ISO 27001:2022 · ISO 27701:2025 · SOC 2 · HIPAA

Security and Privacy Programmes That Survive Audits, Customers, and Regulators.

I'm Ravindra Gandhi — an independent Information Security Consultant with 20+ years in IT audit, ISO 27001 lead auditing, SOC 2 readiness, and information security governance. My advisory and audit work is delivered through CertiTrust Consulting, where I serve as Principal Consultant.

Credentials & Affiliations
ISO 27001 LA ISO 27701 LI CISA CEH IRCA / CQI ISACA
ISO/IEC 27001:2022 Lead Auditor ISO/IEC 27701:2025 PIMS Specialist SOC 2 aligned HIPAA safeguards CISA - Certified Information Systems Auditor IRCA / CQI Lead Auditor ISACA member
The Compliance Reality

Compliance Is Easy to Claim. Hard to Prove.

Most organisations don’t fail audits because their policies are missing. They fail because their controls don’t reflect reality, their evidence is incomplete, and their governance hasn’t been independently tested. I built my practice around closing that gap.

Policies vs. Operations

Documentation that doesn’t match how the business actually runs. The auditor’s first finding.

Last-Minute Evidence

Artefacts generated the week before the audit. The auditor’s second finding.

Controls Without Owners

Procedures that nobody maintains. The auditor’s recurring observation.

Ravindra Gandhi — ISO 27001 Lead Auditor, CISA, Principal Consultant at CertiTrust Consulting
Principal Consultant, CertiTrust Consulting

Ravindra Gandhi

Twenty-plus years in IT audit, ISO 27001 lead auditing and implementation, SOC 2 readiness, and information security governance — across regulated industries in India and beyond.

How I'm set up

I'm an independent Information Security Consultant. My advisory work, audits, and certification programmes are delivered through CertiTrust Consulting, where I serve as Principal Consultant. This site is my personal professional profile — for engagement, proposals, or billing, connect with CertiTrust Consulting.

I've spent my career on the side of the table that has to prove things, not just claim them. That started in IT audit, moved through ISO 27001 lead auditing and implementation work, and has grown to cover ISO 27701 privacy integration, SOC 2 readiness for SaaS and technology platforms, and independent security advisory across manufacturing, pharma, IT, CPA, and insurance-adjacent clients.

As Principal Consultant there, I lead every engagement personally — there's no hand-off to junior staff after the first call. That's a deliberate choice: the value of an independent assessment depends on the independence actually being present throughout, not just at the proposal stage.

1

Evidence over assertion

If a control cannot be independently verified, it cannot be relied upon. I structure every engagement around evidence that holds up under a certification auditor's scrutiny.

2

Independence over comfort

Flagging weaknesses early — while correction is still possible — is what makes a client audit-ready rather than audit-reactive.

3

Discipline over breadth

A focused practice produces depth. I'd rather decline work outside my core specialisations than dilute the standard I hold myself to.

Areas of Expertise

A Focused Practice. Nine Disciplines. One Standard of Evidence.

These are the areas I've built genuine depth in over 20+ years — not a generalist menu. Each card links to a deeper look at how I think about that framework; delivery of any engagement happens through CertiTrust Consulting.

Delivered through CertiTrust Consulting

I'm an independent consultant — scoped engagements across all nine areas above are delivered through CertiTrust Consulting, where I serve as Principal Consultant. Engagement, proposals, and billing sit with the firm.

Visit CertiTrust Consulting →
How I Work

An Audit-Centric Consulting Model

“If a control cannot be evidenced, it does not exist.”

01

Assess Reality

I map actual operations, scope boundaries, data flows, and risk — not the version that lives in policy documents.

02

Design What Fits

Controls written to how the business runs, then mapped against Annex A, ISO 27701, SOC 2 TSCs, and HIPAA Safeguards.

03

Validate Early

Independent internal audits identify gaps in evidence, ownership, and effectiveness before external auditors do.

