Extension of empanelment beyond May 2008 : Notice for Review

Current empanelment of information security auditing organizations by CERT-In is due to expire by May 31, 2008. Accordingly, CERT-In is now working on a process for continuation of empanelment for a further period of 2 years beyond May 2008.

As part of the process for continuation of empanelment by CERT-In, it is proposed to seek a certain set of information from the existing empanelled information security auditing organizations, which comes in two parts:

Part I - Updating of snap-shot information that is already available with CERT-In and displayed on CERT-In’s website to enable user organizations in making informed judgment about selection of information security auditing organisations.

Part II - Current information on the professional activities, skills and competence of the information security auditing organizations.

In order to determine the continuing suitability of information security auditing organizations for empanelment by CERT-In, as envisaged in Part II above, it is necessary that an information security auditing organization must be:

• Professionally active in line with its declared abilities. This can be demonstrated by:
1. No. of information security audits conducted ever since empanelment;
2. No. of information security audits in last 12 months (if the empanelment is for a duration of more than 12 months);
3. Specific audit details (download format 1 for Information System auditing organisations / format 2 for IT security auditing organisations) of any two information security audits conducted within last 12 months, in line with declared abilities (Please note that at this stage it is not required to provide us copies of the information security audit reports. However, CERT-In might choose to seek the copies of the information security audit reports at later stage if deemed necessary).
4. Feedback from the customers of auditee organisations (download the format) mentioned in Para (iii) above regarding service quality levels (Information security auditing organizations can collect the feedback forms from their customers and forward to CERT-In or advice them to send the feedback in time to CERT-In directly).


• Engaged in actions that can uphold professional commitment & competence. This can be demonstrated by:
1. Professional accreditation / certification of the organization that can give confidence to the customers regarding systematic functioning of internal processes; Example - (a) Accreditation by UKAS, UK; RVA, Netherlands; QCI, India; etc.; (b) Certification such as ISO 27001, ISO 9000, ISO 20000, etc.
2. Organized professional training (external / In-house) aimed at enhancement of skills & capabilities.
3. Any other means of continuing education for professional development & competence.

The format for providing the necessary information by the empanelled information security auditing organizations for continuation of empanelment may be download from the link provided here.

It is expected to gather the responses from the empanelled information security auditing organizations by April 30, 2008, following which CERT-In will compile a fresh list of organizations that have provided the requisite information as per the format. Following the concurrence of the Technical Evaluation Committee (TEC) and approval by competent authority, the final list of information security auditing organizations will be displayed on CERT-In’s website with a validity period of two years beyond May, 2008.

The organizations that have not met re-empanelment criteria completely or yet to respond will be notified accordingly and would be provided with information on the further action. These organizations would be considered for re-empanelment with the same validity period as above, as and when they are able to provide CERT-In with requisite information.

All the existing empanelled information security auditing organizations have also been intimated individually by post regarding the above. All are requested to send the requisite information along with the Consent Form by April 30, 2008 to enable us to complete the process of re-empanelment well in time prior to the expiry of current validity period. Please feel free to contact Sh. Omveer Singh (), should you require any assistance or clarifications in this regard.