ISO/IEC 27001:2022 was published in October 2022, and the IAF transition period for certificates issued against ISO/IEC 27001:2013 ended on October 31, 2025. From that date any certificate bearing the 2013 version is expired or withdrawn and cannot be relied on for procurement, compliance, or contractual purposes. The 2022 revision restructured Annex A from 114 controls in 14 domains to 93 controls in 4 themes (organisational, people, physical, technological), merging overlapping controls and adding 11 new ones covering threat intelligence, cloud services, data masking, physical security monitoring, and several technological areas. In Mangalore, IT companies, BPOs, fintech firms, and healthcare data processors require ISO 27001:2022 for enterprise banking contracts, EU GDPR supply chain compliance, and government data processing agreements.
A Mangalore software firm that held ISO 27001:2013 through October 31, 2025 now holds an expired certificate, regardless of whether it passed its last surveillance audit with no findings. The withdrawal is not based on audit performance; it is a mandatory standard lifecycle event set by the accreditation bodies. Any enterprise client contract, banking sector SLA, or government data processing agreement that references "ISO 27001 certification" should now be read as requiring ISO 27001:2022, since no valid certificate to the 2013 version can exist. Continuing to present a 2013 certificate is not a minor discrepancy; it can be treated as a breach of a contractual certification clause. Suntew Business Solutions coordinates new ISO 27001:2022 certifications and 2013-to-2022 transition audits for businesses in Mangalore, Udupi, and coastal Karnataka.
⚠ QUICK SELF-CHECK: Is Your ISO 27001 Certificate Still Valid? Check the Version Right Now
→ Does your certificate say ISO/IEC 27001:2013? It expired or was withdrawn on October 31, 2025. It is no longer valid for any procurement or contractual purpose.
→ Did your client recently query the version of your ISO 27001 certificate? This is the reason. Enterprise buyers, banks, and government agencies are systematically checking for 2022 version compliance.
→ Are you bidding for a new contract and unsure if your existing certificate satisfies the requirement? If the contract was issued after October 2025, assume ISO 27001:2022 is required.
→ Did you complete a surveillance audit under ISO 27001:2013 in early 2025 and assume your certificate was extended? Surveillance audits do not extend version validity — the 2013 standard was withdrawn regardless of audit status.
| Element | ISO 27001:2013 (Withdrawn) | ISO 27001:2022 (Current) |
|---|---|---|
| Status | Certificates expired or withdrawn on October 31, 2025 | Published October 2022; the only version against which certificates can be issued or held after October 31, 2025 |
| Control annex structure | 114 controls in 14 domains (Annex A) | 93 controls in 4 themes (Annex A) |
| New controls added | — | 11 new controls: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, 8.28 Secure coding |
| Statement of Applicability | References 114 controls | References 93 controls — SoA must be completely rewritten |
| Control attributes | None | Each control is tagged with five attributes (control type, information security properties, cybersecurity concepts, operational capabilities, security domains) to support filtering and mapping to other frameworks |
| Transition deadline | All transition audits completed by Oct 31, 2025 | Any remaining 2013 certifications are invalid |
Organisational controls (Annex A 5.1–5.37) cover policies, roles, responsibilities, threat intelligence, information security in project management, supplier relationships, incident management, business continuity, and legal compliance. For Mangalore IT companies the most material changes are the new Threat Intelligence control (5.7), which requires a structured process for collecting and acting on information about the threat landscape, and the supplier controls (5.19–5.22), which consolidate the 2013 supplier-relationship controls and now sit alongside the new control on cloud services (5.23). Together these require documented management of the security risks introduced by cloud providers, software vendors, and subcontractors.
People controls (Annex A 6.1–6.8) cover screening, terms of employment, information security awareness, training, disciplinary processes, remote working, and confidentiality agreements. Mangalore BPOs and software development firms with remote or hybrid workforces need explicit documented controls for remote working (6.7) and for user endpoint devices (8.1). In the 2013 standard this sat under A.6.2 Mobile devices and teleworking; it is now a standalone people control with its own evidence expectations.
Physical controls (Annex A 7.1–7.14) cover physical security perimeters, entry controls, offices and facilities, physical security monitoring (new), clear desk and clear screen policies, equipment security, and secure disposal. The new Physical Security Monitoring control (7.4) requires documented surveillance or monitoring of secure areas, for example CCTV, intrusion detection, or guard patrols with records, and is directly relevant to Mangalore data centres, server rooms, and BPO processing floors handling sensitive client data.
Technological controls (Annex A 8.1–8.34) cover user endpoint devices, privileged access, information access restriction, authentication, cryptography, network security, web filtering (new), secure coding (new), security testing, data masking (new), data leakage prevention (new), monitoring activities (new), log management, clock synchronisation, configuration management (new), information deletion (new), and vulnerability management. The seven new technological controls (8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, 8.28 Secure coding) require IT companies and data processors to show working technical implementations and their evidence, not only policy documents.
