Fresh applicant organizations are requested to submit the following documents and annexures,
duly signed and stamped by an authorised person:
2. Annexure I: Background verification certificate from the organization (as per the Template)
4. Annexure III: Undertaking by the organization on code of conduct (as per the Template)
5. Annexure A: Detailed information regarding last 5 information security audits carried out by
organization during the last 3 years (as per the template)
6. Copy of two detailed information security audit reports carried out in last 3 years.
(Organisation may sanitize financial information only from the Information Security Audit
Reports)
The organizations are required to submit the information form to CERT-In in an envelope, duly
superscribed “Application for empanelment of Information Security Auditing
Organisations”, to the address given below:
Empanelment Group,
Indian Computer Emergency Response Team (CERT-In),
Ministry of Electronics and Information Technology,
Electronics Niketan, 6 C.G.O Complex,
Lodhi Road, New Delhi -110003
Note: Any discrepancies/ False Information/ Manipulated data in application submission may lead
to disqualification and blacklisting of the organization from current and future participation in the
empanelment process.
Empanelment of Information Security Auditing Organisation: Documentation round Version 4.1, June, 2021
Indian Computer Emergency Response Team (CERT-In)
No. 3(15)/2004-CERT-In
Government of India
Ministry of Electronics & Information Technology
Indian Computer Emergency Response Team (CERT-In)
Electronics Niketan, CGO Complex, Lodhi Road, New Delhi 110003
2. Address
…………………………………………………………………………………………..………
………………….………………………………………………………………………..………
………………………………………………......
……..……………………..……………………... PIN
7. Designation: .................................................................................................................................
8. Cellular/Mobile Phone
10. Other Indian Localities, from where the organisation’s IT security related activities are being
carried out: ...................................................................................................................................
.......................................................................................................................................................
......................................................................................................................................................
12. Whether organization has foreign tie-ups for services/ product offered by it?
If yes, please provide the details.
.....................................................................................................................................................................
.....................................................................................................................................................................
13. A Demand Draft / Pay Order No. …………… dated ……………. issued
by ……….....………….….. Bank ……………...…………. Branch, for Rs. 5000/-, in
favour of “PAO, MeitY, New Delhi”, payable at New Delhi is enclosed herewith as a fee
towards analysis, assessment and processing of the application and supporting
documents, submitted for empanelment by CERT-In as an Information Security Auditing
Organisation
14. Information security audit related activities, are being carried out continuously by our
organisation from (month, year):......................................................................................................
17. (a) No. of technical personnel involved in Information Security Auditing related activities:
……………………..
Specify in
| S. No. | Technical Personnel’s Name | Place of Posting | Working with the organisation since (month & year) | Information Security related qualifications (CISSP / ISMS LA / CISM / CISA / ISA etc., state as applicable) | Total experience in information security related activities (years) | Credentials verified by organization (Yes/No) | Self-signed copy of Passport (if any) (Yes/No) | Whether the person will be deployed for government and critical sector audits/projects (Yes/No) |
|---|---|---|---|---|---|---|---|---|
| 1. | | | | | | | | |
| 2. | | | | | | | | |
| 3. | | | | | | | | |
| 4. | | | | | | | | |
| 5. | | | | | | | | |
| 6. | | | | | | | | |
All the professionals deployed by the organisation must possess at least one of the
relevant information security related qualifications or relevant information security
auditing experience. Out of these, preferably two personnel must possess either CISSP or
ISMS (Ex. BS7799/ISO17799/ISO27001) Lead Assessor certification or any other
information security qualifications. Please attach a brief curriculum vitae / bio-data (1 page,
max.) of each of the personnel mentioned against clause 17 (b), along with the self-attested
supporting documentary evidence regarding their certifications and a self-attested copy of
Indian passport. Please note that we are looking only at the information security related
certifications / qualifications, as given above.
