If you’ve read an RBI circular, a SEBI requirement or a government tender, you’ve probably seen the phrase “audit by a CERT-In empanelled auditor.” For many regulated Indian organisations, that single line decides who is even allowed to test their systems. This guide explains what CERT-In empanelment actually is, why regulators lean on it, how the panel works, and what to look for when choosing a VAPT partner.
What is CERT-In?
CERT-In—the Indian Computer Emergency Response Team—is the national nodal agency for responding to cyber-security incidents, operating under the Ministry of Electronics and Information Technology (MeitY). It issues advisories, coordinates incident response, and sets baseline security practices for Indian entities.
CERT-In is also the body behind the well-known six-hour incident-reporting rule. Under its Directions issued on 28 April 2022 (effective 27 June 2022), a wide range of organisations must report notified cyber incidents to CERT-In within six hours of noticing them—one of the tightest reporting windows anywhere in the world.
What is CERT-In empanelment?
Separately from its incident-response role, CERT-In maintains a panel of empanelled information-security auditing organisations. To be empanelled, an audit provider goes through a formal evaluation of its technical capability, methodology and personnel. Once listed, the organisation is officially recognised by CERT-In to carry out information-security audits—including vulnerability assessment and penetration testing—for other entities.
In short: CERT-In empanelment is a government-recognised quality mark for security auditors. It signals that the provider has been vetted to a defined standard.
Why empanelment matters
1. It’s often mandatory
Government departments, PSUs and many regulated entities are required to have their security audits performed by CERT-In empanelled auditors. Sectoral regulators frequently reference the same expectation—so for RBI-regulated and SEBI-regulated organisations, empanelment can be a procurement prerequisite.
2. It reduces vendor risk
Empanelment gives buyers an independent baseline of trust before they hand over access to sensitive systems—useful due-diligence signal for any security engagement.
3. It aligns with incident-response obligations
Because CERT-In also sets the reporting rules, auditors familiar with its framework help organisations build detection and incident-response processes that can actually meet the six-hour window.
Empanelment is not the whole story
Empanelment tells you a provider cleared CERT-In’s bar—but it doesn’t, by itself, tell you how good the individual testers are or whether the methodology fits your environment. When you evaluate a VAPT partner, look at the full picture:
- Tester credentials – hands-on certifications such as OSCP, CPENT, CEH Master and ISO 27001 Lead Auditor indicate genuine offensive and audit skill.
- Methodology – alignment to OWASP, PTES, OSSTMM and (for adversary emulation) MITRE ATT&CK.
- Manual depth – real exploitation and business-logic testing, not just automated scans.
- Retesting – validation that your fixes actually closed the findings.
- Clear reporting – risk-ranked findings with business impact your board and auditors can act on.
How CERT-In empanelment works (in brief)
Providers apply to CERT-In and are assessed against defined technical and organisational criteria before being listed for a fixed empanelment period, after which they must renew. The panel is periodically refreshed, and organisations can verify a provider’s current status against CERT-In’s published list.
Frequently asked questions
Is a CERT-In empanelled audit legally required for every company?
Not universally. It is commonly required for government bodies, PSUs and specific regulated contexts, and is often specified in tenders and sectoral guidance. Many private organisations still choose empanelled auditors for the added assurance.
What is the CERT-In six-hour rule?
Under CERT-In’s 2022 Directions, covered entities must report notified cyber incidents to CERT-In within six hours of becoming aware of them.
How do I verify if an auditor is CERT-In empanelled?
CERT-In publishes its list of empanelled auditing organisations; always confirm a provider’s current status and empanelment validity directly against that list before contracting.
Choosing a VAPT partner in India
Selkey Cyber Security is an India-based cybersecurity consultancy delivering vulnerability assessment, penetration testing, red teaming, digital forensics and incident response, and compliance support mapped to ISO 27001, RBI, SEBI and DPDPA requirements. Our team holds hands-on credentials including OSCP, CEH Master, CPENT and ISO 27001 Lead Auditor, and every engagement is methodology-driven with a retest included.
Talk to Selkey about your VAPT or compliance audit →
This article is general information, not legal or regulatory advice. Confirm current CERT-In requirements and empanelment lists against official CERT-In sources.