Compliance is not security — but compliance done right builds the governance structures, documentation discipline, and control implementations that make security sustainable. The challenge for Indian enterprises is that they often face multiple simultaneous compliance obligations — DPDPA 2023 because they process personal data, RBI IT Framework because they are a regulated NBFC or bank, ISO 27001 because enterprise clients demand it, and PCI-DSS because they process card payments.
This guide provides a practical roadmap for each framework — and critically, a unified controls mapping that shows where the same technical control satisfies multiple frameworks simultaneously, reducing total compliance effort by 40–60%.
1 Framework Selection Guide
Before investing in any compliance program, confirm which frameworks actually apply to your organization. Pursuing unnecessary certifications wastes significant budget and staff time.
ISO 27001
Who needs it:
Organizations wanting a globally recognized information security certification, enterprise clients requiring it as a vendor qualification, IT service providers, cloud service providers, and any organization wanting a structured ISMS foundation. ISO 27001 is the most broadly applicable framework — most Indian enterprises pursuing compliance start here. Certification requires an accredited third-party audit. Annual surveillance audits + 3-year recertification cycle.
SOC 2 Type II
Who needs it:
SaaS companies, managed service providers, cloud service providers, and IT outsourcing firms whose US or European enterprise clients require it as a vendor qualification. SOC 2 is an AICPA framework — issued by US CPA firms. Indian companies increasingly need SOC 2 Type II for US market access. The 6–12 month observation period and CPA audit make it the most time-intensive compliance program.
DPDPA 2023
Who needs it:
Every organization that processes digital personal data of Indian citizens — which means virtually every Indian business with a website, mobile app, employee database, or customer records system. The Digital Personal Data Protection Act 2023 is India's primary data protection law, similar to GDPR. Rules under the Act are expected to be notified in 2025–2026. Penalties up to ₹250 crore per violation. Non-compliance is not optional for any Indian enterprise.
RBI IT Framework
Who needs it:
Banks, NBFCs, payment aggregators, prepaid instrument issuers, and other RBI-regulated entities. The RBI Master Directions on IT Governance (2023) mandate specific controls for information security, cybersecurity, IT infrastructure, BCP/DR, and vendor management. Non-compliance with RBI directives carries regulatory sanction risk including license suspension. Applies to all RBI-regulated entities regardless of size.
SEBI Circular
Who needs it:
Market intermediaries registered with SEBI — stockbrokers, depositories, asset management companies, portfolio managers, investment advisors, and stock exchanges. SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF 2024) categorizes intermediaries into tiers (Market Infrastructure Institutions, Qualified REs, Mid-size REs, Small REs) with differentiated requirements. Compliance deadlines vary by category.
PCI-DSS v4.0
Who needs it:
Any organization that stores, processes, or transmits payment card data — merchants accepting Visa/Mastercard/RuPay, payment gateways, payment processors, and card-issuing banks. PCI-DSS v4.0 became mandatory in March 2024 (replacing v3.2.1). Compliance level (SAQ vs full QSA audit) depends on annual card transaction volume. Non-compliance results in fines from card brands and potential loss of card processing ability.
Framework Selection Decision Matrix
| Organization Type | Required Frameworks | Recommended Start |
|---|
| IT Services / MSP | ISO 27001, SOC 2 (for US clients), DPDPA | ISO 27001 first — builds foundation for SOC 2 |
| SaaS Company | SOC 2 Type II, ISO 27001, DPDPA | SOC 2 if US-focused, ISO 27001 if India/EU-focused |
| NBFC / Fintech | RBI IT Framework, DPDPA, ISO 27001, PCI-DSS (if card processing) | RBI IT Framework (regulatory mandate — most urgent) |
| E-commerce | DPDPA, PCI-DSS, ISO 27001 | DPDPA + PCI-DSS simultaneously (both customer-data focused) |
| Stockbroker / AMC | SEBI CSCRF, DPDPA, ISO 27001 | SEBI CSCRF first (regulatory deadline-driven) |
| Hospital / Healthcare | DPDPA, ISO 27001, state health data regulations | DPDPA (health data is sensitive data — highest penalty tier) |
2 ISO 27001 Implementation
ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS). Certification demonstrates that your organization has a systematic, audited approach to managing information security risks — not just ad-hoc controls.
