IRDAI Cybersecurity Compliance: Insurance Companies, ISNP Audit & Broker/TPA Assessments
End-to-end IRDAI compliance for life, general, health insurers, ISNP platforms, insurance brokers, and TPAs. CERT-In empanelled auditor delivering regulator-ready reports, gap assessments, and remediation support across every IRDAI cyber mandate.
The Insurance Regulatory and Development Authority of India (IRDAI) mandates cybersecurity controls across the entire insurance value chain. Whether you operate as an insurance company, run an Insurance Self-Network Platform (ISNP), or function as an insurance broker or Third-Party Administrator, IRDAI expects documented evidence of cybersecurity governance, technical controls, incident response readiness, and periodic audits by CERT-In empanelled auditors. Security Brigade has delivered IRDAI cybersecurity audits for insurers, ISNP platforms, and intermediaries, helping regulated entities achieve and maintain compliance without disrupting business operations.
Assess
Comprehensive gap assessment against IRDAI Information and Cybersecurity Guidelines, mapping your current controls, policies, and technical posture to every regulatory requirement applicable to your entity type.
Remediate
Prioritized remediation roadmap with practical guidance on closing gaps. Security Brigade supports you through policy development, technical hardening, architecture changes, and evidence preparation.
Certify
Final compliance audit by our CERT-In empanelled team, producing a regulator-ready audit report with control attestation, evidence documentation, and executive summary for your board and IRDAI submission.
What is IRDAI Cybersecurity Compliance?
IRDAI cybersecurity compliance refers to the mandatory information security and cyber resilience requirements imposed by the Insurance Regulatory and Development Authority of India on insurance companies, Insurance Self-Network Platforms (ISNPs), insurance brokers, and Third-Party Administrators.
Insurance Companies: IRDAI Information and Cybersecurity Guidelines
Life insurers, general insurers, health insurers, and reinsurers under the IRDAI cybersecurity mandate
Cybersecurity Governance
Board-approved information security policy, CISO appointment, cybersecurity committee, and governance reporting structure.
VAPT and IS Audit
Periodic vulnerability assessment, penetration testing, and information systems audit of core insurance and IT systems.
Business Continuity and DR
BCP and disaster recovery planning with documented testing, recovery time objectives, and failover validation.
Incident Response
Documented incident response plan, CERT-In notification readiness, escalation procedures, and forensic investigation capability.
Policyholder Data Protection
Controls for protecting customer PII, policy data, health records, claims information, and nominee details across systems.
Vendor and Third-Party Risk
Assessment of third-party service providers, outsourced IT, cloud vendors, and integration partners handling insurance data.
Methodology
6 stages. Audit-ready results.
Every engagement follows this process through Lemon, our proprietary audit management platform.
Security Brigade follows a structured audit methodology designed for IRDAI-regulated entities. Each engagement is scoped to the entity type, whether insurance company, ISNP platform, insurance broker, or TPA, and mapped to the specific IRDAI guidelines and controls applicable to that entity. The methodology ensures that the audit is comprehensive, evidence-backed, and produces a report that meets IRDAI submission expectations while also being actionable for your technology and security teams.
Scoping and Regulatory Mapping
Identify entity type, applicable IRDAI guidelines, audit scope, systems in scope, third-party integrations, and regulatory submission timeline. For ISNP audits, scope includes the complete platform architecture and pre-launch requirements.
Document and Policy Review
Review information security policies, cybersecurity governance documentation, BCP/DR plans, incident response procedures, vendor agreements, and prior audit reports against IRDAI requirements.
Technical Assessment
Vulnerability assessment and penetration testing of in-scope applications, networks, infrastructure, and cloud environments. Application security testing for core insurance platforms, ISNP portals, claims systems, and broker management tools.
Controls Validation and Evidence Collection
Validate implementation of access controls, encryption, logging, monitoring, patch management, change management, backup and recovery, and incident response. Collect evidence through system demonstrations, configuration review, and interviews.
Gap Analysis and Remediation Support
Document gaps with risk ratings, provide prioritized remediation roadmap with practical implementation guidance, and support your team through closure of critical and high findings.
Regulator-Ready Report and Attestation
Final audit report structured for IRDAI submission including scope, methodology, control status, findings, evidence references, remediation status, and compliance attestation signed by the CERT-In empanelled auditor.
