A practical checklist for insurers navigating IRDAI's VAPT requirements — from selecting a CERT-In empanelled firm to board submission timelines and closure evidence for every finding severity.
## CERT-In Empanelment Verification

IRDAI mandates that all VAPT assessments be conducted by a CERT-In empanelled audit firm. Using a non-empanelled firm renders the entire assessment non-compliant.

- Verify the VAPT firm appears on the current CERT-In empanelled auditor list (updated annually)
- Confirm the empanelment certificate is valid for the assessment period (not expired or under renewal)
- Obtain a copy of the firm's CERT-In empanelment certificate for your records
- Verify the specific auditors assigned to your engagement hold valid CERT-In credentials
- Ensure the engagement letter explicitly references CERT-In empanelment status
- Cross-check the firm's empanelment number against the CERT-In online directory
> **Compliance Risk:** If your VAPT firm's empanelment lapses mid-assessment, the findings may be challenged by IRDAI during inspection. Verify empanelment validity before the engagement starts and confirm it covers the full assessment window.
## Severity-Based Remediation Deadlines

IRDAI prescribes strict remediation timelines based on finding severity. These deadlines run from the date the VAPT report is formally delivered.

| Severity | Remediation Deadline | Evidence Required | Escalation |
|---|---|---|---|
| CRITICAL | 7 days | Re-test confirmation + closure report | CISO + Board immediate notification |
| HIGH | 30 days | Re-test confirmation + closure report | CISO notification within 48 hours |
| MEDIUM | 90 days | Closure evidence in IS Audit report | Tracked in quarterly review |
| LOW | Next VAPT cycle | Noted in next assessment | Risk acceptance documented if deferred |

- Remediation tracker created within 24 hours of receiving VAPT report
- CRITICAL findings assigned to remediation owners with 7-day deadline and daily status updates
- HIGH findings assigned with 30-day deadline and weekly status tracking
- MEDIUM findings included in quarterly remediation plan with 90-day deadline
- LOW findings documented with risk acceptance rationale if deferred to next cycle
- Re-testing scheduled for all CRITICAL and HIGH findings after remediation
- Re-test results documented as formal closure evidence
## Board Submission Timeline

The IS Audit report, including VAPT findings and remediation status, must be submitted to the Board within 90 days of the financial year end.

- VAPT assessment completed before FY end (March 31) to allow 90-day board submission window
- IS Audit report compiled incorporating VAPT findings, remediation status, and residual risk
- Board submission deadline calculated: June 29 (90 days from March 31)
- Board presentation deck prepared with executive summary of VAPT findings by severity
- Board resolution recorded acknowledging the IS Audit report and VAPT findings
- Board-attested copy of IS Audit report filed for IRDAI inspection readiness
- Timeline evidence trail maintained: VAPT report date → remediation dates → board submission date
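The severity table and the board submission window above translate directly into a small remediation tracker. The following is an added example, not code from the page or from RiskSage: it computes each finding's due date and escalation path from the report delivery date, classifies the finding from the closure evidence the table requires (re-test plus closure report for CRITICAL/HIGH, closure evidence for MEDIUM, risk acceptance for a deferred LOW), and derives the board submission date from the FY end. The `Finding` fields, the sample findings and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# (deadline in days from VAPT report delivery, escalation path) per the IRDAI table; LOW rolls to the next cycle.
SEVERITY = {"CRITICAL": (7, "CISO + Board immediate notification"),
            "HIGH": (30, "CISO notification within 48 hours"),
            "MEDIUM": (90, "Tracked in quarterly review"),
            "LOW": (None, "Risk acceptance documented if deferred")}

@dataclass
class Finding:                      # assumed tracker record; field names are this example's own
    fid: str
    severity: str
    retest_confirmed: bool = False  # re-test by the empanelled firm passed
    closure_report: bool = False    # closure report / IS Audit closure evidence filed
    risk_accepted: bool = False     # signed risk acceptance memo (deferred LOW finding)

def deadline_for(report_date, severity):
    days = SEVERITY[severity][0]    # None for LOW: due in the next VAPT cycle
    return None if days is None else report_date + timedelta(days=days)

def finding_status(f, report_date, today):
    # CLOSED, DEFERRED, OPEN or OVERDUE, per the closure evidence each severity needs
    if f.severity in ("CRITICAL", "HIGH"):
        if f.retest_confirmed and f.closure_report:  # re-test is mandatory here
            return "CLOSED"
    elif f.closure_report:                            # MEDIUM and LOW
        return "CLOSED"
    elif f.severity == "LOW" and f.risk_accepted:
        return "DEFERRED"
    due = deadline_for(report_date, f.severity)
    return "OVERDUE" if due is not None and today > due else "OPEN"

def board_submission_deadline(fy_end):
    return fy_end + timedelta(days=90)  # IS Audit report due 90 days after FY end

REPORT_DATE, TODAY, FY_END = date(2025, 3, 10), date(2025, 3, 25), date(2025, 3, 31)  # constructed sample
SAMPLE_FINDINGS = [Finding("F-1", "CRITICAL"),                         # 7-day deadline missed
                   Finding("F-2", "CRITICAL", retest_confirmed=True),  # re-tested, closure report missing
                   Finding("F-3", "HIGH", retest_confirmed=True, closure_report=True),
                   Finding("F-4", "MEDIUM"),
                   Finding("F-5", "LOW", risk_accepted=True)]

def sample_tracker():
    # one row per finding: (status, due date as ISO string, escalation), plus the board date
    rows = {}
    for f in SAMPLE_FINDINGS:
        due = deadline_for(REPORT_DATE, f.severity)
        rows[f.fid] = (finding_status(f, REPORT_DATE, TODAY),
                       due.isoformat() if due else "next VAPT cycle", SEVERITY[f.severity][1])
    rows["board_submission_due"] = board_submission_deadline(FY_END).isoformat()
    return rows
```

Note that F-2 stays OVERDUE despite a passed re-test: the table requires both the re-test confirmation and the closure report before a CRITICAL finding counts as closed.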
## IRDAI.AUDIT.1 Closure Evidence Requirements

Each VAPT finding tagged under IRDAI.AUDIT.1 requires specific closure evidence. Incomplete evidence is treated as an open finding during inspection.

- Re-test report from CERT-In empanelled firm confirming the vulnerability is resolved
- Screenshot evidence showing the remediated state of the affected system
- Configuration change record with before/after states documented
- Patch deployment record with version numbers, deployment date, and affected systems
- Risk acceptance memo (for deferred findings) signed by CISO and approved by Board/Risk Committee
- Compensating control documentation if the vulnerability cannot be directly remediated
- Closure sign-off by the VAPT firm and internal CISO/IT Head
## IS Audit Report Format

The IS Audit report submitted to the Board and available for IRDAI inspection must follow a structured format:

1. Executive Summary — Overall security posture, key risk areas, and year-over-year comparison
2. Scope Statement — Systems, applications, and infrastructure covered in the VAPT assessment
3. Methodology — Testing approach (black box, grey box, white box), tools used, CERT-In empanelment reference
4. Findings Summary — Count by severity (Critical, High, Medium, Low) with trend analysis
5. Detailed Findings — Each finding with description, affected system, severity, evidence, and remediation recommendation
6. Remediation Status — Current status of each finding (Closed, In Progress, Deferred) with evidence references
7. Residual Risk Statement — Outstanding risks with compensating controls and risk acceptance approvals
8. Compliance Mapping — IRDAI cybersecurity guideline clause-to-finding mapping
9. Recommendations — Strategic and tactical recommendations for the next assessment cycle
10. Annexures — CERT-In empanelment certificate, re-test reports, board resolution, timeline evidence
## RiskSage Capability

RiskSage by CreativeCyber automates IRDAI VAPT compliance tracking — severity-based remediation deadlines with automated escalation, IRDAI.AUDIT.1 closure evidence management, board submission timeline tracking, and IS Audit report generation in IRDAI-compliant format.