ISO 27001 Implementation Timeline
Month 1–2
Gap Assessment & Project Initiation
Conduct an ISO 27001 gap assessment against all 93 controls in Annex A (2022 version). Document current state vs required state for each control. Establish the ISMS project team — appoint an Information Security Manager (ISM). Define the ISMS scope — which parts of the organization, which systems, which locations are in scope. Draft and obtain management sign-off on the Information Security Policy (top-level policy document required by clause 5.2).
Month 3–4
Risk Assessment & Statement of Applicability
Conduct formal information security risk assessment — identify assets, threats, vulnerabilities, and calculate risk scores. Select risk treatment options (accept, mitigate, transfer, avoid) for each identified risk. Produce the Statement of Applicability (SoA) — mandatory document listing all 93 Annex A controls with justification for inclusion or exclusion. The SoA is the most scrutinized document in an ISO 27001 audit.
Month 5–8
Control Implementation
Implement all applicable controls from the risk treatment plan and SoA. Key technical controls: Access control policy (A.5.15), Asset management (A.5.9), Patch management (A.8.8), Malware protection (A.8.7), Network security (A.8.20), Cryptography (A.8.24), Backup (A.8.13), Logging and monitoring (A.8.15), Vulnerability management (A.8.8), Supplier security (A.5.19). Document every control implementation — evidence collection is critical for audit.
Month 9–10
Internal Audit & Management Review
Conduct a full internal audit against all ISMS requirements (ISO 27001 clauses 4–10 + Annex A controls). Document all non-conformities and observations. Conduct formal management review meeting — review ISMS performance, audit results, risk treatment status, and resource requirements. Close all major non-conformities before applying for certification audit.
Month 11–12
Certification Audit (Stage 1 + Stage 2)
Stage 1 (document review): Accredited certification body reviews your ISMS documentation — policies, risk assessment, SoA, internal audit reports. Typically 1–2 days on-site or remote. Stage 2 (implementation audit): Auditors verify that documented controls are actually implemented and operating effectively. Typically 2–5 days on-site depending on scope. Successful completion results in ISO 27001 certificate valid for 3 years.
ISO 27001 — Critical Policy Documents Required
- Information Security Policy: Top-level policy signed by CEO/MD — commitment to security, high-level objectives, accountability structure
- Asset Management Policy: How assets are inventoried, classified, labelled, and handled throughout their lifecycle
- Access Control Policy: Principles for granting, reviewing, and revoking access — least privilege, need-to-know, separation of duties
- Cryptography Policy: When and how encryption must be used — data at rest, data in transit, key management procedures
- Physical Security Policy: Controls for physical access to facilities, server rooms, and equipment — visitor management, clean desk, equipment disposal
- Incident Management Policy: How information security incidents are reported, classified, investigated, and resolved — links to your IR plan
- Business Continuity Policy: Commitment to BC/DR, BIA process, recovery objectives — links to your DR documentation
- Supplier Security Policy: Security requirements for third-party vendors, cloud providers, and contractors — due diligence, contractual clauses, ongoing monitoring
✅ Pro Tip: The most common reason Indian organizations fail their ISO 27001 Stage 2 audit is not insufficient controls — it is insufficient evidence of controls operating over time. Auditors look for logs, reports, meeting minutes, access review records, and patch reports that prove controls have been running consistently, not just set up the week before the audit. Start collecting and archiving evidence from the day you implement each control — 6+ months of evidence is the gold standard for a Stage 2 audit.
3 SOC 2 Type II Readiness
SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) — it evaluates whether a service organization's controls effectively protect customer data across five Trust Services Criteria (TSC).
Trust Services Criteria Overview
| Criterion | Covers | Always Required? |
|---|
| CC — Common Criteria (Security) | Logical/physical access, change management, risk assessment, incident response, system monitoring | Yes — mandatory for all SOC 2 reports |
| A — Availability | System uptime, performance monitoring, DR, incident management, capacity planning | Optional — include if SLA uptime is customer commitment |
| C — Confidentiality | Protection of confidential information — encryption, DLP, access controls, NDA enforcement | Optional — include if you handle trade secrets or confidential business data |
| PI — Processing Integrity | Complete, accurate, timely, authorized processing — relevant for payment processors, data processors | Optional — include if data processing accuracy is a service commitment |
| P — Privacy | Collection, use, retention, disclosure, disposal of personal information — aligns with DPDPA/GDPR | Optional — include if processing significant personal data |
SOC 2 Type I vs Type II
- SOC 2 Type I: Point-in-time assessment — controls are designed appropriately as of a specific date. Faster to obtain (3–6 months), less valuable to enterprise customers. Use Type I as an interim milestone while working toward Type II
- SOC 2 Type II: Covers a defined observation period (minimum 6 months, typically 12 months) — controls were designed appropriately AND operated effectively throughout the period. This is what enterprise customers actually require
SOC 2 Readiness — Key Technical Controls
CC6.1
Logical Access Controls: MFA enforced for all systems in scope, access provisioning/deprovisioning process documented and evidenced, quarterly access reviews conducted and documented, privileged access managed via PAM or PIM
CC6.2
Authentication: Password policy enforced (minimum 12 characters, complexity, no reuse), MFA required for all remote access, service accounts inventoried and reviewed, SSH key management documented
CC7.2
System Monitoring: Centralized logging enabled for all in-scope systems, log retention minimum 90 days (1 year preferred), security alerts monitored and responded to, anomalous activity detection configured
CC8.1
Change Management: All production changes go through a documented change management process — request, review, approval, test, deploy, post-deploy verification. Emergency change procedure documented. Change log maintained and auditable
CC9.2
Vendor Management: All third-party vendors assessed before onboarding, vendor SOC 2 / ISO 27001 certificates collected annually, contractual security requirements in all vendor agreements, critical vendor access reviewed quarterly
A1.2
Availability (if in scope): Uptime monitoring with alerting, incident response procedures for availability events, DR plan tested at least annually, system capacity monitored and capacity planning documented
✅ Pro Tip: Use a GRC (Governance, Risk & Compliance) platform — Vanta, Drata, Secureframe, or Sprinto (India-founded, excellent for Indian companies) — to automate SOC 2 evidence collection. These tools integrate directly with AWS, Azure, GitHub, Okta, Slack, and 100+ other tools to automatically collect control evidence daily. Organizations using GRC automation reduce audit preparation time by 60–70% and significantly reduce the risk of evidence gaps that cause audit findings. Sprinto in particular has strong support for Indian compliance frameworks including DPDPA.
4 India DPDPA 2023 Compliance
The Digital Personal Data Protection Act 2023 is India's comprehensive data protection law — enacted August 2023, with implementing Rules expected to be notified. It applies to processing of digital personal data of Indian citizens, both within India and outside India if the processing is in connection with offering goods or services to Indian data principals.