"We have SAP, SCADA, 200+ web apps, and factories running legacy systems. Most security firms understand IT or OT — not both. Security Brigade tested our corporate network, our plant floor, our SAP interfaces, and our cloud migration path in one engagement with one methodology. The OT findings alone justified the engagement, but the real value was having everything in a single risk register."
The Platform
Powered by Lemon
Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.
Structured Evidence Collection
Centralized evidence repository linked to each IRDAI control requirement, eliminating last-minute evidence scrambles.
Findings and Remediation Tracking
Every finding is logged with severity, owner, deadline, and status. Remediation progress is visible to your team in real time.
Multi-Tier Review Workflow
Findings and reports pass through L1, L2, and L3 review stages before reaching you, ensuring audit quality and consistency.
Compliance-Ready
Audit-ready reporting for every framework
As a CERT-In empanelled firm, our reports are accepted by Indian regulators and meet global framework requirements.
Industries
700+ clients across verticals
Every type of application architecture and business logic pattern — tested.
Quality Assurance
L1, L2, L3 Audit Quality Assurance
Every IRDAI audit report passes through three levels of review before delivery
Regulatory audit reports carry the weight of your compliance status. A report with inconsistencies, missing evidence references, or inaccurate control assessments creates problems with regulators and erodes trust with your board. Security Brigade enforces a three-tier quality assurance process on every engagement to ensure the audit report you receive is accurate, complete, and regulator-ready.
L1: Consultant Review
The primary auditor validates all findings against evidence, confirms severity ratings, and ensures methodology was followed consistently.
L2: Technical Lead Review
A senior technical lead reviews findings for accuracy, completeness, and consistency. Validates that all in-scope controls have been assessed.
L3: Approval and Sign-Off
Final review by the engagement manager ensures regulatory alignment, report structure, evidence linkages, and CERT-In empanelled auditor attestation.
Deliverables
What you get
Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.
IRDAI Compliance Audit Report
The primary regulator-submission document covering scope, methodology, control assessment, findings, evidence, and compliance attestation signed by CERT-In empanelled auditor.
Gap Analysis Report
Detailed gap assessment mapping each IRDAI requirement to current compliance status, risk rating, evidence gaps, and recommended remediation.
VAPT and Technical Assessment Reports
Vulnerability assessment, penetration testing, and application security reports for in-scope systems with proof-of-concept, severity, and remediation guidance.
Remediation Roadmap
Prioritized remediation plan with owner assignment, target closure dates, severity-based prioritization, and practical implementation guidance.
Executive Summary and Board Pack
Management presentation summarizing compliance posture, key risks, remediation progress, and recommended next steps for board and audit committee.
Closure Validation Report
Post-remediation revalidation report confirming that identified gaps have been closed, with evidence of successful remediation.
ISNP Pre-Launch Certification Report
For ISNP engagements, the dedicated pre-launch certification artifact required for IRDAI approval before the platform goes live.
Data Flow and Architecture Annexure
Documentation of system architecture, data flows, third-party integrations, and storage locations for policyholder and claims data.
Continuous Compliance with ShadowMap
The audit gives you a snapshot. ShadowMap gives you the always-on view.
An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.
Attack Surface Area
Continuous discovery of internet-facing assets — sub-domains, APIs, cloud resources, open ports, SSL certificates, technology stack.
Audits are point-in-time. ShadowMap watches your boundary daily.
CART · Continuous Automated Red Teaming
Automated vulnerability detection and validation on your live attack surface — exploit context delivered, not just scanner noise.
Annual audits prove a moment. CART proves resilience 24/7.
What is an ISNP audit and who needs it?
Is CERT-In empanelment mandatory for IRDAI cybersecurity audits?
What are the IRDAI Information and Cybersecurity Guidelines?
How long does an IRDAI cybersecurity audit take?
Do insurance brokers need to comply with IRDAI cybersecurity requirements?
What is the difference between an ISNP audit and an annual cybersecurity audit for insurance companies?
What happens if an insurance company fails the IRDAI cybersecurity audit?
Does the IRDAI cybersecurity audit cover cloud-hosted insurance platforms?
Can Security Brigade help with both IRDAI compliance and other regulatory mandates?
What does a TPA cybersecurity audit cover under IRDAI?
Ready to Achieve IRDAI Cybersecurity Compliance?
Talk to our compliance team to scope your IRDAI cybersecurity audit, ISNP pre-launch certification, or broker and TPA assessment
Typically responds within 1 business day · No commitment required