ISO/IEC 27001:2022 Certification Process in Nepal

ISO/IEC 27001:2022 Certification process in Nepal is rapidly becoming a standard requirement for organizations that handle sensitive information, digital assets, and data-driven operations. As Nepal’s digital economy expands under the framework of the Digital Nepal Framework and the Electronic Transactions Act, 2063 (2008), businesses, financial institutions, government bodies, and IT companies are actively seeking ISO/IEC 27001:2022 certification to demonstrate their commitment to Information Security Management Systems (ISMS). This article explains the complete ISO/IEC 27001:2022 certification process in Nepal in a straightforward and factual manner.

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is an internationally recognized standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within an organization.

The 2022 version replaced the previous ISO/IEC 27001:2013 standard. The updated version was officially published on October 25, 2022. It aligns with the ISO/IEC 27002:2022 controls and introduces a restructured control set reducing the number of controls from 114 to 93 controls grouped under 4 themes:

  • Organizational Controls (37 controls)
  • People Controls (8 controls)
  • Physical Controls (14 controls)
  • Technological Controls (34 controls)

ISO/IEC 27001:2022 also introduces 11 new controls that address modern threats such as cloud security, data masking, threat intelligence, and ICT readiness for business continuity.

Why Does ISO/IEC 27001:2022 Certification Matter in Nepal?

Nepal’s legal and regulatory landscape is increasingly pushing organizations toward formalized information security practices. The following laws and regulations make ISO/IEC 27001:2022 highly relevant in Nepal:

  • Electronic Transactions Act, 2063 (2008) — Governs electronic records, digital signatures, and cybercrimes in Nepal.
  • Nepal Rastra Bank’s IT Security Guidelines — Requires banks and financial institutions (BFIs) to maintain robust information security frameworks.
  • Privacy Act, 2018 (Nijata Act) — Places obligations on organizations to protect personal data.
  • Cybercrime laws under the Individual Privacy Act, 2018 — Penalizes unauthorized access and data breaches.

ISO/IEC 27001:2022 certification helps organizations in Nepal comply with these legal requirements, build client trust, and secure business in international markets.

Who Should Get ISO/IEC 27001:2022 Certified in Nepal?

ISO/IEC 27001:2022 certification in Nepal is applicable to any organization regardless of size or industry. However, the following sectors particularly benefit from this certification:

  • Banks and Financial Institutions (BFIs) regulated by Nepal Rastra Bank
  • IT and Software Companies operating in Nepal or exporting services
  • Telecommunications Companies such as Nepal Telecom and Ncell
  • Government Bodies and Public Sector Organizations
  • Healthcare Institutions managing patient records electronically
  • E-commerce and Fintech Companies
  • Insurance Companies regulated by the Beema Pradhikaran (Insurance Board of Nepal)
  • Educational Institutions handling digital student data
  • Outsourcing and BPO Companies serving international clients

Key Differences: ISO/IEC 27001:2013 vs ISO/IEC 27001:2022

Feature                  | ISO/IEC 27001:2013      | ISO/IEC 27001:2022
Publication Date         | September 2013          | October 2022
Number of Controls       | 114 controls            | 93 controls
Control Categories       | 14 domains              | 4 themes
New Controls             | None                    | 11 new controls added
Cloud Security Controls  | Not explicitly covered  | Explicitly covered
Transition Deadline      | N/A                     | October 31, 2025
Structure                | Annex A with 14 clauses | Annex A restructured
Threat Intelligence      | Not included            | Included as new control

Organizations certified under ISO/IEC 27001:2013 in Nepal must transition to ISO/IEC 27001:2022 by October 31, 2025, as confirmed by the International Accreditation Forum (IAF).

Step-by-Step ISO/IEC 27001:2022 Certification Process in Nepal

The ISO/IEC 27001:2022 certification process in Nepal follows a structured sequence of steps. Organizations must work with an accredited certification body to obtain valid certification.

Step 1: Gap Analysis

The first step in the ISO/IEC 27001:2022 certification process in Nepal is conducting a gap analysis. This involves comparing the organization’s existing information security practices against the requirements of ISO/IEC 27001:2022.

  • Identify current ISMS status
  • Identify gaps between current practices and ISO 27001:2022 requirements
  • Document areas requiring improvement
  • Estimate resources needed for compliance

Step 2: Define the Scope of ISMS

The organization must clearly define the scope of the Information Security Management System. This scope identifies which parts of the organization, which processes, which assets, and which locations fall under the ISMS.

  • Define organizational boundaries
  • Identify all information assets within scope
  • Document internal and external issues (Clause 4 of ISO 27001:2022)
  • Identify interested parties and their requirements

Step 3: Conduct Risk Assessment and Risk Treatment

ISO/IEC 27001:2022 (Clause 6.1.2) requires organizations to conduct a formal information security risk assessment. This is a mandatory requirement for certification.

  • Identify information security risks
  • Analyze and evaluate the risks using a defined risk methodology
  • Determine risk owners
  • Apply risk treatment options (accept, mitigate, transfer, or avoid)
  • Produce a Risk Treatment Plan (RTP)
  • Produce a Statement of Applicability (SoA)
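The following is an added worked example, not code from the article or from any certification body, showing how the Clause 6.1.2 outputs listed above fit together: a risk register scored with a defined likelihood x impact methodology, a check that each treatment decision is consistent with the acceptance criterion, a Risk Treatment Plan derived from the register, and a Statement of Applicability derived from the controls the plan selects. The acceptance threshold, the sample risks and the fintech scope are constructed assumptions, and the control catalogue is a small subset of Annex A, not the full 93 controls that a real SoA must list.

```python
"""Added worked example: risk register -> RTP and SoA (not part of the article)."""
from dataclasses import dataclass

# Constructed subset of ISO/IEC 27001:2022 Annex A; a real SoA lists all 93.
ANNEX_A = {
    "A.5.7":  "Threat intelligence",
    "A.5.23": "Information security for use of cloud services",
    "A.5.30": "ICT readiness for business continuity",
    "A.8.8":  "Management of technical vulnerabilities",
    "A.8.11": "Data masking",
    "A.8.16": "Monitoring activities",
}

TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}  # the four options in the text
ACCEPT_THRESHOLD = 8  # assumed acceptance criterion: score below this may be accepted


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    owner: str                 # risk owner (Clause 6.1.2 requires one per risk)
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatment: str
    controls: tuple = ()       # Annex A controls chosen to modify the risk

    @property
    def score(self) -> int:
        """Defined methodology: risk level = likelihood x impact."""
        return self.likelihood * self.impact


def validate(risk: Risk, threshold: int = ACCEPT_THRESHOLD) -> list:
    """Return methodology violations for one risk (empty list = consistent)."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append(f"{risk.risk_id}: likelihood/impact outside the 1-5 scale")
    if risk.treatment not in TREATMENTS:
        problems.append(f"{risk.risk_id}: unknown treatment '{risk.treatment}'")
    if risk.treatment == "accept" and risk.score >= threshold:
        problems.append(f"{risk.risk_id}: score {risk.score} exceeds acceptance criterion")
    if risk.treatment == "mitigate" and not risk.controls:
        problems.append(f"{risk.risk_id}: mitigate chosen but no controls selected")
    for cid in risk.controls:
        if cid not in ANNEX_A:
            problems.append(f"{risk.risk_id}: unknown control {cid}")
    return problems


def risk_treatment_plan(risks) -> list:
    """RTP rows ordered by descending score; accepted risks need no action."""
    rows = []
    for r in sorted(risks, key=lambda x: x.score, reverse=True):
        if r.treatment != "accept":
            rows.append((r.risk_id, r.score, r.treatment, r.owner, r.controls))
    return rows


def statement_of_applicability(risks) -> dict:
    """Map every catalogue control to (applicable, justification)."""
    selected = {}
    for r in risks:
        for cid in r.controls:
            selected.setdefault(cid, []).append(r.risk_id)
    soa = {}
    for cid, name in ANNEX_A.items():
        if cid in selected:
            soa[cid] = (True, f"{name}: treats {', '.join(sorted(selected[cid]))}")
        else:
            soa[cid] = (False, f"{name}: no in-scope risk requires this control")
    return soa


# Constructed sample register for a hypothetical Nepali fintech ISMS scope.
SAMPLE_RISKS = [
    Risk("R-01", "Payment API servers", "Exploitation of unpatched software",
         "Head of IT", 4, 5, "mitigate", ("A.8.8", "A.8.16")),
    Risk("R-02", "Customer data in SaaS CRM", "Misconfigured cloud tenant",
         "CISO", 3, 4, "mitigate", ("A.5.23",)),
    Risk("R-03", "Test environment", "Production data exposed to developers",
         "Dev Lead", 3, 3, "mitigate", ("A.8.11",)),
    Risk("R-04", "Branch printers", "Printed statements left in output tray",
         "Admin", 2, 2, "accept"),
    Risk("R-05", "Data centre power", "Prolonged outage",
         "COO", 2, 4, "transfer", ("A.5.30",)),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        for p in validate(r):
            print("METHODOLOGY ISSUE:", p)
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print("RTP", row)
    for cid, (applicable, why) in statement_of_applicability(SAMPLE_RISKS).items():
        print("SoA", cid, "applicable" if applicable else "excluded", "-", why)
```

The validation step is the part auditors look for in practice: a risk marked "accept" whose score sits above the organisation's own acceptance criterion, or a "mitigate" decision with no control behind it, is a non-conformity against the methodology the organisation itself documented. Excluded controls still appear in the SoA with a justification, because Stage 1 reviewers check that every Annex A control has been considered, not only the selected ones.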

Step 4: Develop and Implement ISMS Policies and Controls

Based on the risk treatment plan, the organization must develop and implement the necessary ISMS policies, procedures, and controls from Annex A of ISO/IEC 27001:2022.

  • Draft Information Security Policy
  • Develop supporting policies (Access Control, Acceptable Use, Incident Response, etc.)
  • Implement technical and organizational controls
  • Train employees on ISMS requirements
  • Establish internal communication procedures

Step 5: Conduct Internal Audit

Before applying for certification, the organization must conduct an internal audit of the ISMS as required by Clause 9.2 of ISO/IEC 27001:2022.

  • Plan and schedule internal audit
  • Conduct audit against all ISO 27001:2022 clauses
  • Document findings and non-conformities
  • Take corrective actions for identified issues
  • Review internal audit results in Management Review

Step 6: Management Review

Clause 9.3 of ISO/IEC 27001:2022 requires top management to conduct a formal management review of the ISMS. This ensures leadership commitment and awareness of ISMS performance.

  • Review ISMS performance indicators
  • Review results of internal audits
  • Review status of corrective actions
  • Review changes in internal/external context
  • Document decisions and actions

Step 7: Select an Accredited Certification Body

In Nepal, organizations must select a certification body (CB) that is accredited by a recognized accreditation body. Common accreditation bodies whose certified CBs operate in Nepal include:

  • United Kingdom Accreditation Service (UKAS)
  • Deutsche Akkreditierungsstelle (DAkkS)
  • Joint Accreditation System of Australia and New Zealand (JAS-ANZ)
  • National Accreditation Board for Certification Bodies (NABCB) India

Nepal does not yet have a domestic accreditation body specifically for ISO management system certification. The Nepal Bureau of Standards and Metrology (NBSM) under the Ministry of Industry, Commerce and Supplies handles national standardization but does not accredit ISO 27001 certification bodies directly.

You can verify accredited certification bodies through the IAF MLA Database at https://www.iaf.nu.

Step 8: Stage 1 Audit (Documentation Review)

The certification body conducts a Stage 1 Audit, which is primarily a documentation and readiness review.

  • Review of ISMS scope, policies, and procedures
  • Review of Statement of Applicability (SoA)
  • Review of Risk Assessment and Risk Treatment Plan
  • Assess readiness for Stage 2 Audit
  • Identify any major gaps before Stage 2

Step 9: Stage 2 Audit (Certification Audit)

The Stage 2 Audit is the main certification audit. The auditors from the certification body visit the organization (on-site or remotely) and verify that the ISMS is effectively implemented and operational.

  • Audit all clauses of ISO/IEC 27001:2022
  • Verify implementation of Annex A controls
  • Interview employees at all levels
  • Observe processes and check records
  • Raise non-conformities (major or minor) if found
  • Submit audit report to certification body

Step 10: Corrective Actions and Certification Decision

If non-conformities are raised during Stage 2 Audit, the organization must submit corrective action evidence within a defined timeframe (usually 30-90 days). After satisfactory corrective actions are verified, the certification body issues the ISO/IEC 27001:2022 Certificate.

  • ISO/IEC 27001:2022 certificate is valid for 3 years
  • Annual surveillance audits are conducted in Year 1 and Year 2
  • A recertification audit is conducted in Year 3

Documents Required for ISO/IEC 27001:2022 Certification in Nepal

Organizations in Nepal must prepare and maintain the following mandatory documentation:

  • ISMS Scope Document
  • Information Security Policy
  • Risk Assessment Methodology Document
  • Risk Assessment Report
  • Risk Treatment Plan
  • Statement of Applicability (SoA)
  • Information Security Objectives
  • Competence Records and Training Records
  • Operational Planning and Control Documents
  • Internal Audit Program and Audit Reports
  • Management Review Minutes
  • Evidence of Corrective Actions
  • Incident Management Records
  • Business Continuity and Disaster Recovery Plans
  • Supplier Security Agreements

Cost of ISO/IEC 27001:2022 Certification in Nepal

The cost of obtaining ISO/IEC 27001:2022 certification in Nepal varies depending on the size of the organization, scope of the ISMS, and the certification body selected. Below is an estimated cost breakdown:

Cost Component                    | Estimated Cost (NPR)
Gap Analysis (Consultant)         | NPR 50,000 – 2,00,000
ISMS Implementation (Consultant)  | NPR 2,00,000 – 8,00,000
Employee Training                 | NPR 30,000 – 1,50,000
Internal Audit Support            | NPR 50,000 – 1,00,000
Stage 1 Certification Audit       | NPR 80,000 – 2,00,000
Stage 2 Certification Audit       | NPR 1,50,000 – 4,00,000
Annual Surveillance Audit         | NPR 1,00,000 – 2,00,000
Total Estimated Cost              | NPR 6,60,000 – 19,50,000

Costs may vary based on currency exchange rates and the selected certification body’s country of origin.

Nepal Bureau of Standards and Metrology (NBSM) and ISO Certification

The Nepal Bureau of Standards and Metrology (NBSM), established under the Nepal Bureau of Standards and Metrology Act, 2037 (1980), is Nepal’s national standards body. NBSM operates under the Ministry of Industry, Commerce and Supplies and is responsible for formulating and promoting national standards in Nepal.

While NBSM does not directly issue ISO/IEC 27001:2022 certificates, it plays a role in promoting standardization culture in Nepal. Organizations can visit NBSM’s official website for information on standardization activities in Nepal.

FAQs

1. What is the validity period of ISO/IEC 27001:2022 certification in Nepal?

ISO/IEC 27001:2022 certification is valid for 3 years. During this period, the organization must undergo annual surveillance audits in Year 1 and Year 2, followed by a recertification audit in Year 3 to maintain the certificate.

2. Can Nepali organizations get ISO/IEC 27001:2022 certified through a foreign certification body?

Yes. Since Nepal lacks an IAF-recognized domestic accreditation body for ISO 27001, Nepali organizations typically obtain certification through internationally accredited certification bodies operating in Nepal or remotely from India, UK, or other countries.

3. Is ISO/IEC 27001:2022 certification mandatory in Nepal?

ISO/IEC 27001:2022 is not universally mandatory in Nepal. However, Nepal Rastra Bank’s IT Security Guidelines strongly encourage BFIs to adopt ISMS frameworks. Some government tenders and international contracts also require ISO 27001 certification as a prerequisite.

4. How long does the ISO/IEC 27001:2022 certification process take in Nepal?

The complete certification process typically takes 6 to 18 months, depending on the organization’s size, existing security maturity, availability of resources, and responsiveness in implementing corrective actions after audits.

5. What is the Statement of Applicability (SoA) in ISO/IEC 27001:2022?

The Statement of Applicability (SoA) is a mandatory document that lists all 93 Annex A controls from ISO/IEC 27001:2022, states whether each control is applicable or not, and provides justification for inclusion or exclusion of each control in the ISMS.

6. What happens if an organization fails the Stage 2 Certification Audit?

If major non-conformities are identified during the Stage 2 Audit, the organization must implement corrective actions and provide evidence to the certification body. The CB may conduct a follow-up audit before issuing the certificate. Minor non-conformities are closed through documentary evidence.

Conclusion

ISO/IEC 27001:2022 certification in Nepal represents a formal and structured commitment to protecting information assets and managing information security risks. The certification process involves gap analysis, risk assessment, ISMS implementation, internal auditing, and a two-stage external audit by an accredited certification body. As Nepal’s regulatory environment around data protection and cybersecurity continues to mature, supported by the Electronic Transactions Act, 2063, the Individual Privacy Act, 2018, and Nepal Rastra Bank’s IT Security Guidelines, ISO/IEC 27001:2022 certification will become an increasingly valued credential for Nepali organizations operating domestically and internationally.