Key DPDPA 2023 Obligations
- Lawful basis for processing: Personal data can only be processed with valid consent or for legitimate uses defined in the Act (employment, legal obligation, etc.). Consent must be free, specific, informed, unconditional, and unambiguous — pre-ticked boxes and bundled consent are not valid
- Notice requirement: At the time of collecting personal data, provide a clear notice in English and any of the 22 scheduled languages — describing what data is collected, purpose, and how to exercise rights
- Data Principal rights: Right to access information about data processed, right to correction and erasure, right to grievance redressal, right to nominate (designate someone to exercise rights in case of death/incapacity). Must respond within prescribed timelines (rules pending)
- Data Fiduciary obligations: Implement appropriate technical and organizational measures (TOMs) to ensure security. Notify Data Protection Board and affected data principals in case of personal data breach within prescribed timeline
- Data retention limitation: Personal data must not be retained beyond the period necessary for the purpose. Implement automated data deletion policies — personal data of users who have not engaged must be deleted after a defined period
- Significant Data Fiduciaries (SDF): Organizations designated as SDFs by the central government face additional obligations — Data Protection Officer appointment, Data Protection Impact Assessment, algorithmic accountability. SDFs likely include large e-commerce, social media, and fintech platforms
DPDPA Technical Implementation Checklist
# DPDPA 2023 — Technical Controls Implementation
# ── 1. CONSENT MANAGEMENT ────────────────────────────────
□ Deploy Consent Management Platform (CMP) on website/app
□ Implement granular consent — separate consent for each purpose
□ Record consent with timestamp, IP, user ID, consent text version
□ Implement consent withdrawal — as easy as giving consent
□ Audit trail: every consent action logged and retrievable
Tools: OneTrust, Cookiebot, Usercentrics, or custom CMP
# ── 2. DATA MAPPING & INVENTORY ──────────────────────────
□ Create Data Processing Register (Article 30 equivalent)
For each data category:
- What personal data is collected
- Why it is collected (purpose)
- Where it is stored (system, location, cloud region)
- How long it is retained (retention period)
- Who has access (internal teams, third parties)
- Is it shared cross-border? (rules pending on transfers)
# ── 3. BREACH NOTIFICATION CAPABILITY ────────────────────
□ Define what constitutes a "personal data breach" internally
□ Establish breach detection monitoring (SIEM alerts for PII access)
□ Document breach assessment and classification procedure
□ Create breach notification templates (DPB notification + affected individuals)
□ Designate breach notification coordinator (likely Data Protection Officer)
□ Test breach response procedure — tabletop exercise annually
# ── 4. DATA SUBJECT RIGHTS FULFILMENT ────────────────────
□ Create Data Principal Rights request intake form (web + email)
□ Define internal workflow for access/correction/erasure requests
□ Implement technical capability for data export (structured format)
□ Implement technical capability for data erasure (including backups)
□ SLA: respond within prescribed timeline (rules to specify — likely 30 days)
□ Log all rights requests and outcomes
# ── 5. RETENTION & DELETION ──────────────────────────────
□ Define retention schedule for each data category
□ Implement automated deletion jobs for expired personal data
□ Ensure deletion cascades to backups (hard requirement — not just prod DB)
□ Test deletion — verify data is not recoverable post-deletion
□ Maintain deletion logs as evidence of compliance
# ── 6. PRIVACY NOTICES ───────────────────────────────────
□ Update website Privacy Policy — must reference DPDPA 2023
□ Update app onboarding consent screens
□ Employee data processing notice (HR systems, monitoring)
□ Vendor / partner data processing agreements (DPA clauses)
⚠️ Important — DPDPA Rules Status (March 2026): The DPDPA 2023 Rules have not yet been formally notified as of March 2026 — specific timelines for breach notification, Data Principal rights response windows, and cross-border transfer conditions are pending. However, the Act itself is enacted law and the core obligations (consent, security measures, breach notification obligation) are in force. Organizations should implement compliance now based on the Act's text and reasonable international practice, rather than waiting for Rules notification. Penalties of up to ₹250 crore per violation apply once Rules are in force.
5 RBI IT Framework Compliance
The Reserve Bank of India's Master Directions on Information Technology Governance, Risk, Controls and Assurance Practices (2023) apply to all RBI-regulated entities — banks, NBFCs with asset size above ₹500 crore, payment aggregators, and payment system operators. Non-compliance is a regulatory risk.
