What is CERT-In Empanelment? Why Your VAPT Provider Must Be Empanelled
If you have been evaluating cybersecurity companies in India, you have almost certainly encountered the term “CERT-In empanelled.” Vendors prominently advertise their empanelment status, and procurement teams increasingly require it as a baseline criterion. Yet many security buyers do not fully understand what CERT-In empanelment actually means, what it takes to achieve, or why it matters for their specific compliance situation.
This guide explains CERT-In empanelment from the ground up — what CERT-In is, what empanelment signifies, how to verify it, and, critically, which types of security assessments legally require an empanelled vendor versus those where empanelment is a quality signal rather than a regulatory requirement.
What Is CERT-In?
CERT-In — the Indian Computer Emergency Response Team — is the national nodal agency for responding to cybersecurity incidents in India. Established under the Information Technology Act, 2000, and formally constituted under the IT (Amendment) Act 2008, CERT-In operates under the Ministry of Electronics and Information Technology (MeitY). Its functions include:
- Collecting, analysing, and disseminating information on cyber incidents
- Forecasting and alerting about cybersecurity incidents
- Coordinating cyber incident response activities
- Issuing guidelines, advisories, and directions on information security practices
- Empanelling information security auditing organisations
- Issuing directions to intermediaries, data centres, and government bodies on cybersecurity compliance
CERT-In’s 2022 Directions (issued under Section 70B(6) of the IT Act) significantly expanded its regulatory authority, mandating six-hour incident reporting for a wide range of organisations, requiring maintenance of ICT system logs for 180 days, and establishing requirements for synchronised system clocks. These directions cemented CERT-In as a primary cybersecurity regulator for Indian organisations.
What Does CERT-In Empanelment Mean?
CERT-In maintains a list of empanelled information security auditing organisations — firms that CERT-In has evaluated and approved to conduct security audits, vulnerability assessments, and penetration tests on behalf of Indian organisations. Empanelment is, in essence, a government-level quality certification for cybersecurity assessment companies.
An empanelled organisation has demonstrated to CERT-In’s satisfaction that it has:
- Qualified and certified security professionals (minimum standards for team credentials)
- Documented and validated assessment methodologies
- Infrastructure and tools appropriate for conducting information security audits
- Processes for maintaining confidentiality of client information
- Appropriate legal and regulatory compliance as an organisation
Empanelment is not a one-time award. Organisations must maintain their empanelment by meeting ongoing standards, and CERT-In can revoke empanelment for non-compliance or quality failures. The list is periodically updated and published at cert-in.org.in.
Eligibility Requirements for CERT-In Empanelment
To apply for CERT-In empanelment, an organisation must typically meet these criteria (requirements may be updated — always refer to the current CERT-In guidelines):
- Legal entity: Must be a registered Indian company under the Companies Act or a firm registered in India
- Qualified staff: Minimum number of certified professionals — CISSP, CISA, CEH, OSCP, or other recognised certifications — across the team
- Methodology documentation: Documented, repeatable assessment methodologies for network VAPT, web application VAPT, and other relevant service lines
- Prior experience: Demonstrated track record of conducting information security audits, with client references
- Infrastructure: Appropriate tools and laboratory environment for conducting assessments
- Confidentiality controls: Documented information handling and confidentiality procedures
- Non-disclosure with foreign entities: Restrictions on sharing findings with foreign entities — a national security consideration
The application process involves submitting documentation to CERT-In, followed by a review and potentially an interview or assessment of the applicant organisation’s capabilities. Successful applicants are listed on the CERT-In website.
How to Verify CERT-In Empanelment
Verification is straightforward and should always be done before engaging a security auditor for compliance-driven work:
- Visit cert-in.org.in
- Navigate to the “Empanelled Information Security Auditing Organisations” section
- Search for the vendor’s company name in the published list
- Confirm the empanelment is current (the list is dated; check the last updated date)
Do not accept self-reported empanelment claims without independent verification. Some vendors falsely claim empanelment. The CERT-In website is the authoritative source — if the company is not on the list, it is not empanelled.
MDIT Services is a CERT-In empanelled information security auditing organisation. Our empanelment can be verified directly at cert-in.org.in.
Why CERT-In Empanelment Matters — Compliance Context
Government and Critical Information Infrastructure
CERT-In Directions and the Information Technology Act require that information security audits of government systems and Critical Information Infrastructure (CII) be conducted by empanelled organisations. CII sectors include power, banking, telecommunications, transport, e-governance, and strategic enterprises. If you supply IT services to government entities or operate within CII sectors, your security auditor must be empanelled — this is a legal requirement, not a preference.
