What the New Annex A Structure Actually Changes
Why the 4-theme control set matters more for evidence than for policy paperwork.
Read the article →I'm Ravindra Gandhi — an independent Information Security Consultant with 20+ years in IT audit, ISO 27001 lead auditing, SOC 2 readiness, and information security governance. My advisory and audit work is delivered through CertiTrust Consulting, where I serve as Principal Consultant.
Most organisations don’t fail audits because their policies are missing. They fail because their controls don’t reflect reality, their evidence is incomplete, and their governance hasn’t been independently tested. I built my practice around closing that gap.
Documentation that doesn’t match how the business actually runs. The auditor’s first finding.
Artefacts generated the week before the audit. The auditor’s second finding.
Procedures that nobody maintains. The auditor’s recurring observation.
Twenty-plus years in IT audit, ISO 27001 lead auditing and implementation, SOC 2 readiness, and information security governance — across regulated industries in India and beyond.
I'm an independent Information Security Consultant. My advisory work, audits, and certification programmes are delivered through CertiTrust Consulting, where I serve as Principal Consultant. This site is my personal professional profile — for engagement, proposals, or billing, connect with CertiTrust Consulting.
I've spent my career on the side of the table that has to prove things, not just claim them. That started in IT audit, moved through ISO 27001 lead auditing and implementation work, and has grown to cover ISO 27701 privacy integration, SOC 2 readiness for SaaS and technology platforms, and independent security advisory across manufacturing, pharma, IT, CPA, and insurance-adjacent clients.
As Principal Consultant there, I lead every engagement personally — there's no hand-off to junior staff after the first call. That's a deliberate choice: the value of an independent assessment depends on the independence actually being present throughout, not just at the proposal stage.
If a control cannot be independently verified, it cannot be relied upon. I structure every engagement around evidence that holds up under a certification auditor's scrutiny.
Flagging weaknesses early — while correction is still possible — is what makes a client audit-ready rather than audit-reactive.
A focused practice produces depth. I'd rather decline work outside my core specialisations than dilute the standard I hold myself to.
These are the areas I've built genuine depth in over 20+ years — not a generalist menu. Each card links to a deeper look at how I think about that framework; delivery of any engagement happens through CertiTrust Consulting.
Practical ISMS design, risk treatment, and internal audit focused on control effectiveness.
Learn more →Privacy controls layered onto an existing ISMS without duplicating owners or evidence.
Learn more →Structured Type I & II readiness aligned to the Trust Services Criteria your customers ask about.
Learn more →Administrative, Physical, and Technical Safeguards for covered entities and business associates.
Learn more →Risk-tiered vendor inventory, due diligence, and monitoring integrated with your existing frameworks.
Learn more →Risk-based assessments focused on findings that materially affect audit and business risk, not noise.
Learn more →Independent evaluation of IT systems, controls, and performance against the standard you're held to.
Learn more →Role-based training that changes behaviour, not just attendance records.
Learn more →Independent, business-aligned advisory for governance, control design, and audit-ready operations.
Learn more →I'm an independent consultant — scoped engagements across all nine areas above are delivered through CertiTrust Consulting, where I serve as Principal Consultant. Engagement, proposals, and billing sit with the firm.
“If a control cannot be evidenced, it does not exist.”
I map actual operations, scope boundaries, data flows, and risk — not the version that lives in policy documents.
Controls written to how the business runs, then mapped against Annex A, ISO 27701, SOC 2 TSCs, and HIPAA Safeguards.
Independent internal audits identify gaps in evidence, ownership, and effectiveness before external auditors do.
Targeted remediation focused on material risk and audit-blocking findings, with measurable closure timelines.
Two decades across audit-driven industries — each with its own regulatory pressure and its own definition of "good enough." For engagement in any of these industries, CertiTrust Consulting is the delivering entity.
ISO 27001:2022, ISO 27701:2025, SOC 2, and HIPAA — not a generalist practice.
I design what survives external scrutiny — not what looks good on a deck.
Every engagement I take on through CertiTrust is led by me directly, not delegated to juniors.
Audit outcomes are first-class deliverables — not afterthoughts.
Professionally aligned with international auditing practice standards.
Execution without compliance shortcuts or governance theatre.
Certifications and professional affiliations I maintain through continuing professional development, directly relevant to ISO 27001, ISO 27701, SOC 2, and audit practice.