Key RBI IT Framework Domains
- IT Governance: IT Strategy Committee at board level, Chief Information Security Officer (CISO) appointment, IT Risk Framework, IT audit function independent from IT operations, Technology Risk Management Policy approved by board
- Information Security: Information Security Policy, quarterly vulnerability assessment, annual penetration testing by CERT-In empanelled auditors, SOC (Security Operations Centre) or equivalent monitoring, DDoS protection, application security testing (SAST/DAST) before production deployment
- Cyber Resilience: Cyber Crisis Management Plan (CCMP), participation in CERT-In incident reporting, cyber insurance, red team exercises for Category A & B entities, Cyber Security Operations Centre (C-SOC)
- IT Infrastructure: Data centre standards, hardware lifecycle management, network security architecture review, cloud adoption governance policy (mandatory if using cloud services), third-party cloud provider due diligence
- Business Continuity: DR site requirements (minimum Tier 3 data centre), RTO/RPO defined and tested, annual DR drill with results reported to board, BCP approved by board annually
- Vendor Risk Management: IT vendor due diligence framework, contractual security requirements, critical vendor monitoring, no single-vendor dependency for critical systems, exit strategy for all critical vendors
RBI Reporting Requirements
| Report | Frequency | Submitted To | Contents |
|---|
| Cyber Security Incident Report | Within 6 hours of detection | CERT-In + RBI CSITE | Incident description, systems affected, initial impact assessment |
| IT Risk & Cybersecurity Report | Quarterly | Board IT Strategy Committee | Risk posture, control effectiveness, incidents, vulnerability status |
| IS Audit Report | Annual | Board Audit Committee + RBI (on request) | Audit findings, control gaps, remediation status |
| Penetration Test Report | Annual (CERT-In empanelled) | Board + RBI (on request) | Vulnerabilities found, severity, remediation timeline |
| DR Drill Report | Annual | Board | RTO/RPO achieved vs targets, issues found, remediation |
6 PCI-DSS v4.0 Controls
PCI-DSS v4.0 (mandatory since March 2024) applies to any organization that stores, processes, or transmits Primary Account Numbers (PANs) — credit/debit card numbers. The 12 requirements of PCI-DSS map directly to technical security controls, most of which overlap with ISO 27001 and SOC 2.
PCI-DSS v4.0 — 12 Requirements Summary
| # | Requirement | Key Technical Controls |
|---|
| 1 | Network security controls | Firewall rules documented, CDE (Cardholder Data Environment) isolated, DMZ architecture, deny-all default policy |
| 2 | Secure configurations | No vendor defaults, CIS Benchmarks applied, unnecessary services disabled, configuration standards documented |
| 3 | Protect stored account data | PAN never stored unencrypted, tokenization preferred, key management policy, PAN masking in displays/logs |
| 4 | Protect data in transit | TLS 1.2+ for all PAN transmission, no unencrypted protocols (HTTP, FTP, Telnet) in CDE, certificate management |
| 5 | Malware protection | Anti-malware on all CDE systems, daily signature updates, periodic scans, anti-phishing controls |
| 6 | Secure systems & software | Vulnerability management program, critical patches within 1 month, application security (OWASP Top 10), WAF for web-facing apps |
| 7 | Restrict access by need-to-know | RBAC, access control policy, deny-all default for CDE access, access reviews quarterly |
| 8 | Identify users & authenticate | Unique user IDs, MFA for all CDE access, password complexity enforced, no shared accounts, session timeout 15 min |
| 9 | Physical access controls | Server room access restricted, visitor log, camera coverage, media disposal policy, POS terminal tamper monitoring |
| 10 | Log and monitor all access | Audit logs for all CDE access, 12-month log retention (3 months online), daily log review, time synchronization (NTP) |
| 11 | Test security regularly | Quarterly internal vulnerability scans, quarterly external scans by ASV, annual penetration test, network change detection (FIM) |
| 12 | Organizational security policy | Information security policy, annual security awareness training, incident response plan, risk assessment process, vendor management |
✅ Scope Reduction Strategy: The most powerful PCI-DSS cost optimization is scope reduction — minimizing the systems that touch cardholder data so fewer systems need PCI controls. The best approach: use a PCI-DSS compliant payment gateway (Razorpay, PayU, Stripe) with hosted payment pages or JavaScript tokenization — this means card numbers never touch your servers at all. If you never store, process, or transmit raw PANs, your PCI scope reduces to SAQ A (the simplest self-assessment questionnaire) — approximately 22 controls instead of 250+. This is the recommended approach for all Indian e-commerce and SaaS companies.
7 Unified Controls Mapping
The most efficient compliance approach is implementing controls once and mapping them to multiple frameworks simultaneously. The table below shows the highest-value controls that satisfy requirements across all five frameworks — implement these first for maximum compliance coverage with minimum effort.
