ISO 27001 is the international standard for information security management. It's also the thing enterprise clients demand before they'll sign a contract with you. We pursued it as a 15-person fintech and got certified without a six-figure consultant engagement.
What ISO 27001 Actually Requires
Annex A of the standard (2013 edition) lists 114 controls across 14 domains; the 2022 revision consolidates them into 93 controls under four themes. The majority of them are not technical: they are about processes, documentation, and evidence. Can you show that you have a process for managing access requests? Can you produce evidence that you actually ran that process in the last 6 months?
ISO 27001 is a compliance exercise, but done well, it forces you to actually fix the security debt you've been quietly ignoring.
Our Timeline
- Month 1-2: Gap assessment. We mapped our existing practices against the 114 controls. About 60% were already in place informally.
- Month 3-6: Documentation and formalisation. Writing policies, procedures, and work instructions nobody likes writing.
- Month 7-9: VAPT (Vulnerability Assessment and Penetration Testing). External firm tested our infrastructure and application layer.
- Month 10-11: Internal audit. Finding the gaps before the external auditors do.
- Month 12: Stage 1 (documentation and readiness review) and Stage 2 (audit of whether the controls are actually operating, with evidence) external audit. Certification received.
The Tools
We used a combination of Notion for policy documentation, Vanta for compliance monitoring and evidence collection, and our existing AWS Security Hub + GCP Security Command Center for technical controls. Total tooling cost: under ₹15L/year.
The process was harder than I expected. But every enterprise client conversation since has been significantly easier. It paid for itself in the first closed deal.