The number of Indian Computer Emergency Response Team (CERT-In) empanelled information security organisations has been reduced from 90 to 33. Companies that are no longer CERT-In empanelled include IBM India, HCL Comnet, Wipro, Ernst & Young, Tech Mahindra and many others. The empanelment of the information security organisations is valid from November 1, 2020 to October 31, 2023.

We have reached out to CERT-In to find out what caused the significant reduction in the number of empanelled auditors — did the companies not apply or were more companies rejected? We have also asked CERT-In what will happen to existing contracts and tenders that were won on the basis of an entity’s CERT-In empanelled status.

CERT-In empanelled organisations, which currently include three government organisations — Centre for Development of Advanced Computing (C-DAC), Standardisation Testing and Quality Certification (STQC) Directorate of Ministry of Electronics and Information Technology (MEITY), and Madhya Pradesh Agency for Promotion of Information Technology which is a registered society of Department of Science and Technology, Government of Madhya Pradesh — test computer systems, networks and applications of government agencies and private companies for vulnerabilities and risks.

To win government contracts, private companies have to have their information security systems audited by these CERT-In empanelled auditors. Often, when private companies enter partnerships with other software companies, they rely on an audit report by CERT-In empanelled auditors.

No clarity on why the number reduced

We reached out to multiple companies that are no longer on the list to find out whether they had applied to be empanelled. One of them, Lucideus Tech Private Limited, said that it had “shifted its focus from being a pure-play Vulnerability Assessment & Penetration Testing (VAPT) Company to a cybersecurity and business risk quantification product company”. “It has been over a year that the company took down its vulnerability assessment (and any other services) from its website, and made it focused only on our product. A cybersecurity product does not need an empanelment of any to sell in India [sic],” the written statement said. The company spokesperson refused to say whether it meant that Lucideus had not applied for empanelment at all. We are awaiting responses from other companies.

Another information security company that is no longer CERT-In empanelled is CyberRoot Risk Advisory Pvt Ltd. Last month, an Iranian-American businessman had accused CyberRoot and another Indian company, BellTroX Info, of hacking into his email accounts and publishing his emails on the internet, in a lawsuit filed in North Carolina.

Dropped companies have done significant audits in the past

A number of companies that are no longer empanelled with CERT-In have done significant audits in the past (not all of them may have been as CERT-In empanelled auditors at the time of conducting those audits):

  • Wipro has in the past conducted audits for National Informatics Centre (NIC), National Payments Corporation of India (NPCI), State Bank of India (SBI), and Delhi International Airport Limited (DIAL).
  • Ernst & Young audited the State Wide Area Network (SWAN) and State Data Centres, both of which are important elements of the national e-Governance Plan (NeGP) infrastructure, which involved testing more than 500 devices for vulnerabilities.
  • HCL Comnet, a subsidiary of HCL, did the security audit for SBI at a cost of ₹46 crore.
  • Tech Mahindra earned $2.59 million from an Australian retail company for conducting more than 250 security audits in Australia and Mumbai, $7 million for testing the security of more than 198 web applications for an American telco in the USA and Mumbai, and $1 million for testing more than 2,000 web applications for an oil company in the USA and Mumbai.
  • NPCI had contracted at least two other dropped auditors apart from Wipro to carry out security audits or information security work: Zulon Consulting and Vista InfoSec.
  • Kochar Consultants had done at least four EKYC audits as per UIDAI guidelines.
  • HKIT Security Solutions has been involved with the Aadhaar Enrollment Application in the past.

List of current CERT-In empanelled auditors

Here is the complete list of 33 organisations that are now CERT-In empanelled auditors until October 31, 2023:

  1. AAA Technologies Pvt Ltd
  2. Accedere Limited *#
  3. AKS Information Technology Services Pvt Ltd *
  4. Allied Boston Consultants India Pvt Ltd
  5. AQM Technologies Pvt Ltd
  6. Bharat Electronics Limited
  7. Centre for Development of Advanced Computing (C-DAC)
  8. Crossbow Labs LLP #
  9. CyberQ Consulting Pvt Ltd
  10. CyRAAC Services Pvt Ltd
  11. Deloitte Touche Tohmatsu India LLP
  12. Grant Thornton India LLP
  13. KPMG Assurance and Consulting Services LLP
  14. Madhya Pradesh Agency for Promotion of Information Technology (A registered Society of Department of Science and Technology, Government of Madhya Pradesh)
  15. Mahindra Special Services Group
  16. Maverick Quality Advisory Services Private Limited
  17. Mirox Cyber Security & Technology Pvt Ltd
  18. Net-Square Solutions Pvt Ltd
  19. Network Intelligence India Pvt Ltd *
  20. Paladion Networks
  21. Payatu Technologies Pvt Ltd
  22. PricewaterhouseCoopers Pvt Ltd
  23. Qseap InfoTech Pvt Ltd
  24. RSM Astute Consulting Pvt Ltd
  25. SecureLayer7 Technologies Private Limited
  26. SecurEyes Techno Services Pvt Ltd
  27. Security Brigade InfoSec Pvt Ltd
  28. STQC Directorate, MeitY, Government of India
  29. Sysman Computers Pvt Ltd
  30. TAC InfoSec Private Limited
  31. TATA Communications Ltd
  32. Xiarch Solutions Pvt Ltd *
  33. Yoganandh & Ram LLP *
    *: This organisation’s empanelment is subject to the outcome of background verification (five such companies)
    #: Newly empanelled organisations (two such companies)

List of former CERT-In empanelled auditors

List of 59 companies that are no longer empanelled auditors:

  1. AUDITime Information Systems (I) Ltd
  2. Aujas Networks Pvt Ltd
  3. AGC Networks
  4. ANB Solutions Pvt Ltd
  5. BDO India LLP
  6. Briskinfosec Technology and Consulting Pvt Ltd
  7. CMS IT Services Pvt Ltd
  8. Control Case International Pvt Ltd
  9. Cyber Security Works Pvt Ltd
  10. Cigital Asia Pvt Ltd
  11. CyberRoot Risk Advisory Pvt Ltd
  12. Code Decode Labs Pvt Ltd
  13. Crossbow Labs LLP
  14. Deccan Infotech Pvt Ltd
  15. Digital Age Strategies Pvt Ltd
  16. Ernst & Young Pvt Ltd
  17. Esec Forte Technologies Pvt Ltd
  18. e.com Infotech I Ltd
  19. Finest Minds Infotech Pvt Ltd
  20. HCL Comnet Ltd
  21. Haribhakti & Company LLP, Chartered Accountants
  22. HKIT Security Solutions
  23. isec Services Pvt Ltd
  24. Indusface Pvt Ltd
  25. Imperium Solutions
  26. IBM India Pvt Ltd
  27. Kochar Consultants Private Limited
  28. LTI (A Larsen & Toubro Group Company)
  29. Lucideus Tech Private Limited
  30. Locuz Enterprise Solutions Ltd
  31. Netmagic IT Services Pvt Ltd
  32. Netrika Consulting Pvt Ltd
  33. NSEIT Ltd
  34. Panacea InfoSec Pvt Ltd
  35. Protiviti India Member Private Limited
  36. Pyramid Cyber Security & Forensic Pvt Ltd
  37. ProgIST Solutions LLP
  38. Qadit Systems & Solutions (P) Ltd
  39. Recon Business Advisory Pvt Ltd
  40. Robert Bosch Engineering and Business Solutions Private Limited
  41. Sumeru Software Solutions Pvt Ltd
  42. SISA Information Security Pvt Ltd
  43. Suma Soft Pvt Ltd
  44. Sigy Technologies Limited
  45. Sandrock eSecurities Pvt Ltd
  46. Sonata Software Limited
  47. Torrid Networks Pvt Ltd
  48. TÜV SÜD South Asia Private Limited
  49. TCG Digital Solutions Private Limited
  50. Tech Mahindra Ltd
  51. Talakunchi Networks Pvt Ltd
  52. Trusted Info Systems Private Ltd
  53. Varutra Consulting Private Ltd
  54. ValueMentor Consulting LLP
  55. Vista Infosec Pvt Ltd
  56. Wipro Ltd
  57. Wings2i IT Solutions Pvt Ltd
  58. Xysec Labs Private Limited
  59. Zulon Consulting