18. Whether outsourcing the information security auditing work to External Security Auditing
Experts or other information security auditing organisations on contract basis for carrying out
the same on your organisation’s behalf?: Not applicable / Yes
19. (a) Acceptance of the condition for background checks of all the technical personnel:
Agree / Disagree
(b) Background verification certificate from the organisation for the technical personnel
mentioned against clause 17(b) above (Annexure-I). Attached/ Not Attached
21. (a) Detailed information regarding last 5 information security audits carried out by our
organisation during the last 3 years is attached (as per format given) at Annexure A:
Attached / Not Attached
(b) One copy each of the two information security audit reports for any of the two
Information Security Audits carried out, out of the 5 Information Security Audits
enlisted in clause 21 (a) above, along with the applicable relevant information /
documents are also attached. (Organisation may sanitize financial information only from
the Information Security Audit Reports.) CERT-In, MeitY will provide an undertaking for
non-disclosure of the acquired information from the information security audit reports, if
required (as per the Template-NDA Form): Attached / Not Attached
Annexure-I
We, M/s ……………......… <Organization’s name, location and address> ………………………..,
certify that the following technical employees are working with this organization and that necessary
background checks have been made. We assure that only the following employees will be deployed
for government and critical sector related audits/projects. We also agree that any change in the
manpower to be deployed for Government and Critical Sector will be informed to CERT-In with
all the required details.
M/s ……………………………………
Annexure-II
We, M/s ……………......… < Organization’s name, location and address > ………………………..,
having submitted information as required by CERT-In, do hereby declare that:
1. We comply with all the applicable requirements and have submitted the latest and
accurate information for empanelment.
2. We possess necessary tools, skills and capabilities to carry out the following tasks (strike
out those not applicable):
• Information Security Testing
• Process Security Testing
• Internet Technology Security Testing
• Communications Security Testing
• Application security testing
• Wireless Security Testing
• Physical Access Controls & Security Testing
• Network Security Testing
• Software Vulnerability Assessment
• Penetration Testing
• ICS/SCADA Assessment
• Compliance Assessments
• Assessment against Cyber Security Audit Baseline Requirements
3. We agree to provide the Information Security Auditing Services in accordance with the
terms and conditions of empanelment, as issued by CERT-In.
4. We agree to share generic information related to Information Security Audits with CERT-
In, as and when required.
5. We hereby agree that we will inform CERT-In about any changes in manpower status
immediately.
6. We agree to abide by all the applicable terms and conditions of empanelment stipulated by
the CERT-In and auditee organizations for assigned projects. We also agree to provide an
undertaking with regard to the code of conduct.
M/s ……………………………………
Annexure-III
I/ We agree to enter into Non-Disclosure Agreement (NDA) with the auditee organization from
Government & critical sector organization before beginning of audit assignment for which we will
be engaged. We also confirm that NDA will have following features:-
• Will be legally enforceable.
• Will detail the obligations and responsibilities of the parties and what constitutes a breach
of the contract including maintenance of confidentiality of information received during
course of security audit.
• Will bring out the penalties that could be attracted in the event of breach of contractual
terms, such as termination of the contract, debarment from future engagement for a
stipulated period as well as compensation or liquidated damages for loss to the auditee
organization.
• Provision for sharing information with Government agencies mandated under the law
including CERT-In etc. if and when called upon to do so with prior written information to
the auditee organization.
We further undertake and agree that only manpower declared to CERT-In will be deployed for
government and critical sector organizations projects.
(signature)
(Prop./ Partner/ Director)
Seal of Organization
Annexure ‘A’
Details of an Information Security Audit carried out during the last 3 Years
(Please use five copies of this format for providing details of each of the five information
security audits)
Whether Vulnerability Assessment was carried out for all the systems/servers and applications? :
Yes/ No
(Signature)
Authorised Signatory’s Name:
Dated : Auditing organisation’s name with Seal
STATUTORY DECLARATION
We agree to provide the Information Security Auditing services in accordance with the commercial
contract to be entered into with the auditee organisations, and to abide by all the terms and conditions
of the empanelment as well as service delivery. Further, it is also certified that we meet all the
stipulated terms and conditions, as stated in the “Guidelines for empanelment of Information
Security Auditing Organisations” document. The information stated herein as well as in the
annexed documents is true to the best of our knowledge & belief and nothing has been concealed
or falsely stated. We understand that in case any information is found to be wrong or falsely
stated at any time, our empanelment status will be withdrawn with immediate effect without any
further consideration in this regard.
Date :