Hermitage of Management & Standards Limited

ISO Consultancy Company In BD

ISO 27001 Certification for SaaS Companies in Bangladesh

What ISO 27001 Is and Why It Matters for BD SaaS Right Now

ISO/IEC 27001 is an information security management standard. It asks you to build an Information Security Management System, or ISMS, which is a documented, auditable way of tracking who has access to what, what risks exist in your systems, and what you are doing about them.

It is not a technical checklist you hand to an engineer. The whole point is that security becomes a managed process across your organisation, with records that prove it.

For SaaS companies in Dhaka, the pressure to get certified has arrived from two sides at the same time. Export clients are the first side. UK, EU, and US enterprise buyers have made ISO 27001 a procurement condition the same way they require signed NDAs.

Bangladeshi SaaS teams are hitting this wall mid-sales-cycle more and more often, which is a painful place to find out you need a certificate that takes months to get. The domestic side is the second pressure. Bangladesh Bank tightened its ICT Security Guidelines for financial institutions over the past few years, and the Digital Security Act 2018 created real legal obligations around data handling and breach notification; it has since been repealed and replaced by the Cyber Security Act 2023, which carries most of those provisions forward. ISO 27001 addresses both in one process.

The 2022 edition of the standard has 93 Annex A controls covering organisational policies, people practices, physical security, and technology. You do not implement all 93. You must consider each one, document which controls apply to your company and record your justification for excluding the others. This document is called the Statement of Applicability (SoA).

The other document procurement teams ask for early is the Risk Treatment Plan, which records what risks you found and what you are doing about each one. Companies that have gone through the process say enterprise security questionnaires that used to take weeks now take an afternoon.

Worth saying directly: many Bangladeshi SaaS companies assume ISO 27001 is for large organisations with a dedicated security function. It is not. A 15-person company in Gulshan running on AWS can get certified. The work is more about being organised and documented than about having complex infrastructure.

For BASIS members: The ICT Division runs export readiness facilitation schemes that sometimes include subsidised consultant access for ISO certification work. The Bangladesh Hi-Tech Park Authority has also tied certification eligibility to certain export incentive programmes. Check what is currently available before budgeting for outside consulting.

The Framework: What You Are Actually Building

The ISMS is not one document. It is a set of policies, procedures, and records that runs continuously. Your first decision is scope: which systems, environments, and data flows sit inside the certification boundary.

Scoping too wide creates more compliance work than a small team can maintain. Scoping too narrow produces a certificate that does not satisfy clients who ask detailed follow-up questions.

For most Bangladeshi SaaS companies, the scope covers the production environment on AWS Singapore (ap-southeast-1) or AWS Mumbai (ap-south-1), the CI/CD pipeline, customer databases, and internal tools that have production access. One thing most guides skip over:

AWS holds its own ISO 27001 certification covering both of those regions. Under the shared responsibility model, physical data centre controls, including server hardware, power backup, and physical access, are AWS's responsibility. You record this in your ISMS and attach AWS's certificate and audit reports, which you can download from AWS Artifact, as supplier evidence; auditors accept the inherited controls. Everything above the hypervisor stays yours: IAM, encryption settings, logging, patching of your own images, and the isolation between tenants. Even so, inheriting the physical layer simplifies your scope considerably compared to teams running their own hardware.

The gap analysis almost always turns up the same pattern in Bangladesh. Technical security is reasonable. HTTPS is in place, there is some AWS IAM configuration, deployments go through a pipeline.

What is missing is documentation. No formal access review process. No written incident response procedure that has been tested. No policy document with a leadership signature.

The implementation phase involves roughly as much policy writing as it does technical work, and teams that do not expect this find themselves spending much more time on it than planned.

ISO 27001, SOC 2, and GDPR: Which One Your Clients Are Asking For

ISO 27001 should come first for most export-focused Bangladeshi SaaS companies. SOC 2 matters mainly for US-market clients, and GDPR applies if you are handling personal data of people in the EU (the UK has its own UK GDPR with near-identical obligations). Note that GDPR is a regulation rather than a certification: there is no certificate to obtain, only an ongoing obligation. Here is the comparison.

Factor | ISO 27001 | SOC 2 Type II | GDPR
BD relevance | Highest. Maps directly onto Bangladesh Bank ICT guidelines and DSA 2018 | Low local recognition | Applies only if you handle EU personal data
Best for | Export deals in EU, UK, US. Also growing demand from local enterprise | US-focused B2B SaaS clients | EU personal data obligations
Year 1 cost (BD) | BDT 11L to 44L | USD 20K to 60K | USD 15K to 50K
Audit body in BD | BSI Bangladesh or Bureau Veritas Dhaka | US CPA firm attestation | Supervisory authority enforcement, no certificate
Timeline | 3 to 12 months depending on team size | 2 to 6 months | Ongoing obligation, no certificate

For fintech: ISO 27001 Annex A controls map directly onto Bangladesh Bank ICT Security Guidelines around access control, encryption, audit trails, business continuity, and third-party vendor risk. Banks' internal audit teams close vendor due diligence considerably faster once a SaaS supplier holds the certificate.

The Certification Process: What Each Stage Involves

Preparation:

Three workstreams run at the same time here. First, scope definition. Second, the gap analysis, which compares your current practices against all 93 Annex A controls. Third, the risk assessment.

Most Bangladeshi teams underinvest in the risk assessment. It is not a spreadsheet you fill in once. It is a documented methodology that scores threats by likelihood and damage, assigns an owner to each one, and feeds directly into the Risk Treatment Plan.

SaaS-specific risks to assess explicitly include multi-tenant data isolation failures, API authentication gaps, and cloud IAM misconfigurations. Start staff security training during this phase. You need dated attendance records at the audit, and running training late means thin records.

Implementation:

The technical side: role-based access control properly configured in AWS, CloudTrail logging switched on across all accounts and regions, encryption confirmed at rest and in transit for every customer data store, at least one penetration test completed.

The policy side: a signed information security policy, written procedures covering access control, incident response, business continuity, and supplier assessments. Before you book the certification audit, run a full internal audit cycle and hold a formal management review.

Those two items produce the evidence that the ISMS is actually operating. Without them, Stage 2 will surface the gap.

Certification Audit

HMS Limited is one of the best certification body options for local companies. HMS carries UKAS accreditation, which means UK, EU, and US procurement teams recognise the certificates.

Stage 1 is documentation review, usually remote, over one to two weeks. The auditor goes through your SoA, Risk Treatment Plan, policies, and internal audit records.

Stage 2 is the live audit: interviews with staff across different roles, log samples, configuration reviews, supplier contract checks. Allow four to eight weeks from Stage 2 scheduling through to receiving the certificate.

HMS Limited covers the whole South Asian market from regional offices, and its audit calendar fills up. Book your slot before you think you are ready.

Keeping the Certificate

The certificate is valid three years, with surveillance audits in years one and two, each running one to two days. The full recertification audit is in year three. Between audits, any significant infrastructure change should trigger an ISMS review: a new cloud region, a new third-party integration, a product feature that changes how customer data flows.

Certification bodies check change management records during surveillance, and a gap between what the documentation says and what the systems actually do is the most common nonconformity finding.

What It Costs for a Bangladeshi SaaS Company

Ignore the $35,000 to $120,000 figures in Western guides. They do not apply here. BSI and Bureau Veritas price South Asian audit engagements at 40 to 60 percent below their North American rates. Local consulting fees reflect local salary markets. The table below shows realistic BDT ranges.

Cost item | Estimated cost | Notes
Gap analysis and risk assessment | BDT 2L to 5L | Local ISMS consultant or BASIS-referred firm
Stage 1 and Stage 2 audit | BDT 8L to 18L | BSI Bangladesh or Bureau Veritas Dhaka (UKAS accredited)
Annual surveillance audit | BDT 3L to 5L | Years 1 and 2, same certification body
Security tooling and pen test | BDT 5L to 15L | Year 1 setup, local or regional vendor
Internal engineer time | BDT 3L to 12L | 150 to 300 hours at Dhaka market salary rates
Staff security training | BDT 50K to 1.5L | All staff. Dated attendance records are required at audit

A startup of 10 to 30 people should budget BDT 15 to 30 lakh for year one, covering consulting, both audit stages, basic tooling, and internal engineering time. Companies with 30 to 100 staff should plan for BDT 30 to 60 lakh. Year two and year three costs drop sharply, mainly to the surveillance audit fee and ongoing tooling.

Compliance automation tools like Vanta and Drata are priced in US dollars. The pricing is noticeable against Dhaka salary benchmarks. They pull audit evidence automatically from AWS, GitHub, your identity provider, and HR system, cutting manual collection time by around 60 percent.

For companies above roughly 25 staff, that saving usually makes the cost worthwhile. Under 20 people, a well-maintained shared folder with a single named owner often handles it without a paid tool.

Technical Side: Cloud-Native SaaS on AWS

Standard ISO 27001 guides assume on-premises servers. If your platform runs on AWS and deploys through GitHub Actions, the implementation looks different. Security controls belong inside the development workflow.

  • Terraform or AWS CDK: Every infrastructure change goes through version control, so auditors can review Git history (who changed what, who approved it, when it was applied) instead of manually maintained configuration documents. This supports change management (A.8.32), configuration management (A.8.9) and technical vulnerability management (A.8.8) in one approach. The caveat: Git history is only evidence if the pipeline is the sole path to production. Protect the main branch so every change needs a reviewer, and run a periodic drift check (for Terraform, `terraform plan -detailed-exitcode` in CI) so that console changes made outside the pipeline surface instead of silently diverging from the documented state.
  • CI/CD security gates: Integrate SAST scanning with Semgrep, dependency checks with Snyk or Dependabot, container scanning with Trivy, and secrets detection. Fail builds on critical findings, and keep a record of what the gate blocked and what was consciously accepted, by whom and until when; that record is the evidence the auditor asks for. If a build containing a known critical vulnerability can reach production, your vulnerability management control does not exist in practice regardless of what the policy document says.
  • CloudTrail and CloudWatch: Enable CloudTrail as a multi-region trail across all AWS accounts (an organization trail if you use AWS Organizations). Route logs to a dedicated S3 bucket with Block Public Access on, encryption at rest, a defined retention period and log file integrity validation enabled, so the logs cannot be quietly edited. Set CloudWatch alarms for unusual patterns: root account use, console logins without MFA, changes to the trail itself, and bursts of denied API calls. This covers logging (A.8.15) and monitoring (A.8.16) without needing a separate SIEM product.
  • Mutual TLS for microservices: If you run microservices, a service mesh like Istio can enforce mTLS between services. Be aware that Istio's default PeerAuthentication mode is PERMISSIVE, which also accepts plaintext connections; only a mesh-wide or namespace-level PeerAuthentication in STRICT mode is evidence that mTLS is actually enforced. The exported PeerAuthentication and AuthorizationPolicy resources then serve as network security audit evidence directly, which is considerably cleaner than manual firewall rule documentation.
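The build gate described in the CI/CD item above, as an added example (not the page's code and not Trivy's own tooling): a Python script that reads a Trivy JSON report and fails the build on CRITICAL or HIGH findings unless each one has an unexpired entry in an accepted-risk file. The report, the image name and the CVE-0000-xxxx identifiers are constructed placeholders, not real findings; the accepted-risk file format and the RTP-xxxx ticket names are this example's own convention, chosen so the gate's decisions double as Risk Treatment Plan evidence.

```python
"""CI gate over a Trivy JSON report: fail the build on CRITICAL/HIGH findings
unless each one sits in an accepted-risk list whose acceptance has not expired.

Added example, not the page's own code. The report layout follows Trivy's
JSON output (SchemaVersion 2, Results -> Vulnerabilities); the sample report,
image name and CVE-0000-xxxx identifiers are constructed placeholders. The
accepted-risk file (a JSON list of id / expires / owner / ticket / reason) is
this example's own convention for mirroring Risk Treatment Plan entries.
"""
import json
import sys
from datetime import date

BLOCKING = {"CRITICAL", "HIGH"}   # severities that stop a deploy

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/app:1.4.2",   # placeholder image
    "Results": [
        {"Target": "app:1.4.2 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother2",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "somelib",
              "InstalledVersion": "4.1.0", "FixedVersion": "4.1.3", "Severity": "HIGH"}]},
        # Trivy omits the Vulnerabilities key entirely for clean targets.
        {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile"},
    ]})

SAMPLE_ACCEPTED = json.dumps([
    {"id": "CVE-0000-0001", "expires": "2030-06-30", "owner": "cto", "ticket": "RTP-0001",
     "reason": "vulnerable code path not reachable; fix lands with next base image"},
    {"id": "CVE-0000-0002", "expires": "2025-01-01", "owner": "lead-dev", "ticket": "RTP-0002",
     "reason": "acceptance has lapsed and must be renewed or the package upgraded"},
])


def parse_trivy(report_json):
    """Flatten a Trivy report into one dict per finding."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v.get("PkgName"),
                "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion") or None,
                "severity": (v.get("Severity") or "UNKNOWN").upper(),
                "target": result.get("Target"),
            })
    return findings


def active_acceptances(accepted_json, today):
    """Return id -> acceptance for entries still in force on `today` (ISO date).
    Expired entries are dropped on purpose: a forgotten acceptance cannot keep a
    known bug shipping indefinitely, the gate fails again until it is re-reviewed."""
    cutoff = date.fromisoformat(today)
    return {e["id"]: e for e in json.loads(accepted_json)
            if date.fromisoformat(e["expires"]) >= cutoff}


def evaluate(report_json, accepted_json, today):
    """Decide pass/fail and return the record an auditor will ask to see."""
    findings = parse_trivy(report_json)
    active = active_acceptances(accepted_json, today)
    blocking, accepted = [], []
    for f in findings:
        if f["severity"] not in BLOCKING:
            continue
        (accepted if f["id"] in active else blocking).append(f)
    return {"passed": not blocking, "blocking": blocking,
            "accepted": accepted, "total": len(findings)}


def main(report_json=SAMPLE_REPORT, accepted_json=SAMPLE_ACCEPTED, today=None):
    result = evaluate(report_json, accepted_json, today or date.today().isoformat())
    for f in result["accepted"]:
        print(f"ACCEPTED {f['id']} {f['severity']} {f['pkg']} ({f['target']})")
    for f in result["blocking"]:
        print(f"BLOCKING {f['id']} {f['severity']} {f['pkg']} {f['installed']} -> "
              f"{f['fixed'] or 'no fix yet'} ({f['target']})")
    print("PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    # Usage: python gate.py trivy.json accepted-risks.json (falls back to the samples)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    accepted = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ACCEPTED
    sys.exit(main(report, accepted))
```

Run it as the last pipeline step after `trivy image --format json -o trivy.json <image>`; a non-zero exit fails the job. Trivy's own `--exit-code 1 --severity CRITICAL,HIGH` flags give you the plain gate; what the wrapper adds is the owned, dated acceptance that expires, which is the part Stage 2 auditors want to see matched against the Risk Treatment Plan. With the sample data, the lapsed acceptance for CVE-0000-0002 turns a previously green build red, which is exactly the behaviour you want.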
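The CloudTrail alerting called for in the implementation phase and in the logging item above, as an added example (not the page's code and not an AWS product): detection rules run over constructed CloudTrail records for root account use, console login without MFA, changes to the trail itself and bursts of denied API calls. The field names are the standard CloudTrail event fields; the account id, ARNs, IP addresses and session names are placeholders, and the burst threshold is this example's assumption.

```python
"""Detection rules over CloudTrail records: the 'unusual patterns' worth
alarming on, written so they can be tested against sample events.

Added example, not the page's or AWS's code. The fields read here
(userIdentity.type/arn, eventType, eventSource, eventName, errorCode,
additionalEventData.MFAUsed, responseElements.ConsoleLogin) are standard
CloudTrail event fields; the records are constructed samples with placeholder
account id, ARNs and addresses. Rules 1 to 4 correspond to alarms commonly
required by CIS-style AWS baselines; the threshold value is this example's choice.
Real trail files in S3 are gzip-compressed JSON with the same "Records" array.
"""
import json
from collections import Counter

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
DENIED_THRESHOLD = 3   # denied calls per principal per batch before alerting (assumption)

ACCT = "123456789012"   # placeholder account id


def _rec(ident_type, name, source, event, when, **extra):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventVersion": "1.08", "eventTime": when, "eventSource": source,
           "eventName": event, "awsRegion": "ap-southeast-1",
           "sourceIPAddress": "203.0.113.10",   # RFC 5737 documentation range
           "eventType": "AwsApiCall",
           "userIdentity": {"type": ident_type, "accountId": ACCT,
                            "arn": f"arn:aws:iam::{ACCT}:{name}"}}
    rec.update(extra)
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    # root signs in with MFA: rule 1 fires, rule 2 does not
    _rec("Root", "root", "signin.amazonaws.com", "ConsoleLogin", "2026-01-15T08:00:00Z",
         eventType="AwsConsoleSignIn", additionalEventData={"MFAUsed": "Yes"},
         responseElements={"ConsoleLogin": "Success"}),
    # an IAM user signs in to the console without MFA
    _rec("IAMUser", "user/deploy-bot", "signin.amazonaws.com", "ConsoleLogin",
         "2026-01-15T08:05:00Z", eventType="AwsConsoleSignIn",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    # someone stops the trail
    _rec("AssumedRole", "assumed-role/ops-admin/session", "cloudtrail.amazonaws.com",
         "StopLogging", "2026-01-15T08:10:00Z"),
    # four denied calls from the same user; the alert fires on the third
    *[_rec("IAMUser", "user/intern", "s3.amazonaws.com", "ListBuckets",
           f"2026-01-15T08:2{i}:00Z", errorCode="AccessDenied") for i in range(4)],
    # ordinary read-only call, no alert
    _rec("AssumedRole", "assumed-role/ci-deploy/session", "ec2.amazonaws.com",
         "DescribeInstances", "2026-01-15T08:30:00Z"),
]})


def detect(records):
    """Return (rule, principal_arn, eventName, eventTime) tuples for every hit."""
    alerts, denied = [], Counter()
    for rec in records:
        ident = rec.get("userIdentity") or {}
        who = ident.get("arn") or ident.get("type", "unknown")
        name, when = rec.get("eventName"), rec.get("eventTime")
        # Rule 1: any root account activity other than AWS-generated service events.
        if ident.get("type") == "Root" and not (rec.get("eventType") or "").startswith("AwsService"):
            alerts.append(("root_account_used", who, name, when))
        # Rule 2: successful console login without MFA (fields may be null in real records).
        if (name == "ConsoleLogin"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") == "No"):
            alerts.append(("console_login_without_mfa", who, name, when))
        # Rule 3: changes that stop or weaken the audit trail itself.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            alerts.append(("cloudtrail_tampering", who, name, when))
        # Rule 4: denied calls per principal; alert once when the threshold is reached.
        if rec.get("errorCode") in DENIED_CODES:
            denied[who] += 1
            if denied[who] == DENIED_THRESHOLD:
                alerts.append(("access_denied_burst", who, name, when))
    return alerts


def scan(log_json):
    return detect(json.loads(log_json)["Records"])


def summarize(alerts):
    """Alert counts per rule, the shape you would push to a CloudWatch metric."""
    return dict(Counter(rule for rule, _, _, _ in alerts))


if __name__ == "__main__":
    for rule, who, name, when in scan(SAMPLE_LOG):
        print(f"{when} {rule:<26} {name:<17} {who}")
```

In production the same four conditions become CloudWatch metric filters on the CloudTrail log group with an alarm each; keeping them in a small script like this as well lets you replay a day of logs during an internal audit and show the auditor that the alarms would have fired, which is far stronger evidence than a screenshot of the alarm configuration.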

Questions Bangladeshi SaaS Teams Ask

Is ISO 27001 mandatory in Bangladesh?

No law requires it. That said, UK and EU enterprise buyers now ask for it the same way they ask for a signed contract. Several local banks and NBFIs have started putting it in vendor questionnaires too. You won't get a fine for not having it, but you will lose deals.

BSI or Bureau Veritas?

Both work. Both are UKAS-accredited, so the certificate is globally valid either way. If you're selling primarily into UK markets, BSI gets recognised faster by procurement teams there. Bureau Veritas tends to have more schedule flexibility in South Asia.

How does ISO 27001 connect to the Digital Security Act 2018?

The DSA 2018 covered breach response, data protection obligations, and critical information infrastructure; it has since been repealed and replaced by the Cyber Security Act 2023, which retained most of those provisions. ISO 27001 controls on incident response, access logs, and audit trails handle most of the law's technical requirements. Companies often find that compliance with it falls into place once the ISMS is built, without treating it as a second project.

What about Bangladesh Bank ICT guidelines?

Heavy overlap. Bangladesh Bank's requirements for banks around access control, encryption, audit trails, business continuity, and third-party risk management are almost a subset of ISO 27001 Annex A. Fintech SaaS companies doing vendor onboarding with banks find the process goes much faster once they hold the certificate.

Can a small Dhaka startup afford ISO 27001?

A 10 to 20-person team with a sensibly scoped ISMS can get certified for BDT 15 to 25 lakh in year one. The traps are over-scoping, picking the wrong consultant, and letting documentation work sit unowned for months. Avoid those three and the cost stays manageable.

Where to Start

ISO 27001 does not end when you get the certificate. It continues through surveillance audits, risk reviews triggered by infrastructure changes, and annual management reviews. But the ongoing load is much lighter than the initial certification effort, and most teams find it manageable once the ISMS is built and the habits are set.

The companies that stall are the ones without a named owner, or the ones that scope in every system in the business and then find the documentation burden impossible to sustain. Keep the scope honest.

Pick a consultant who has taken SaaS companies through the process in Bangladesh specifically, not a generalist firm. And start before a client asks for it. Mid-sales-cycle is not where you want to be explaining a six-month timeline.