04

Strengthen What Matters

Targeted remediation focused on material risk and audit-blocking findings, with measurable closure timelines.

Industries I've Worked With

Sector Fluency, Not Guesswork

Two decades across audit-driven industries — each with its own regulatory pressure and its own definition of "good enough." For engagement in any of these industries, CertiTrust Consulting is the delivering entity.

Px
Pharma & Life Sciences
GxP-adjacent operations and pharma supply chains where a single audit finding can affect a customer relationship.
IT
IT / ITES & SaaS
Where SOC 2 and ISO 27001 are increasingly a condition of the enterprise sales cycle, not a nice-to-have.
He
Healthcare
ePHI handling, business associate relationships, and the discipline HIPAA's Safeguards require.
Mf
Manufacturing
OT/IT convergence and vendor ecosystems that often carry more risk than the corporate network itself.
CPA
CPA & Accounting Firms
Client confidentiality obligations that map closely to ISO 27001's access-control requirements.
Ins
Insurance & BFSI-adjacent
Regulatory alignment and third-party exposure where control failure costs more than audit findings.
By the Numbers

Two Decades of Audit-Defensible Practice

20+
Years in IT Audit & Consulting
60+
Clients across Manufacturing, Pharma, CPA & IT Services
40+
Projects in ISO 27001, 27701 & SOC 2
30+
Conferences, Workshops & Training Events
Why Work With Me

Independent. Disciplined. Personally Led.

Deep Specialisation

ISO 27001:2022, ISO 27701:2025, SOC 2, and HIPAA — not a generalist practice.

Internal-Audit Mindset

I design what survives external scrutiny — not what looks good on a deck.

Personally Led

Every engagement I take on through CertiTrust is led by me directly, not delegated to juniors.

Evidence & Effectiveness

Audit outcomes are first-class deliverables — not afterthoughts.

IRCA / CQI Discipline

Professionally aligned with international auditing practice standards.

SME & Mid-Market Focus

Execution without compliance shortcuts or governance theatre.

Personal Record

Credentials & Accreditations

Certifications and professional affiliations I maintain through continuing professional development, directly relevant to ISO 27001, ISO 27701, SOC 2, and audit practice.

LA

ISO 27001 Lead Auditor

IRCA / CQI certified — qualified to plan, conduct, report, and follow up on ISMS audits in accordance with ISO 19011.

✓ Verified credential
LI

ISO 27001 Lead Implementer

Qualified to design, implement, and operate ISMS environments aligned to ISO/IEC 27001:2022.

✓ Verified credential
CISA

CISA

Certified Information Systems Auditor — ISACA's globally recognised credential for IS audit, assurance, and control.

✓ Verified credential
CEH

CEH

Certified Ethical Hacker — structured, practical grounding in offensive-security thinking that informs my risk assessments.

✓ Verified credential
P27701

ISO 27701 PIMS Specialist

Privacy Information Management System qualification, supporting ISO 27701:2025 implementation and internal audit.

✓ Verified credential
ISACA

Member, ISACA

Active membership of the global professional body for IS audit, governance, risk, and cybersecurity.

✓ Verified credential
IRCA

Member, IRCA / CQI

Active membership of the International Register of Certificated Auditors and the Chartered Quality Institute.

✓ Verified credential

Need certificate copies for an audit pack or empanelment?

For customer security reviews, certification audits, or vendor empanelment, I provide attested copies of these credentials on request.

Request Verified Copies →
Proof of Outcomes

What Clients Say, After the Audit Is Over

Engagements referenced here — including feedback from Mr. Vijay Ramane, Mr. Vijesh Zinzuwadia, Mr. Chetansinh Parmar, and Mr. Shobhit Singh — were delivered through CertiTrust Consulting.

Client success stories

Testimonials and engagement outcomes live on CertiTrust Consulting, the firm that delivered them.