RBI-Regulated Entities
The Reserve Bank of India’s IT Examination Framework and Cybersecurity Framework for banks, NBFCs, payment aggregators, and Urban Cooperative Banks explicitly reference CERT-In empanelled organisations for conducting security audits. While the RBI framework does not always use the precise term “CERT-In empanelled” in every guideline, the Master Directions reference MeitY-approved auditors, which in practice means CERT-In empanelled firms. RBI inspectors routinely ask to see the VAPT report and enquire about the auditor’s empanelment status.
SEBI-Regulated Entities
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) for registered intermediaries (stock brokers, depository participants, asset management companies, mutual funds) requires annual security audits conducted by CERT-In empanelled auditors. Compliance reports submitted to stock exchanges and SEBI must identify the auditing organisation and its empanelment status.
IRDAI-Regulated Entities
IRDAI’s guidelines on information and cybersecurity for insurance companies reference the requirement for cyber audits by qualified assessors, and empanelled organisations are the standard for regulatory acceptance.
CERT-In Incident Response
Following a significant cyber incident, CERT-In may require the affected organisation to conduct a forensic audit and security assessment. In such cases, CERT-In itself expects the audit to be conducted by an empanelled organisation to ensure the quality and objectivity of findings.
Services That Typically Require a CERT-In Empanelled Auditor
- Information security audits for government ministries, departments, and public sector undertakings
- VAPT for RBI-regulated entities (banks, NBFCs, payment aggregators)
- Security audits for SEBI-registered intermediaries
- Security assessments for Critical Information Infrastructure operators
- ISO 27001 pre-certification security assessments where regulatory submission is required
- PCI DSS security assessments requiring regulator acceptance
- Post-incident forensic audits mandated by CERT-In or any regulator
Services Where Empanelment Is a Quality Signal (Not Mandatory)
For some use cases, CERT-In empanelment is not a legal requirement but remains an important quality and trust indicator:
- Web application VAPT for private companies with no regulatory mandate
- Security assessments commissioned purely for internal risk management
- Bug bounty programme management
- Developer security training
Even in these cases, choosing an empanelled firm significantly reduces the risk of receiving substandard assessment work, since empanelment establishes a minimum quality floor.
CERT-In Empanelment vs ISO 27001 vs CREST — Understanding the Differences
Buyers sometimes encounter multiple quality markers and are uncertain how they relate:
- CERT-In empanelment: India-specific government approval for conducting information security audits. Required for regulatory submissions in India.
- ISO 27001 (company): The auditing company itself is ISO 27001-certified, meaning its own information security management system is audited. A useful quality indicator but not a substitute for CERT-In empanelment for regulatory work.
- CREST: UK-based international certification for penetration testing companies and individuals. Well-regarded globally but not a regulatory requirement in India. CREST-certified testers within a CERT-In empanelled firm represent a strong combination.
- OSCP/CEH (individual certifications): Certifications held by individual testers, not the company. Ensure the tester conducting your assessment holds relevant credentials.
The strongest quality signal is a CERT-In empanelled company whose individual testers hold OSCP, CREST, or equivalent certifications and who can demonstrate a library of real assessment reports from similar engagements.
Red Flags That Indicate a Vendor Is Not Genuinely Empanelled
- Cannot provide their company name as listed on the CERT-In website
- Claims to be “applying for empanelment” — only active empanelment is valid for compliance
- Cannot produce a VAPT report from a past engagement that shows their company credentials
- Quotes prices significantly below market (₹5,000–₹15,000 for a web app VAPT) — genuine CERT-In empanelled assessments require qualified staff time and cannot be delivered at these prices
- Does not produce a signed Rules of Engagement document before testing
MDIT Services — CERT-In Empanelled Information Security Auditors
MDIT Services is a CERT-In empanelled information security auditing organisation headquartered in New Delhi. We deliver VAPT, security audits, red team exercises, and managed security services to organisations across BFSI, government, healthcare, IT, and manufacturing sectors. Our VAPT reports are accepted by RBI, SEBI, IRDAI, and CERT-In for regulatory compliance submissions.
Our team comprises certified professionals holding OSCP, CEH, CISA, and other recognised credentials. We maintain documented assessment methodologies aligned with OWASP, PTES, NIST SP 800-115, and MITRE ATT&CK frameworks.
With 200+ clients across India, MDIT has a demonstrated track record supporting regulated entities in meeting their mandatory security audit requirements with high-quality, compliance-grade assessment reports.
Engage a CERT-In Empanelled VAPT Provider
Contact MDIT Services to initiate a scoped VAPT engagement. We will confirm our current empanelment status, provide a sample report structure, and issue a detailed proposal within 24 hours of scope confirmation.
Visit: mditservices.in/contact | Email: info@mditservices.in | Call: +91-11-XXXX-XXXX
