// INDIAN REGULATORY COMPLIANCE

CERT-In Empanelled Audit

Authorised information security audit as a CERT-In empanelled organisation under India's IT Act and cybersecurity guidelines.

CERT-In Empanelled
IT Act 2008 Aligned
Govt Recognised
100% Regulator Accepted

CERT-In Empanelled Information Security Audit

The Computer Emergency Response Team of India (CERT-In) maintains a panel of accredited information security auditing organisations authorised to conduct IS audits under the IT Act 2008 and associated guidelines. Intelliroot is a CERT-In empanelled organisation — meaning our audit reports carry government recognition and are accepted by courts, regulators, and procurement authorities without further verification.

Organisations subject to CERT-In directives — including those handling sensitive personal data, critical infrastructure operators, and entities required to report incidents to CERT-In — require periodic IS audits from empanelled firms. Intelliroot delivers these audits with the rigour, documentation standards, and regulatory alignment that government and enterprise clients demand.

Important: From April 2022, CERT-In's Directions under Section 70B(6) of the IT Act require covered entities to report cybersecurity incidents within 6 hours and maintain logs for 180 days. A CERT-In empanelled audit helps you assess readiness against these obligations and identify gaps before an incident occurs.

Why CERT-In Empanelment Matters

Government-Recognised Reports

Only empanelled organisations can issue IS audit certificates accepted by government agencies, courts, and regulatory bodies under the IT Act.

Mandatory for Regulated Sectors

Banks, NBFCs, insurers, PSOs, and critical infrastructure operators are required by their respective regulators to use CERT-In empanelled auditors.

Incident Reporting Readiness

Assess your capability to detect and report the 20 categories of cybersecurity incidents to CERT-In within the mandatory 6-hour window.

Tender & Procurement Compliance

Government tenders and enterprise RFPs increasingly require vendors to hold security certifications from CERT-In empanelled auditors.

CERT-In Directions 2022 · IT Act 2008 s.43A · IT (Amendment) Act 2008 · SPDI Rules 2011 · NCIIPC Guidelines

What the Audit Covers

IS Policy & Governance

  • Information security policy review
  • Roles, responsibilities, and accountability
  • Risk management framework assessment
  • Security awareness and training programme

Access Control & Identity

  • Privileged access management review
  • User provisioning and deprovisioning
  • Multi-factor authentication coverage
  • Password and account lockout policies

Network & Infrastructure Security

  • Firewall ruleset and segmentation review
  • Vulnerability assessment of critical systems
  • Patch management process effectiveness
  • Secure configuration baseline compliance

Incident Response & CERT-In Compliance

  • Incident detection and 6-hour reporting capability
  • Log retention (180-day compliance)
  • Incident classification against 20 CERT-In categories
  • Cyber crisis management plan review

Our Audit Methodology

01. Scoping & Information Gathering

Define audit scope, collect organisational context, asset inventory, and existing security documentation. Identify applicable CERT-In directives and sector-specific requirements.

02. Document Review & Policy Assessment

Review security policies, procedures, and governance documents against CERT-In guidelines, IT Act requirements, and SPDI Rules. Identify documentation gaps.

03. Technical Assessment

Conduct VAPT of internet-facing systems, internal network assessment, and configuration review of critical infrastructure components aligned to CERT-In audit requirements.

04. Interviews & Observations

Interview key personnel (CISO, IT staff, security team) and observe security operations to assess process maturity and control implementation effectiveness.

05. Gap Analysis & Risk Rating

Map findings against CERT-In control requirements and IT Act obligations. Assign risk ratings and identify mandatory compliance gaps requiring immediate remediation.

06. Report Issuance & Certification

Issue the CERT-In compliant audit report with all required annexures, signed by the empanelled auditor. Deliver the audit certificate suitable for regulatory submission.

CERT-In Empanelled · IT Act 2008 · SPDI Rules 2011 · Incident Reporting · Log Retention · VAPT · Critical Infrastructure · Govt Procurement

Frequently Asked Questions

CERT-In maintains a list of information security organisations that have been vetted and approved to conduct IS audits under the Information Technology Act 2008. Intelliroot is on this panel, meaning our audit reports carry official government recognition and are accepted by Indian regulators without further verification.

Any organisation subject to CERT-In Directions (2022) or sector-specific mandates from RBI, SEBI, IRDAI, or NCIIPC that require government-recognised IS audits. This includes banks, NBFCs, payment system operators, insurers, listed companies, and critical infrastructure operators.

Typically 2–4 weeks depending on the size and complexity of your IT environment. The audit covers document review, technical assessment, interviews, and report preparation. We can provide a detailed timeline after an initial scoping call.

Yes. A CERT-In empanelled audit report is broadly accepted across Indian regulatory bodies. However, some regulators (e.g., RBI for specific categories, SEBI CSCRF) have additional reporting templates. We can customise the report format and annexures to meet multiple regulatory requirements simultaneously.

Deliverables

CERT-In Compliant Audit Report

Full audit report signed by the CERT-In empanelled auditor, with all required annexures, suitable for regulatory submission.

Gap Assessment Register

Detailed register mapping each finding against CERT-In guidelines and IT Act requirements, with risk ratings and remediation recommendations.

VAPT Report

Vulnerability assessment and penetration testing report for internet-facing and critical internal systems, with CVSS-rated findings.

Remediation Roadmap

Prioritised action plan for addressing identified gaps, with effort estimates and compliance deadline alignment.

Audit Closure Certificate

Signed closure certificate issued after remediation verification — accepted for government tender submissions and regulatory enquiries.

Evidence Pack

Compiled evidence bundle including screenshots, log samples, and test results for audit trail and regulatory submission requirements.

GET STARTED
Accepting New Engagements · 24h Response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

Scoping Call with a Certified Consultant: 45-minute deep-dive with a senior practitioner — no sales pitch.
Proposal Delivered in 48 Hours: Fully scoped engagement plan with pricing and timeline.
Free Attack Surface Analysis: Preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled · ISO 27001 · OSCP · CEH · CISSP