| Business Type | Why ISO 27001:2022 Is Required | Key Contracts / Regulations |
|---|---|---|
| Software development companies | Enterprise banking and fintech clients require it as vendor pre-qualification; EU clients require it for GDPR supply chain compliance | Banking sector SLAs, EU GDPR Article 28 processor requirements |
| BPOs and KPOs | Financial services and healthcare BPO clients audit for ISO 27001 compliance before and during contracts | BFSI sector vendor requirements, IRDAI cybersecurity guidelines |
| Fintech companies | RBI Master Direction on IT Governance references ISO 27001 as an accepted framework for information security management | RBI IT Governance Framework, CERT-In compliance |
| Healthcare data processors | Digital health companies processing patient data need documented ISMS — ISO 27001 is the accepted standard | DPDP Act 2023, ABDM health data privacy requirements |
| Cloud service providers | Mangalore-region cloud infrastructure providers need ISO 27001 for enterprise client acquisition | Enterprise SLAs, government cloud procurement requirements |
| Government IT contractors | Karnataka e-Governance projects increasingly require ISO 27001 from IT service vendors | Karnataka IT procurement guidelines, MeitY empanelment criteria |
ISO 27001 begins with defining the Information Security Management System (ISMS) scope — which assets, locations, processes, and third parties are included. Scope decisions directly impact the number of controls required, the size of the Stage 2 audit, and the CB’s fee. For a Mangalore software company with a development team, a client portal, and cloud infrastructure, the scope definition determines whether the CB audits 2 locations or 4, and 50 controls or 80. Suntew conducts the scope workshop with technical and management leadership as the first engagement step.
A complete inventory of information assets — hardware, software, people, data, processes, suppliers — is built and assessed for risk. ISO 27001:2022 requires a structured risk assessment methodology (not a specific one — but documented, consistent, and repeatable). Risks are evaluated and either mitigated (control applied), accepted, transferred (insurance), or avoided (activity stopped). The risk assessment drives which of the 93 controls are applicable and how they are implemented.
The SoA is the most critical ISO 27001 document. It lists all 93 controls from Annex A, states whether each is applicable or excluded, provides a justification for exclusions, and references where each applicable control is implemented. For organisations transitioning from ISO 27001:2013, the SoA must be completely rewritten — the 2013 SoA referencing 114 controls is not transferable. Suntew prepares the SoA with technical input from the client’s IT and security team, typically over 3–5 working sessions.
Applicable controls are implemented through policy documents, technical configurations, process changes, or training, as appropriate. The 11 new controls in ISO 27001:2022 require specific implementations, for example: threat intelligence (a structured process for collecting and acting on relevant threat information), web filtering (a deployed and configured filtering system), secure coding (a documented SDLC with code review and secure-coding checks), and data masking (technical controls that mask or pseudonymise production data in development and test environments). Suntew coordinates these technical requirements with the client's IT team and documents each control's implementation evidence.
A full ISMS internal audit covers all 93 controls and all ISMS processes — including the risk assessment, SoA, treatment plan, incident management, business continuity, and supplier security management. Management Review covers: internal audit results, information security performance metrics, risk landscape changes, and resource requirements. Both are mandatory documented records that the external CB auditor will review in Stage 1.
The CB’s Stage 1 audit reviews documentation — ISMS scope, information security policy, risk assessment, SoA, and key records. Stage 2 is the on-site conformity assessment covering all controls in scope. For most Mangalore IT companies (30–100 employees), Stage 2 takes 2–3 audit days. Suntew is present throughout — managing the evidence trail and coordinating technical demonstrations (where the auditor tests controls against live systems). Certificate issued within 2–4 weeks of Stage 2 close.
📋 FIELD OBSERVATION — Software Development Firm, Mangalore — 2013 to 2022 Transition
A Mangalore-based software development firm with 22 employees held an ISO 27001:2013 certificate that expired October 31, 2025. A Mumbai-based banking client flagged the expired version and placed the contract renewal on hold. Suntew initiated a transition engagement: gap analysis between 2013 and 2022 control sets (11 new controls to be addressed), complete SoA rewrite, technical implementation of web filtering and data masking controls, and documentation of the secure coding process already in partial use. Total transition time from engagement to transition certification audit: 67 days. The banking contract was renewed within 3 weeks of the new 2022 certificate being issued. [Client name withheld — sector and timeline verified from Suntew engagement records, 2025–2026.]
Certification body fees are paid directly to the accredited CB — not to Suntew. Transition audit costs for existing ISO 27001:2013 holders are significantly lower than full recertification.
| Cost Component | Small IT (5–25 staff) | Mid IT (26–100 staff) | Large / Multi-site (100+ staff) |
|---|---|---|---|
| Suntew Consulting Fee | ₹25,000 – ₹40,000 | ₹40,000 – ₹55,000 | ₹55,000 – ₹65,000 |
| NABCB Cert Body Fee (paid to CB directly) | ₹30,000 – ₹55,000 | ₹55,000 – ₹80,000 | ₹80,000 – ₹1,00,000 |
| Annual Surveillance | ₹14,000 – ₹22,000/yr | ₹22,000 – ₹35,000/yr | ₹35,000 – ₹45,000/yr |
| 2013→2022 Transition Consulting | ₹18,000 – ₹28,000 | ₹28,000 – ₹40,000 | ₹40,000 – ₹55,000 |
| Transition CB Audit Fee | ₹20,000 – ₹35,000 | ₹35,000 – ₹55,000 | ₹55,000 – ₹80,000 |
Every month a Mangalore IT company operates with an expired ISO 27001:2013 certificate is a month where any client performing a supplier compliance review can trigger a contract hold. The transition from 2013 to 2022 is a defined, scoped engagement — not a full recertification from scratch. For most Mangalore IT companies, the transition takes 60–75 days and costs significantly less than full recertification. The risk of a contract suspension during those 60–75 days is a business decision. The risk of continuing on an expired certificate indefinitely is not.