CERT-In empanelled information & cyber security audits mapped to the IRDAI Information and Cyber Security Guidelines, 2023 — for insurers, reinsurers and insurance intermediaries. We deliver the annual assurance audit, the prescribed report and certificate, and the VAPT that the guidelines require.
The Insurance Regulatory and Development Authority of India sets detailed information and cyber security expectations for the entities it regulates — and requires an independent, comprehensive assurance audit each year to demonstrate that those controls are in place and effective.
The IRDAI Information and Cyber Security Guidelines, 2023 consolidated and strengthened the earlier 2017 framework and its 2020 and 2022 amendments, extending coverage across the insurance value chain and prescribing the audit report format, auditor eligibility and certificate. Our practice delivers that audit end to end: governance and control assessment, VAPT, the prescribed report and certificate, and support through your IRDAI submission.
As a CERT-In empanelled auditing organization, we meet the auditor-eligibility expectations of the guidelines and bring a structured, insurance-sector audit methodology so nothing in the framework is missed.
The 2023 guidelines apply across the insurance value chain. Intermediaries are categorised by gross insurance revenue, which shapes the depth of their obligations.
| Regulated entity | Applicability under the 2023 Guidelines | Assurance |
|---|---|---|
| Life, General & Health Insurers | Full guidelines; NIST framework (Annexure I) | Annual + VAPT 2×/yr |
| Reinsurers & Foreign Reinsurance Branches | Full guidelines | Annual + VAPT 2×/yr |
| Insurance Brokers & Corporate Agents | Per classification, by gross revenue (Annexure II) | Annual |
| Web Aggregators & Insurance Marketing Firms | Per classification | Annual |
| Third-Party Administrators (TPAs) | Applicable | Annual + VAPT |
| Insurance Repositories & ISNP | Applicable | Annual + VAPT |
| MISPs, Corporate Surveyors & CSCs | Applicable | Periodic |
| Insurance Information Bureau (IIB) | Applicable | Annual |
| Agents, PoSPs & Individual Surveyors | Outside direct scope; covered via the insurer's minimum framework | Through insurer |
Applicability and cadence are indicative and depend on the current IRDAI guidelines and your intermediary classification. Insurance agents, micro-insurance agents, point-of-sale persons and individual surveyors are outside the direct scope, but insurers must ensure they follow a minimum security framework. We confirm exact scope during planning.
We map your audit to each obligation the IRDAI framework imposes.
- The consolidated 2023 framework, superseding the 2017 guidelines and the 2020 and 2022 amendments, covering insurers and intermediaries across the value chain.
- An annual information & cyber security audit, overseen by the Risk Management Committee and conducted by an auditor meeting the prescribed eligibility criteria.
- Vulnerability assessment and penetration testing at least twice a year, with critical findings remediated within 30 days.
- Controls aligned to the NIST Cybersecurity Framework, applied to all regulated entities as set out in the guidelines.
- A board-approved information & cyber security policy, a designated CISO, and audit reporting to the Audit Committee or Board.
- A Cyber Crisis Management Plan, incident reporting to CERT-In and IRDAI, and the audit report submitted to IRDAI within 90 days of the financial year-end.
A full sweep of the information and cyber security control domains the guidelines examine.
- Board-approved policy, CISO function, Information Security Committee and oversight.
- Information-asset inventory, classification and the cyber-risk management framework.
- Least-privilege access, privileged-access control and segregation of duties.
- Segmentation, perimeter defences and secure network architecture.
- Secure development, application controls and assessment of policyholder-facing systems.
- Encryption, retention discipline and protection of policyholder data.
- Semi-annual vulnerability assessment and penetration testing with 30-day critical closure.
- Security operations, SIEM and continuous monitoring of systems processing policyholder data.
- Cyber Crisis Management Plan and incident reporting to CERT-In and IRDAI.
- BCP and disaster recovery with defined RTO/RPO and DR-drill evidence.
- Outsourcing governance, vendor risk and cloud-environment controls (IAM, storage, security groups).
- Awareness training, cyber-drill participation and the prescribed IRDAI audit report and certificate.
A compliance-first lifecycle that produces the prescribed report and certificate.
1. We confirm your entity type and, for intermediaries, your classification by gross insurance revenue.
2. We review the board-approved policy, CISO and committee oversight, prior audit reports and action-taken records.
3. Design and operating-effectiveness testing across every control domain, aligned to the NIST framework.
4. Vulnerability assessment and penetration testing of in-scope applications and infrastructure.
5. Non-compliances documented and risk-rated in the IRDAI-prescribed audit report format.
6. Audit certificate issued, board presentation supported, and remediation tracked to closure.
The first prepares you for the engagement; the second is the control-domain checklist we assess against.
Your audit is mapped to the IRDAI guidelines and supporting standards.
Talk to our CERT-In empanelled team about an assurance audit scoped to your entity type and classification.