If you have ever responded to a BFSI tender, applied for a payment-aggregator license, or shipped a SEBI Cybersecurity & Cyber Resilience Framework audit report, you have run into the same procurement problem that the CERT-In empanelled auditor list exists to solve. The clause is short. Verifying a vendor’s status against the current list is annoying. Mis-reading it has cost more than one Bangalore CTO a re-tender.
This guide is the operational walkthrough we wish we had handy when we first got empanelled, written from the perspective of the buyer doing due diligence rather than the auditor selling services. Skip ahead to the verification checklist if you are mid-RFP. Otherwise, the article moves top-down: what empanelment is, how the list is structured, how to verify a vendor’s status, what changes in 2026, and what the Indian regulatory environment expects from buyers who depend on it.
What CERT-In empanelment actually is
CERT-In — the Indian Computer Emergency Response Team, an office under the Ministry of Electronics and Information Technology — maintains a published list of third-party organisations technically vetted to perform information-security audits and incident-response engagements for Indian regulated entities. Empanelment is granted for a defined period (typically three years), is renewable, and follows a documented assessment that includes:
- A technical capability review covering scope of services, methodology documentation, and staff certifications
- A financial-fitness due-diligence review
- A sample-audit verification by CERT-In’s own technical team
- Periodic compliance reviews during the three-year empanelment period
The empanelled organisation is issued a unique empanelment number which appears on its certificate of audit and which procurement teams use to verify the engagement was performed by an authorised auditor.
The empanelment is not a quality certification — it is a gate that identifies which auditors are authorised to perform certain regulator-required assessments. Two empanelled firms can deliver very different work; the empanelment only confirms that both met CERT-In’s minimum bar.
Why empanelment matters for Indian buyers
Empanelment matters in three concrete ways for any Bangalore organisation buying security services. Each maps to a specific regulatory or commercial requirement.
1. Tender eligibility for BFSI, government, and capital-markets
Most banking, NBFC, payment-aggregator, government, telecom, and capital-markets RFPs include a clause requiring the auditor to be CERT-In empanelled. The clause is usually located in the technical-eligibility section of the tender document. Non-empanelled vendors are filtered out before the financial bid is evaluated; the price quoted does not even get read.
2. Sectoral regulatory requirements
The Reserve Bank of India’s Master Direction on Outsourcing of Information Technology Services (April 2023) explicitly references CERT-In empanelment as a requirement for vendors performing security assessments for regulated entities. SEBI’s CSCRF framework repeats the requirement for Market Infrastructure Institutions, Qualified REs, and other regulated participants. IRDAI’s information-security guidelines for the insurance sector follow the same pattern. The throughline is that for any Indian regulated entity, the audit needs to come from an empanelled firm.
3. CERT-In incident-reporting framework
Direction No. 20(3)/2022, issued on 28 April 2022, obliges Indian organisations to report specific cyber-security incidents to CERT-In within six hours of noticing them. The reporting framework presupposes a documented audit relationship and an incident-response plan reviewed against current best practice — relationships easiest to establish through an empanelled auditor. Our own operational experience is that incidents handled by empanelled firms move faster through the CERT-In-side workflow because the regulator-facing relationships are pre-established.
How the empanelment list is structured
CERT-In publishes the empanelment list on its official site at cert-in.org.in/auditors. The list is structured by service category: different categories of auditing work require different empanelment status, and a firm may be empanelled for some categories but not others.
The current category structure (subject to refinement at each empanelment cycle):
- Information Security Audit Services
- Application Security Audits
- ISO 27001 / ISMS implementation and assessment
- Penetration Testing and Vulnerability Assessment
- ICT Audits
- Source Code Audits
- Wireless Network Audits
- Network Security Audits
A vendor’s empanelment status is category-specific. When verifying a vendor’s empanelment, confirm not only that the firm is on the list but that it is on the list for the specific category your engagement requires. A firm empanelled for ISO 27001 implementation but not for VAPT cannot lawfully perform CERT-In-required VAPT under a regulator’s expectation.
Verify empanelment — the 90-second checklist
If you are actively shortlisting auditors and need to confirm a vendor’s status, do this:
- Open cert-in.org.in/auditors in a fresh browser tab.
- Locate the most recent published list (PDF or web page; format varies by quarter).
- Search the document for the firm’s exact registered name.
- Confirm the empanelment number matches what the firm provided.
- Confirm the service category matches your engagement scope.
- Confirm the validity period spans the date of your engagement kickoff and projected completion.
- If the firm is listed but with a different name (post-merger, post-rebranding), require written confirmation from CERT-In or the firm itself that the empanelment carries through.
That is all. Verifying takes well under two minutes if you have the firm’s empanelment number, and about ten minutes if you need to search the list for a partial match. The bigger procurement teams maintain their own internal “verified vendor” register that they refresh quarterly against CERT-In’s published list.
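The checklist above, written out as a small verifier so a procurement team can run it against its own internal copy of the list. This is an added example, not code from the article or from API4SOC2; the list entries, entity names, empanelment numbers and dates are constructed placeholders, and the quarterly refresh interval is an assumption drawn from the “refresh quarterly” practice described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of an empanelment list. Names, empanelment numbers,
# categories and dates are placeholders, not values from the real
# cert-in.org.in/auditors list.
EMPANELMENT_LIST = [
    {"name": "Example Security Services Pvt Ltd",
     "number": "CERT-IN-EXAMPLE-001",
     "categories": {"Penetration Testing and Vulnerability Assessment",
                    "Information Security Audit Services"},
     "valid_from": date(2024, 4, 1), "valid_to": date(2027, 3, 31)},
    {"name": "Sample ISMS Consultants LLP",
     "number": "CERT-IN-EXAMPLE-002",
     "categories": {"ISO 27001 / ISMS implementation and assessment"},
     "valid_from": date(2023, 1, 1), "valid_to": date(2025, 12, 31)},
]


@dataclass
class Claim:
    """What the vendor stated in its bid, plus the engagement window."""
    name: str
    number: str
    category: str
    kickoff: date
    completion: date


def verify_claim(claim, listing=EMPANELMENT_LIST):
    """Apply the checklist. Returns (status, reasons) where status is
    VERIFIED, VERIFIED_PENDING_CONFIRMATION (listed under another name,
    written confirmation required) or REJECTED."""
    reasons = []
    # Step 1: the exact registered name must appear on the list.
    entry = next((e for e in listing if e["name"] == claim.name), None)
    if entry is None:
        # A merged or rebranded firm may be listed under its old name;
        # locate it by number but never accept on the number alone.
        entry = next((e for e in listing if e["number"] == claim.number), None)
        if entry is None:
            return "REJECTED", ["NOT_LISTED"]
        reasons.append("NAME_MISMATCH: listed as %r" % entry["name"])
    # Step 2: the empanelment number must match what the firm provided.
    if entry["number"] != claim.number:
        reasons.append("NUMBER_MISMATCH")
    # Step 3: the listed categories must cover the engagement scope.
    if claim.category not in entry["categories"]:
        reasons.append("CATEGORY_MISMATCH")
    # Step 4: validity must span kickoff through projected completion.
    if not (entry["valid_from"] <= claim.kickoff
            and claim.completion <= entry["valid_to"]):
        reasons.append("VALIDITY_GAP")
    if any(not r.startswith("NAME_MISMATCH") for r in reasons):
        return "REJECTED", reasons
    return ("VERIFIED_PENDING_CONFIRMATION" if reasons else "VERIFIED"), reasons


def reverification_due(last_verified, today, interval_days=90):
    """Quarterly refresh rule for an internal verified-vendor register
    (90-day interval is an assumption)."""
    return today - last_verified >= timedelta(days=interval_days)
```

A claim that fails on category or validity is rejected outright, while a name that differs from the listing is only held pending written confirmation, matching the last step of the checklist.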
What changes in 2026
The empanelment cycle that opened in 2023 is approaching end-of-period for many initially-empanelled firms. The 2026 outlook:
- Renewal cycle is active. Several initially-empanelled firms are mid-renewal as of Q2 2026. Procurement teams should re-verify any vendor whose empanelment number begins with a 2023 cohort identifier.
- Tighter category alignment. CERT-In has signalled in industry consultations that category boundaries will be more strictly enforced — a firm empanelled for VAPT may not be acceptable for an ISO 27001 implementation review unless additionally empanelled for that category.
- Expanded reporting expectation. Direction 20(3)/2022 reporting obligations are increasingly being audited as part of the empanelled-firm engagement, not as a separate compliance item. Empanelled firms are expected to assist with the incident-reporting workflow as a standard part of the engagement.
- Increased regulator-coordination intensity. Empanelled firms are increasingly being asked to attend regulator-led coordination meetings on sectoral cyber-resilience drills. Smaller empanelled firms unable to support that coordination may struggle in the next renewal cycle.
Common verification mistakes
Across our 11 years of regulator-engagement work, we see the same verification mistakes recur often enough to flag them.
Mistake 1 — Trusting the vendor’s marketing claim without checking the list
A surprising fraction of “CERT-In empanelled” claims on vendor marketing pages are either out-of-date (the empanelment lapsed at the last renewal cycle) or scope-mismatched (the firm is empanelled for one category but is being engaged for another). Always verify on the live list, not the vendor’s website.
Mistake 2 — Assuming empanelment is a quality signal
It is not. Empanelment is a gate; quality is independent. The right diligence is empanelment-verification plus technical-quality assessment plus engagement-track-record review. We have seen procurement teams accept any empanelled vendor on price alone, then receive deliverables thin on actual security findings. The empanelment was met; the audit was useless.
Mistake 3 — Ignoring category mismatch
A firm empanelled for “Information Security Audit Services” is generally not empanelled for “Source Code Audits” without a separate listing. For source-code review or specialised wireless audit work, confirm the specific category. Generic empanelment does not transfer.
Mistake 4 — Not re-verifying at engagement renewal
Empanelment can lapse; a firm that was empanelled when initially engaged may not be empanelled at renewal. Re-verify at every contract renewal touchpoint.
Choosing among empanelled firms
Once you have a shortlist of empanelled vendors, the differentiation moves to qualitative factors. The questions worth asking:
- Manual-effort percentage. What fraction of the engagement is senior-engineer manual analysis versus automated scanner output? See our VAPT methodology page for the breakdown we publish.
- Engagement-track record in your specific sector. A firm empanelled and active across BFSI is structurally better-positioned than a firm empanelled but with a portfolio of non-BFSI clients.
- Partner-level accountability. Who specifically signs the engagement report? Are they the same partner who attends the regulator-coordination meetings? Are they Bangalore-based for in-person review meetings?
- Pricing transparency. Can the vendor publish pricing? Will they fix the engagement fee in writing before kickoff?
- Re-test and remediation policy. Are re-tests included in the SOW, or billed separately? Vendors that bill separately are typically pricing for low-quality first-cycle delivery.
We answer all five specifically and in writing during scoping. They are good diligence questions regardless of which empanelled firm you ultimately engage.
Empanelment beyond the list — regulator engagement
The most-experienced empanelled firms operate beyond the formal list — they participate in CERT-In-led industry-coordination forums, contribute to sectoral cyber-resilience drills, support specific regulator engagements, and feed threat-intelligence into the CERT-In coordination function. This regulator-engagement layer is invisible from the published list but is the single largest indicator of a firm’s substantive capability.
For Indian buyers, the practical implication is that an empanelled firm whose partners are personally known to CERT-In’s sectoral coordinators will resolve incidents and clarify regulatory ambiguity materially faster than an empanelled firm without that relationship. The empanelment list says who is allowed; the regulator-network depth says who actually delivers.
Empanelment and adjacent regulatory frameworks
Empanelment intersects with several adjacent frameworks Indian buyers should be aware of:
- DPDP Act 2023. The Data Protection Board may require independent audit of Significant Data Fiduciaries. CERT-In empanelment is a strong proxy for the auditor’s qualification, though DPB may publish its own qualification list separately. See our DPDP service page.
- SEBI CSCRF. The framework explicitly references CERT-In empanelment for the auditor. Cross-reference with our SEBI CSCRF page.
- RBI cybersecurity guidance. The 2023 outsourcing master direction expects empanelled auditors for periodic VAPT cycles. RBI may issue separate empanelment expectations for specific entity types.
- FIU-IND VDA framework. Virtual Digital Asset Service Providers register with FIU-IND for AML/CFT obligations; the security-audit obligations under that framework reference CERT-In empanelment. See our crypto exchange page.
- UAE VARA. While VARA is its own regulator, Indian-origin VASPs operating in both jurisdictions typically maintain CERT-In empanelment for the Indian-side compliance and engage UAE-licensed firms for the VARA-side. See our UAE VASP page.
How API4SOC2 thinks about empanelment
Empanelment is the floor for our work, not the ceiling. We were among the empanelled firms in the 2018 cohort and have been continuously empanelled across the 2018, 2021, and 2024 cycles. Our partners have personally attended CERT-In sectoral-coordination events for over a decade and maintain working relationships with the technical-supervision teams.
That said, we are conscious that empanelment can become a marketing claim rather than a delivery commitment. We treat it as the start of the engagement-quality conversation, not the end. Procurement teams that have asked the harder questions — manual-effort percentage, partner-level accountability, retest policy, pricing transparency — typically get materially better outcomes than teams that stopped at the empanelment-tick checkbox.
Practical next steps
If you are mid-RFP and need to verify an auditor’s empanelment, the 90-second checklist above is the operational answer. If you are building a vendor diligence framework for the next 12 months, layer empanelment verification with the qualitative differentiators discussed in Choosing among empanelled firms. If you are about to scope a new VAPT engagement, our VAPT services page walks through the methodology and our pricing transparency for context.
For organisations that want a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope and fixed price in INR before kickoff, the empanelment number printed on the audit certificate, and direct partner-level relationship through the engagement.
Frequently asked questions about CERT-In empanelment
How long is a CERT-In empanelment valid for? Empanelment is granted for a defined period, typically three years, with provision for periodic compliance reviews during the period. At the end of the period, the firm must reapply for renewal, which triggers another full assessment. Some firms have been continuously empanelled across multiple cycles spanning a decade or more; others have lapsed and re-empanelled later.
Can a firm be empanelled for one category but not another? Yes. The empanelment is category-specific. A firm empanelled for “Information Security Audit Services” but not for “Penetration Testing and Vulnerability Assessment” cannot lawfully perform CERT-In-required VAPT under a regulator’s expectation. Always verify category-specific empanelment, not just general empanelment status.
What happens if I engage a non-empanelled firm for a regulator-required audit? The audit report will likely be rejected by the regulator. For RBI-regulated entities, this can trigger supervisory follow-up including additional inspection scope. For SEBI-regulated entities, it can create findings in the next thematic inspection. For government tenders, the bid is filtered out before financial evaluation.
Are international firms (Big-4 global, KPMG, EY, etc.) automatically empanelled? No. The empanelment is granted to specific Indian-resident legal entities, not to global firm names. KPMG India may be empanelled while KPMG US is not. Always verify the specific Indian entity name on the CERT-In list.
Can I see a sample CERT-In audit report before engaging? Most empanelled firms can share anonymised redacted samples under NDA. The sample should show: severity-graded findings with reproduction steps; CVSS scoring; remediation guidance; CERT-In-aligned reporting structure; signature of the empanelled lead auditor with their empanelment number printed on the certificate.
How do firms get empanelled in the first place? Empanelment requires a formal application to CERT-In including: technical capability documentation, financial-fitness review, sample audit verification, and ongoing compliance commitments. The application process typically takes 6–12 months. Firms must demonstrate specific technical credentials, staff qualifications, and methodology depth.
What is the difference between CERT-In empanelment and ISO 27001 certification? CERT-In empanelment is for the auditor (the firm conducting the audit). ISO 27001 is a certification that the audited organisation may hold. The two are independent: an ISO-27001-certified organisation may be audited by a CERT-In empanelled auditor; the auditor’s empanelment is what matters for the audit’s regulatory acceptability.
Can a smaller firm without Big-4 brand recognition still produce defensible reports? Yes, provided the firm holds current empanelment and the audit is delivered to professional standards. Brand recognition is rarely the operational differentiator; methodology depth, partner-level accountability, and India regulatory experience matter more. We routinely place reports with Tier-1 banks and major exchanges as a CERT-In empanelled firm without Big-4 branding.
Does empanelment cover incident-response work specifically? Yes, for firms empanelled in the relevant categories. CERT-In Direction 20(3)/2022 reporting and post-incident forensics work generally fall under “Information Security Audit Services” empanelment, with some incident-specific work also touching “Penetration Testing” empanelment. Confirm category coverage before engaging for incident-response retainers.
How do I know if my tender’s empanelment requirement applies to a specific scope? Read the tender clause carefully. Common phrasings: “The auditor shall be CERT-In empanelled” (general); “The auditor shall be CERT-In empanelled for Penetration Testing and Vulnerability Assessment” (category-specific). When in doubt, ask the tender authority to clarify before submitting; the answer affects vendor shortlisting.
What recourse do I have if my empanelled vendor under-delivers? First, escalate within the firm to partner-level. Second, document the under-delivery and consider termination. Third, in egregious cases, file a complaint with CERT-In which can trigger empanelment review. The empanelment status is a privilege contingent on continued professional conduct.
Does the empanelment requirement apply to internal audit teams? No. The empanelment requirement applies to external auditors performing regulator-required assessments. Internal audit teams conducting internal reviews do not require individual empanelment, though the organisation’s overall security programme may still need an external empanelled audit at the prescribed cadence.
How to switch CERT-In empanelled auditors well
For organisations transitioning from one empanelled auditor to another (often at empanelment renewal or after engagement-quality issues), specific transition practices reduce continuity risk.
Document the prior auditor’s findings status. Open findings, closed findings, and findings still under remediation should be documented before the auditor change. The new auditor will reference this status in their first engagement.
Transfer the evidence base. Most empanelled auditors maintain evidence repositories. Coordinate transfer to the new auditor or to your internal repository so the historical evidence remains accessible.
Schedule the transition between audit cycles, not during. Switching auditors mid-cycle creates findings-status ambiguity. The cleanest transitions happen between annual or quarterly audit cycles.
Brief the new auditor on regulatory engagement history. Prior interactions with sectoral regulators, prior incident-response coordination, prior CERT-In submissions should all be documented for the new auditor.
Maintain continuity through the transition. A 2–4 week overlap during which both auditors have access produces a smoother transition than a hard cut-over.
CERT-In coordination beyond the audit relationship
Empanelled auditor relationships extend beyond the formal engagement. Mature auditor relationships involve ongoing CERT-In coordination that benefits the audited organisation indirectly.
CERT-In advisories and threat intelligence. Empanelled auditors typically receive CERT-In advisories before public release and incorporate them into ongoing client work. Organisations whose auditor has strong CERT-In coordination benefit from earlier visibility.
Sectoral coordination forums. CERT-In facilitates sectoral coordination — banking sector, capital markets, telecom, healthcare. Empanelled auditors active in these forums bring sectoral context to client engagements.
Industry incident analysis. Empanelled auditors handling material incidents contribute lessons-learned to CERT-In’s broader threat-analysis function, indirectly benefiting other organisations through advisory updates.
Direct CERT-In engagement on regulatory questions. When clients face regulatory ambiguity, empanelled auditors can typically obtain CERT-In-side clarification faster than direct client outreach.
The qualitative differentiator between empanelled firms is often the depth of these informal coordination mechanisms rather than the formal audit deliverable quality. Procurement teams evaluating empanelled firms should consider this dimension explicitly.
What to track in your CERT-In empanelment register
Procurement teams managing multiple empanelled-auditor relationships benefit from a structured register tracking:
Vendor name and registered legal entity. Specific Indian-resident legal entity (not parent firm name).
Empanelment number. Unique identifier on CERT-In list.
Empanelment categories. Specific service categories the firm is empanelled for.
Empanelment period. Validity dates for each empanelment cycle.
Last verification date. When you last verified the empanelment status on the live CERT-In list.
Engagement history. Past engagements with this firm, including dates, scope, and outcome quality.
Partner-level contacts. Named partners with their contact information.
Compliance-history flags. Any concerns about the firm’s compliance posture or service quality from past engagements.
Regularly-refreshed empanelment registers reduce procurement risk and accelerate vendor selection cycles.