IRCA / CQI certified — qualified to plan, conduct, report, and follow up on ISMS audits in accordance with ISO 19011.
✓ Verified credentialQualified to design, implement, and operate ISMS environments aligned to ISO/IEC 27001:2022.
✓ Verified credentialCertified Information Systems Auditor — ISACA's globally recognised credential for IS audit, assurance, and control.
✓ Verified credentialCertified Ethical Hacker — structured, practical grounding in offensive-security thinking that informs my risk assessments.
✓ Verified credentialPrivacy Information Management System qualification, supporting ISO 27701:2025 implementation and internal audit.
✓ Verified credentialActive membership of the global professional body for IS audit, governance, risk, and cybersecurity.
✓ Verified credentialActive membership of the International Register of Certificated Auditors and the Chartered Quality Institute.
✓ Verified credentialFor customer security reviews, certification audits, or vendor empanelment, I provide attested copies of these credentials on request.
Engagements referenced here — including feedback from Mr. Vijay Ramane, Mr. Vijesh Zinzuwadia, Mr. Chetansinh Parmar, and Mr. Shobhit Singh — were delivered through CertiTrust Consulting.
Testimonials and engagement outcomes live on CertiTrust Consulting, the firm that delivered them.
Why the 4-theme control set matters more for evidence than for policy paperwork.
Read the article →How to layer a PIMS over an existing ISMS without doubling policies, owners, or evidence.
Read the article →A realistic view of the runway a growth-stage SaaS team needs before Type I.
Read the article →Including the one about who you'd actually be contracting with.
It usually comes down to who's asking. If US enterprise customers are driving the requirement, SOC 2 is often the faster fit. If you're selling into markets where ISO certification is the recognised standard, or you want a management-system approach that also covers privacy, ISO 27001 (with ISO 27701 if privacy is in scope) is usually the better foundation.
For a mid-market organisation with reasonable existing controls, 4 to 8 months from kickoff to certification audit is realistic. Anyone promising certification in a few weeks is optimising for a quick sale, not a defensible outcome.
Yes. My client base spans manufacturing, pharma, IT/SaaS, and CPA firms across India, and engagements are not limited by geography for remote-deliverable work such as advisory, readiness, and awareness training.
ISO 27701 gives you a certifiable management-system structure for privacy, built on top of ISO 27001. GDPR and India's DPDP Act are legal obligations, not certifications. ISO 27701 is one of the most efficient ways to operationalise those legal obligations.
If you're a business associate handling ePHI on behalf of a US covered entity — a common position for Indian IT/ITES and SaaS vendors — HIPAA's Security and Privacy Rule requirements apply to you contractually, even though you're not directly regulated by OCR.
Often, yes, and there's real efficiency in doing so — a well-built ISMS produces most of the evidence a SOC 2 Type II audit will ask for. I typically sequence the two rather than run them as fully separate projects.
Yes. As Principal Consultant at CertiTrust Consulting, I'm involved from scope definition through to audit readiness confirmation — there's no hand-off to junior staff partway through.
Realistic time from the control owners, not just the compliance lead — IT, HR, and operations typically all hold evidence an auditor will ask for. I scope this explicitly at the start.
CertiTrust Consulting. iTAuditor is my personal brand and professional profile — it doesn't invoice clients and isn't a contracting entity. Any proposal, statement of work, or invoice you receive will be from CertiTrust Consulting, where I serve as Principal Consultant.
CertiTrust Consulting handles all contracting and billing. This site exists to give you a clear, verifiable picture of my background and credentials before that conversation starts.
Still have a question? Get in touch or message me directly on WhatsApp.
Two paths, depending on what brought you here.
Speaking engagements, media requests, mentorship, professional networking, or a general question — reach me directly.
Audits, certification programmes, SOC 2 or HIPAA readiness, or any scoped advisory work. This is delivered through CertiTrust Consulting, where I serve as Principal Consultant — proposals, contracting, and billing all happen there.
The scheduling link above books an introductory conversation with me — not a signed engagement. Scoping and contracting follow through CertiTrust.
305, Vihav Business Square,
Nr. HCG Cancer Hospital, Sun Pharma Road,
Atladara, Vadodara — 390012, Gujarat
Whether you're weighing ISO 27001, ISO 27701, SOC 2, or HIPAA readiness — or just want an independent read on where you stand — I'm glad to talk it through. For a scoped engagement, I'll bring in CertiTrust Consulting.