View Success Stories →
Insights

Perspectives on Audit, Privacy, and Governance

PerspectiveISO 27001:2022

What the New Annex A Structure Actually Changes

Why the 4-theme control set matters more for evidence than for policy paperwork.

Read the article →
PerspectiveISO 27701:2025

Integrating ISO 27701 Without Duplicating Governance

How to layer a PIMS over an existing ISMS without doubling policies, owners, or evidence.

Read the article →
PerspectiveSOC 2

What SOC 2 Readiness Actually Requires in 90 Days

A realistic view of the runway a growth-stage SaaS team needs before Type I.

Read the article →
Read more on Insights →
Frequently Asked Questions

Questions I Hear Most Often

Including the one about who you'd actually be contracting with.

Getting Started

It usually comes down to who's asking. If US enterprise customers are driving the requirement, SOC 2 is often the faster fit. If you're selling into markets where ISO certification is the recognised standard, or you want a management-system approach that also covers privacy, ISO 27001 (with ISO 27701 if privacy is in scope) is usually the better foundation.

For a mid-market organisation with reasonable existing controls, 4 to 8 months from kickoff to certification audit is realistic. Anyone promising certification in a few weeks is optimising for a quick sale, not a defensible outcome.

Yes. My client base spans manufacturing, pharma, IT/SaaS, and CPA firms across India, and engagements are not limited by geography for remote-deliverable work such as advisory, readiness, and awareness training.

Frameworks

ISO 27701 gives you a certifiable management-system structure for privacy, built on top of ISO 27001. GDPR and India's DPDP Act are legal obligations, not certifications. ISO 27701 is one of the most efficient ways to operationalise those legal obligations.

If you're a business associate handling ePHI on behalf of a US covered entity — a common position for Indian IT/ITES and SaaS vendors — HIPAA's Security and Privacy Rule requirements apply to you contractually, even though you're not directly regulated by OCR.

Often, yes, and there's real efficiency in doing so — a well-built ISMS produces most of the evidence a SOC 2 Type II audit will ask for. I typically sequence the two rather than run them as fully separate projects.

Working With Me

Yes. As Principal Consultant at CertiTrust Consulting, I'm involved from scope definition through to audit readiness confirmation — there's no hand-off to junior staff partway through.

Realistic time from the control owners, not just the compliance lead — IT, HR, and operations typically all hold evidence an auditor will ask for. I scope this explicitly at the start.

iTAuditor vs. CertiTrust Consulting

CertiTrust Consulting. iTAuditor is my personal brand and professional profile — it doesn't invoice clients and isn't a contracting entity. Any proposal, statement of work, or invoice you receive will be from CertiTrust Consulting, where I serve as Principal Consultant.

CertiTrust Consulting handles all contracting and billing. This site exists to give you a clear, verifiable picture of my background and credentials before that conversation starts.

Still have a question? Get in touch or message me directly on WhatsApp.

Get in Touch

Let's Start With Clarity.

Two paths, depending on what brought you here.

Personal & Professional

Speaking engagements, media requests, mentorship, professional networking, or a general question — reach me directly.

Consulting Engagements

Audits, certification programmes, SOC 2 or HIPAA readiness, or any scoped advisory work. This is delivered through CertiTrust Consulting, where I serve as Principal Consultant — proposals, contracting, and billing all happen there.

The scheduling link above books an introductory conversation with me — not a signed engagement. Scoping and contracting follow through CertiTrust.

Address

305, Vihav Business Square,
Nr. HCG Cancer Hospital, Sun Pharma Road,
Atladara, Vadodara — 390012, Gujarat

Start With Clarity

Let's Have a Conversation

Whether you're weighing ISO 27001, ISO 27701, SOC 2, or HIPAA readiness — or just want an independent read on where you stand — I'm glad to talk it through. For a scoped engagement, I'll bring in CertiTrust Consulting.

Understand your gaps, risks, and next steps — before they become audit findings.
Call Schedule a Conversation