Knowledge Base

What is CERT-IN Certification and How to Obtain One?

Updated on: November 20, 2023

What is CERT-IN Certification and How to Obtain One?

Ever come across the term ‘CERT-IN certification’ and wondered about its implications for your company’s cybersecurity policies? CERT-IN, or the Indian Computer Emergency Response Team, is a government-approved organization for upholding information technology (IT) security. It was initiated in 2004 by the Department of Information Technology to implement the provisions of the 2008 Information Technology Amendment Act. 

CERT-IN is majorly responsible for:

  • Responding to incidents of computer security
  • Collecting, analyzing, and distributing information on cybersecurity attacks and vulnerabilities
  • Putting in place emergency responses for handling cybersecurity attacks
  • Preparing forecasts and alerts for any security problems observed
  • Heading cyber incident response activities and their coordination
  • Issuing notices, guidelines on dealing with attacks, advisories, or whitepapers. This could be in the fields of information security, prevention of attacks, responses, and reporting practices
  • Vulnerability reporting and management 
  • Ensuring holistic and efficient IT security policies throughout India. 

CERT organizations are present throughout the world, with the first one being formed in the USA. They mostly function independently with only a few coordinated activities reported.

What does CERT-IN certification entail?

In simple words, a CERT-IN certification is a certificate provided by a CERT Empanelled Security Auditor after conducting a detailed security audit. Such an audit will necessarily include all components of the organization’s network – websites, systems, applications, etc. The entire process will be conducted according to the rules and regulations under specific guidelines for CERT-IN tests in IT security audits. After completion of the testing procedure, the certificate is provided to show that all requirements were met. 

It is one small security loophole v/s your entire website or web application

Get your web app audited with Astra’s Continuous Pentest Solution

What do CERT-IN guidelines talk about?

There are some official rules on how security auditors should deal with companies seeking CERT-IN certification. Some of the parameters of the auditing process are:

  • Introduction
  • Components of the audit – with characteristics
  • Expectations of the company getting audited
  • General rules of the process
  • Snapshot – includes information of the process and details on technical manpower
  • Details of the third-party hosting service provider
  • Define the relationship between the auditor and the auditee
  • Disclaimers (if applicable)

When looking to obtain CERT-IN certification, ensure that your security auditor meets world-class standards and follows best practices. There are certain benchmarks that your company may require under the CERT-IN guidelines, which your auditor should be aware of. 

The ideal solution would be to conduct adequate research on both your company’s requirements and the auditor’s credentials and expertise. Certain standards you may look out for include ISO 27001 (for data security measures) and ISO 9001 (quality management). Other features that they should offer within the testing can include:

  • Technical testing for internal vulnerabilities – This specific kind of vulnerability assessment works best on your networks, devices, and servers. They will correctly recognize the loopholes within the IT infrastructure for further remediation.
  • Auditing for penetration testing – The auditor must include penetration testing of web applications, networks of the company, government, and other stakeholders, etc. It is best to include the networks and servers of organizations that undergo Information Security audits annually.
  • Boosting client credibility – Obtaining CERT-IN certification from reputed security auditors allows them to remain on top. Routinely identifying possible security risks and rectifying them increases customer and partner trust.

Let experts find security gaps in your web application

Pen-testing results that comes without a 100 emails, 250 google searches and painstaking PDFs.

Types of organizations that require CERT-IN certification

CERT-IN certifications are one of the efficient ways to attest to the security of Indian organizations, and hence are beneficial to most Indian organizations. Here’s a list of organizations that can particularly gain from this certification standard:

  • RBI and Banks – Companies or those who use the software as mandated by:
    RBI – Cybersecurity Framework for Banks
    RBI – Cybersecurity Framework for Urban Cooperative Banks
    RBI Guidelines for Cybersecurity in the NBFC sector
  • RBI and online payments – Companies and software that come under RBI Guidelines for Payment Aggregators and Payment Gateways
  • Companies who conduct business related to software, hardware, or other related cyber services with the Government of India
  • SEBI and companies – Companies and related software that fall under the rulebook of SEBI Cybersecurity and Cyber Resilience Framework
  • Those companies hosting applications or portals online using the National Informatics Center (NIC)
  • Companies or those using software that follow the rules of the UIDAI – AUA KUA Compliance
  • If you’re selling, providing licenses, or just deploying relevant software and services for organizations for the ISNP Security Audit (under the IRDA mandate).

NOTE: ISNP Security Audit is for insurance companies attempting to set electronic platforms for their services. This is in accordance with the rules and regulations of the Insurance Regulatory and Development Authority of India (IRDAI). 

What’s the process to get a CERT-IN Certificate?

Here’s a basic overview of the steps you can expect from a basic CERT-IN certification process:

Basic and detailed audit of the system

The security auditor will conduct a comprehensive level 1 audit of all aspects of your organization including –  websites, applications, and the entire network. Once this is done, a detailed VAPT report covering all strategies and results is submitted.

Re-testing audit

When the vulnerabilities discovered from the level 1 auditing of the entire system are patched, we move onto level 2. This will include testing the system again to find out if the patches and fixes have worked out fine. It will also cover new vulnerabilities that may have popped up and anything else that was missed. 

Issuing the certificate after the final checks

After verifying that everything has gone according to plan, the CERT-IN Security Certificate is issued. There will be supporting documentation along with the certificate and compliance reports that your customers and/or partners could request. 

While the entire process may seem to concisely fit into three steps, it should not be forgotten that vulnerabilities are many, unique, and hidden. Instead of taking this exercise as a mandatory burden, companies should take the opportunity to strengthen their system. This will help them build long-term security.


The CERT-IN department under the Government of India deals with a variety of topics related to cybersecurity. As such, gaining certification from such reputed organizations will definitely increase the security barriers of your organization. In fact, in some cases, it is mandatory to obtain a CERT-IN certificate for legal reasons. However, the testing process is delicate and needs to be handled by certified auditors with adequate expertise. Astra Security is empanelled by CERT-In for providing information security auditing service. Issues that may compromise the system can be detected and the right steps can be taken to address and remedy them.

Astra Pentest is built by the team of experts that secured Microsoft, Adobe, Facebook, and Buffer

We are also available on weekends 😊

Was this post helpful?


Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany