How a Mumbai NBFC Got ISO 27001 Certified in 6 Months — and Won a ₹3 Crore Institutional Client

Anish Pandey · 2026-02-15 · 11 min read

CapiBridge Finance is a Mumbai-based NBFC with ₹120 crore in Assets Under Management, focused on MSME lending. In early 2025, they were in advanced discussions with a large public sector bank for a co-lending arrangement that would significantly expand their lending capacity. The bank's due diligence team raised one requirement that blocked the deal: ISO 27001:2022 certification or an equivalent evidence of information security management system (ISMS) maturity. CapiBridge had no formal ISMS, no security policies, and no certification. The bank gave them 9 months. CapiBridge engaged our team and got certified in 6. The co-lending deal — worth ₹3 crore in fee income over the first year — was signed the month after certification.

Why ISO 27001 Matters for Indian Financial Services

ISO 27001 is the international standard for Information Security Management Systems (ISMS). For Indian NBFCs, the relevance comes from multiple directions. RBI's Master Direction on IT Governance strongly encourages regulated entities to implement a formal ISMS aligned to ISO 27001. Institutional investors and co-lending partners increasingly require ISO 27001 or SOC 2 as a vendor due diligence requirement. Several large insurers and corporates require it from any technology-facing financial services partner. And for any NBFC considering a stock exchange listing, SEBI's Cyber Security and Cyber Resilience framework (for market infrastructure institutions) uses ISO 27001 as a reference framework. Getting certified is, in practical terms, table stakes for any NBFC that intends to work with institutional counterparties.

The GAP Assessment: Knowing Where You Start

our team began CapiBridge's ISO 27001 journey with a formal GAP assessment — a structured comparison of their current information security practices against the 93 controls in Annex A of ISO 27001:2022. The assessment covered physical security (server room access, clean desk policy), logical access controls (password policies, MFA deployment, user access reviews), data handling (data classification, encryption, retention policies), vendor management (security requirements in vendor contracts), incident management (whether there was a process for detecting and responding to security incidents), and business continuity (backup procedures, recovery testing). The GAP assessment took 4 days and produced a 47-page report. CapiBridge had 61 of 93 controls either not implemented or only partially implemented — a significant gap, but typical for a financial services company that has prioritised business growth over governance.

The 6-Month Roadmap: What Was Built

our team structured the ISMS implementation into three phases across 6 months. Phase 1 (months 1-2) addressed the foundational controls: information security policy, asset inventory, access control policy, and the formal risk assessment and risk treatment process (the core of any ISO 27001 ISMS). Phase 2 (months 3-4) implemented the operational controls: MFA on all critical systems (the lending platform, core banking system, and email), encryption of customer data at rest and in transit, a formal vendor security assessment process, and a business continuity plan with tested backup and recovery procedures. Phase 3 (month 5) was documentation and internal audit: all 93 controls documented, evidence of operation collected, and an internal audit conducted by certified ISMS auditors to identify any remaining gaps before the formal certification audit.

The Certification Audit: What to Expect

ISO 27001 certification is conducted by an accredited certification body — in India, the major bodies are Bureau Veritas, BSI, DNV, and TUV India. The audit has two stages. Stage 1 is a documentation review: the auditor reviews the ISMS documentation, the risk assessment, and the Statement of Applicability (which documents which of the 93 controls are applicable, implemented, or excluded and why). Stage 2 is the operational audit: the auditor visits the office, interviews staff, tests controls (requesting evidence that access reviews are actually conducted, that backups are actually being tested, that security incidents are actually being logged), and verifies that the ISMS is operating as documented. CapiBridge's Stage 2 audit found two minor non-conformities (gaps in the vendor assessment documentation for two sub-vendors) which were addressed within the 30-day correction window. The certification was issued 5 weeks after the Stage 2 audit.

Beyond the Certificate: What an ISMS Actually Does for the Business

The ISO 27001 certificate CapiBridge received is a PDF with an accreditation body's stamp. Its value in the institutional market is significant — it opened the co-lending deal. But the more durable benefit is the ISMS itself. CapiBridge now has a formal process for reviewing who has access to their lending platform (monthly user access review), a documented incident response procedure so that if their systems are attacked, the response is coordinated rather than improvised, and a risk register that is reviewed quarterly by senior management. These are not bureaucratic exercises — they are the practices that prevent the kind of data breach or operational disruption that would destroy an NBFC's relationship with the very institutional partners the certification was designed to attract.

ISO 27001 Implementation Costs for Indian Companies

The cost of an ISO 27001 implementation has three components. First, the implementation partner fee — The ISMS implementation fee for a company of CapiBridge's size (40 employees, one office, standard NBFC IT environment) was ₹6.8 lakh for the full 6-month engagement. This included the GAP assessment, policy development, technical control implementation, internal audit, and certification audit support. Second, the certification body fee — for a company of this size, the Bureau Veritas fee for Stage 1 and Stage 2 audit plus 3-year certification (with annual surveillance audits) was ₹3.2 lakh. Third, technology investments triggered by the GAP assessment — MFA deployment, encryption tools, and backup testing infrastructure — totalled ₹2.4 lakh. Total investment: ₹12.4 lakh. Against ₹3 crore in first-year fee income from the co-lending deal, the ROI is clear.

Conclusion

ISO 27001 certification used to be the domain of large IT companies and multinationals. In 2026, it is increasingly a requirement for Indian NBFCs, fintech companies, healthcare providers, and any company that handles sensitive customer data and wants to work with institutional counterparties. CapiBridge's 6-month journey is achievable for any company with a clear roadmap and an experienced implementation partner. The certification is not the end — it is the foundation of an ongoing security management process that makes the business demonstrably more trustworthy. If your company is in financial services and is being asked for security certifications by institutional clients, let us start with a GAP assessment.

Topics: ISO 27001, Compliance, NBFC, Information Security, ISMS, Mumbai, Financial Services