High-Value Controls Satisfying Multiple Frameworks
| Technical Control | ISO 27001 | SOC 2 | DPDPA | PCI-DSS | RBI |
|---|
| MFA on all systems |
A.8.5 ✅ |
CC6.1 ✅ |
Security TOMs ✅ |
Req 8.4 ✅ |
IS Policy ✅ |
| Centralized logging + SIEM |
A.8.15 ✅ |
CC7.2 ✅ |
Breach detection ✅ |
Req 10 ✅ |
SOC ✅ |
| Vulnerability management + patching |
A.8.8 ✅ |
CC7.1 ✅ |
Indirect ✅ |
Req 6.3 ✅ |
VAPT ✅ |
| Access control policy + quarterly reviews |
A.5.15 ✅ |
CC6.2 ✅ |
Data access control ✅ |
Req 7 ✅ |
IAM policy ✅ |
| Encryption at rest + in transit |
A.8.24 ✅ |
CC6.7 ✅ |
Security TOMs ✅ |
Req 3+4 ✅ |
Data security ✅ |
| Incident response plan + testing |
A.5.24 ✅ |
CC7.4 ✅ |
Breach notification ✅ |
Req 12.10 ✅ |
CCMP ✅ |
| Backup + DR testing |
A.8.13 ✅ |
A1.2 ✅ |
Indirect ✅ |
Req 12.3 ✅ |
BCP ✅ |
| Security awareness training |
A.6.3 ✅ |
CC1.4 ✅ |
Staff training ✅ |
Req 12.6 ✅ |
Training ✅ |
| Vendor / third-party security |
A.5.19 ✅ |
CC9.2 ✅ |
Data processor terms ✅ |
Req 12.8 ✅ |
VRM ✅ |
8 Audit Preparation Checklist
The 6 weeks before any compliance audit are critical — auditors assess both control design and operating effectiveness, so evidence organization and pre-audit internal review significantly impact audit outcomes.
6-Week Pre-Audit Preparation Checklist
Week 6
Evidence Collection Sprint
Run an internal evidence audit — collect and organize all control evidence into a shared evidence repository. Organize by framework clause/control number. For each control: policy document + implementation screenshot/config export + operating evidence (logs, reports, meeting minutes). Flag any controls with missing or thin evidence immediately.
Week 5
Gap Remediation
For every gap identified in Week 6 — implement the missing control or gather missing evidence. Prioritize: (1) controls with zero evidence, (2) high-risk findings from last internal audit, (3) any new requirements in the framework version being audited. Do not attempt to retroactively fabricate evidence — auditors identify this and it is far worse than a legitimate finding.
Week 4
Internal Mock Audit
Conduct a full internal mock audit — have someone unfamiliar with day-to-day operations walk through the control evidence as an auditor would. Can they follow the evidence trail? Is everything clearly labelled and organized? Are policy documents current (no documents dated 3+ years ago without review)? Document all issues found and remediate before Week 2.
Week 3
Staff Briefing & Interview Preparation
Brief all staff who will be interviewed by auditors — IT team, operations leads, HR, management. Auditors will ask: "Walk me through how you handle a security incident." "What do you do when you receive a phishing email?" "How do you request access to a system?" Ensure answers are consistent with documented procedures — not because answers are scripted, but because staff actually follow the documented processes.
Week 2
Evidence Repository Final Review
Final check — all evidence files correctly named and organized, all policies have current review dates, all access review records include manager sign-off, all vulnerability scan reports show remediation status of findings. Prepare the auditor welcome pack: network diagram, system inventory, org chart, ISMS scope document, SoA (for ISO 27001).
Week 1
Logistics & Audit Kickoff Preparation
Confirm audit logistics — room booking, system access for remote audit tools, VPN access if needed. Designate a single point of contact (SPOC) for the audit team — all auditor requests routed through this person. Brief the SPOC: never guess answers, never provide more information than asked, always say "I'll confirm and get back to you" rather than speculating. Schedule the opening meeting, walkthrough sessions, and closing meeting.
Need Help with Compliance?
EnterWeb IT Firm provides compliance readiness assessments and implementation support for ISO 27001, SOC 2 Type II, DPDPA 2023, and RBI IT Framework — including gap assessments, policy documentation, technical control implementation, and audit preparation for Indian enterprises.