ISO 27001:2022 Certification Status

ISMS scope

Documented

Cloud + On-Premise included

Annex A controls

All mapped

SoA available under NDA

Risk treatment

Complete

Internal audit

Passed Q1 2026

Full ISMS scope

External auditor

Accredited body

Stage 1 ✓ · Stage 2 in progress

Certificate

Q2 2026 target

Subject to Stage 2 closure

Status as of May 17, 2026 IST: Implementation complete. Stage 1 audit complete. Stage 2 audit underway with an accredited external body. Certificate target Q2 2026. We do not currently claim ISO 27001 certification. Pre-certification artefacts (Statement of Applicability, internal audit report, auditor timeline letter) available under NDA.

1 Where we are in the timeline

ISO 27001 certification is a multi-stage process. Here is exactly where Headx Monitor stands:

Phase	Status	Date
Gap assessment and scoping	Complete	2025 Q3
ISMS documentation (policies, procedures, controls)	Complete	2025 Q4
Risk assessment and treatment plan	Complete	2025 Q4
Statement of Applicability (SoA)	Complete	2026 Q1
Internal audit (full ISMS scope)	Complete	2026 Q1
Management review	Complete	2026 Q1
External Stage 1 audit (documentation review)	Complete	2026 Q1
Corrective actions from Stage 1	Complete	2026 Q1
External Stage 2 audit (implementation effectiveness)	In progress	2026 Q2
Certificate issuance	Pending Stage 2	Q2 2026 target
Surveillance audit (year 1)	Scheduled	2027 Q2
Surveillance audit (year 2)	Scheduled	2028 Q2
Recertification audit	Scheduled	2029 Q2

2 What's implemented

All Annex A controls applicable to Headx Monitor's scope are implemented across the four control themes:

Organisational controls (Clause 5)

Information security policy approved and reviewed annually
Roles and responsibilities defined (CISO, DPO, security operations)
Segregation of duties between development and production access
Contact with authorities (CERT-In, sector regulators)
Threat intelligence subscription and integration
Information security in project management — security-review gate on every release
Information transfer policies (with sub-processors, with customers)
Access control policy with RBAC + named privilege escalation

People controls (Clause 6)

Background verification for all employees
Terms and conditions of employment include confidentiality obligations
Disciplinary process for information security violations
Information security awareness training — onboarding + annual refresh
Remote working security policy
Reporting of information security events workflow

Physical controls (Clause 7)

Physical security perimeters at office locations
Physical entry controls (access cards, visitor management)
Security of offices, rooms, facilities
Secure disposal or reuse of equipment
Equipment maintenance and decommissioning procedures
Production infrastructure AWS-hosted; AWS ap-south-1 physical controls inherited via Shared Responsibility model

Technological controls (Clause 8)

User access provisioning, review, and revocation
Privileged access management (just-in-time, time-boxed)
Information access restriction (need-to-know + RBAC)
Secure authentication (bcrypt, MFA available, lockouts)
Capacity management with auto-scaling
Protection against malware (EDR on all endpoints)
Backup and recovery — daily full, hourly incremental, cross-AZ replication
Logging and monitoring — centralised, SIEM-ready, anomaly detection
Networks security (Cloudflare WAF, private subnets, egress controls)
Cryptography — TLS 1.3, AES-256, KMS key management, quarterly key rotation
Secure development life cycle
Application security testing — SAST, SCA, DAST, annual external pen test
Test data management — production data is never used in development or test
Change management — approval workflow, rollback procedures
Vulnerability management — daily SCA, monthly scans, CVE-based patch SLAs

The full Statement of Applicability (Annex A control-by-control with implementation evidence) is available under NDA.

3 What's pending

Three remaining items between us and the certificate:

Stage 2 audit closure — accredited external auditor is currently in fieldwork, observing implementation effectiveness across the ISMS. Expected closure mid-Q2 2026.
Corrective action follow-up — any minor non-conformities from Stage 2 require closure evidence within an agreed window before the certificate is issued.
Certificate issuance — administrative step by the certification body once the audit closes successfully. Typical lead time 2–4 weeks after closure.

We can share the auditor's timeline letter under NDA — it commits the auditor to issuance dates contingent on Stage 2 outcomes.

4 Two options if certification is sign-conditional

If your client cannot sign until the certificate is in hand, we offer two clean paths:

Option A — Contractual commitment now, certificate later Most popular

Sign the agreement now, with a contractual commitment in the MSA that Headx will deliver the ISO 27001:2022 certificate by an agreed date (typically the auditor's timeline date + 30 days as buffer), with a defined remedy if missed. Common remedies:

Service-credit on monthly fees from the missed-date forward until certificate delivery
Right of customer termination with full refund of unused subscription
Quarterly progress reports during the certification period

Multiple BFSI customers have taken this route. It lets the customer's procurement timeline proceed without waiting on our certification timeline.

Option B — Wait for certificate

Defer signing until certificate issuance (Q2 2026 target). We can hold pricing and contract terms agreed during the procurement cycle so the eventual signing is a single-page execution.

If your client is on a strict procurement budget cycle that aligns with our certificate window (June–August 2026), Option B may actually be more convenient than Option A.

5 Available artefacts (under NDA)

Customers and customer security teams can access the following under signed NDA, typically within 24 hours of request:

Statement of Applicability (SoA) — control-by-control applicability and implementation evidence
ISMS scope statement — what is in / out of certification scope
Information security policy — board-approved, current version
Risk assessment and treatment plan — current risk register
Internal audit report — latest internal audit findings and closure status
Management review minutes — quarterly
External auditor's timeline letter — committed certification dates
Stage 1 audit report executive summary
Penetration test executive summary — latest annual external test
Sub-processor register with annual review records

Request via security@headx.in.

6 Other certifications status

Standard	Status	Target / Notes
ISO 27001:2022	Stage 2 in progress	Q2 2026 target (this page)
SOC 2 Type 2	Observation window underway	Q3 2026 target
GDPR	DPA template available	Available now
HIPAA	BAA available on request	Healthcare-adjacent customers
DPDP Act 2023 (India)	Aligned	See DPDP status
PCI DSS	Out of scope	Payment flows handled by Cashfree / Razorpay
CSA STAR	Planned	Following ISO 27001 issuance

7 Contact

Security / certification questions: security@headx.in
Audit-evidence requests (NDA): security@headx.in
Legal / DPA / contract: legal@headx.in
Sales / pre-procurement questionnaires: sales@headx.in

Need detailed audit evidence or a signed DPA?

The full Statement of Applicability, latest penetration-test summary, sub-processor register with annual review records, and pre-filled CAIQ / SIG questionnaires are available under NDA — typically within 24 hours (IST business days).

Request artefacts Talk to sales