vendors holding valid ISO 27001 covering the service scope can have periodic customer audits WAIVED. DPDP mandated; 6-hr reporting; 347-control CERT-In-empanelled audits. | Waiver lever |
| RBI — CSF for Banks + Master Direction IT Governance (eff. Apr 2024) | Banks, NBFCs (layered), payment-system participants | No certification mandate; expectations (board-owned policy, SOC, VAPT, vendor risk, 2–6-hr reporting) map densely onto the ISMS — certification is the evidence backbone. | Evidence |
| CERT-In — Directions under s.70B(6) (2022) | Virtually every organization operating in India | No certification anywhere in the directions; operational duties (6-hr reporting, 180-day in-country logs, NTP sync) map one-to-one onto Annex A controls. | Operational overlay |
| MeitY — DPDP Act 2023 + Rules | Every Data Fiduciary processing Indian digital personal data | No certification mandate; the ISMS is the strongest answer to Section 8(5) "reasonable security safeguards" (top penalty tier) — and covers none of the consent/rights/DPO duties. | Half-coverage |
| UIDAI — Aadhaar ecosystem (AUAs/KUAs) | Authentication and e-KYC user agencies | UIDAI's compliance regime for AUAs/KUAs includes ISO 27001 certification expectations alongside audits by empanelled auditors — verify the current circulars for your agency class before relying on this row. | Sector mandate* |
*Verify frequently-amended sector circulars against the regulator's current instruments. This map is planning guidance, not legal advice.
India Regulatory Map — Common Questions
Mandates, evidence, and the one-ISMS architecture.
Is ISO 27001 mandatory in India?
Not universally — there is no economy-wide law requiring it. It becomes mandatory (or decisive) sector by sector: SEBI's CSCRF requires certification for MIIs and Qualified REs; UIDAI's Aadhaar ecosystem expects it of AUAs/KUAs; IRDAI's 2026 guidelines make a vendor's certificate a waiver lever for customer audits; and RBI, CERT-In, and DPDP treat the ISMS as the evidence backbone without naming the standard. The table above is the current map.
Which single regulator matters most for us?
Follow your license and your customers. Securities-market entities start with SEBI CSCRF (the only outright certification mandate on the map); anyone selling to insurers starts with the IRDAI waiver; banks/NBFCs with RBI; everyone else's floor is CERT-In + DPDP, which apply regardless of sector. Most organizations answer to two or three rows at once — which is precisely why one ISMS with regulator-specific overlays beats parallel compliance programs.
Can one ISO 27001 certification serve all of these regulators?
Yes — if the scope is written for it. The certificate must cover the facilities and services each regulator cares about (CSCRF is explicit: PDC, DR, NDR, SOC, colocation; IRDAI's waiver turns on the service scope). One correctly scoped ISMS, one Statement of Applicability, with per-regulator mappings maintained as overlays — that is the architecture we implement, and each deep-dive page linked above carries the relevant crosswalk table.
How current is this map?
Reviewed July 2026, and maintained as regulators move — the most recent material changes being IRDAI's revised guidelines (April 2026) and SEBI's CSCRF FAQs (June 2025). Rows marked with an asterisk flag regimes where circular-level detail changes frequently; verify against the regulator's current instruments before relying on them for a compliance position.
Deep pages: SEBI CSCRF · IRDAI 2026 · RBI · CERT-In · DPDP — plus the ISO 27001 hub and costs in India.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours