CERT-In Empanelled Since 2008 — One of the earliest empanelled auditors in India, mandatory for IRDAI audits

IRDAI Cybersecurity Compliance: Insurance Companies, ISNP Audit & Broker/TPA Assessments

End-to-end IRDAI compliance for life, general, health insurers, ISNP platforms, insurance brokers, and TPAs. CERT-In empanelled auditor delivering regulator-ready reports, gap assessments, and remediation support across every IRDAI cyber mandate.

107+
Insurance Clients
IRDAI-Aligned
Methodology
ISNP-Ready
Audit Coverage
Since 2008
CERT-In Empanelled

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Assess

Comprehensive gap assessment against IRDAI Information and Cybersecurity Guidelines, mapping your current controls, policies, and technical posture to every regulatory requirement applicable to your entity type.

STEP 02

Remediate

Prioritized remediation roadmap with practical guidance on closing gaps. Security Brigade supports you through policy development, technical hardening, architecture changes, and evidence preparation.

STEP 03

Certify

Final compliance audit by our CERT-In empanelled team, producing a regulator-ready audit report with control attestation, evidence documentation, and executive summary for your board and IRDAI submission.

What is IRDAI Cybersecurity Compliance?

IRDAI cybersecurity compliance refers to the mandatory information security and cyber resilience requirements imposed by the Insurance Regulatory and Development Authority of India on insurance companies, Insurance Self-Network Platforms (ISNPs), insurance brokers, and Third-Party Administrators.

Insurance Companies: IRDAI Information and Cybersecurity Guidelines

Life insurers, general insurers, health insurers, and reinsurers under the IRDAI cybersecurity mandate

Cybersecurity Governance

Board-approved information security policy, CISO appointment, cybersecurity committee, and governance reporting structure.

VAPT and IS Audit

Periodic vulnerability assessment, penetration testing, and information systems audit of core insurance and IT systems.

Business Continuity and DR

BCP and disaster recovery planning with documented testing, recovery time objectives, and failover validation.

Incident Response

Documented incident response plan, CERT-In notification readiness, escalation procedures, and forensic investigation capability.

Policyholder Data Protection

Controls for protecting customer PII, policy data, health records, claims information, and nominee details across systems.

Vendor and Third-Party Risk

Assessment of third-party service providers, outsourced IT, cloud vendors, and integration partners handling insurance data.

Methodology

6 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Scoping and Regulatory Mapping

Identify entity type, applicable IRDAI guidelines, audit scope, systems in scope, third-party integrations, and regulatory submission timeline. For ISNP audits, scope includes the complete platform architecture and pre-launch requirements.

02

Document and Policy Review

Review information security policies, cybersecurity governance documentation, BCP/DR plans, incident response procedures, vendor agreements, and prior audit reports against IRDAI requirements.

Testing
03

Technical Assessment

Vulnerability assessment and penetration testing of in-scope applications, networks, infrastructure, and cloud environments. Application security testing for core insurance platforms, ISNP portals, claims systems, and broker management tools.

04

Controls Validation and Evidence Collection

Validate implementation of access controls, encryption, logging, monitoring, patch management, change management, backup and recovery, and incident response. Collect evidence through system demonstrations, configuration review, and interviews.

Delivery
05

Gap Analysis and Remediation Support

Document gaps with risk ratings, provide prioritized remediation roadmap with practical implementation guidance, and support your team through closure of critical and high findings.

06

Regulator-Ready Report and Attestation

Final audit report structured for IRDAI submission including scope, methodology, control status, findings, evidence references, remediation status, and compliance attestation signed by the CERT-In empanelled auditor.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Indian Private Sector Bank


The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

[Lemon dashboard mock-up: project PRJ-2847, Coverage Validation for acmecorp.com. 94% covered. Endpoints 247 / 263, Parameters 1,847, Auth Flows 12 / 12, JS Routes 38 / 41. AI flagged 3 undiscovered endpoints: /api/v2/admin/export, /api/v2/billing/webhook, /internal/healthcheck. Review status: L1 Complete, L2 In Review, L3 Pending.]

Structured Evidence Collection

Centralized evidence repository linked to each IRDAI control requirement, eliminating last-minute evidence scrambles.

Findings and Remediation Tracking

Every finding is logged with severity, owner, deadline, and status. Remediation progress is visible to your team in real time.

Multi-Tier Review Workflow

Findings and reports pass through L1, L2, and L3 review stages before reaching you, ensuring audit quality and consistency.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

VAPT and Application Security
Web, mobile, API, and network penetratio
Information Systems Audit
Comprehensive IS audit covering IT gover
BCP and DR Assessment
Business continuity plan review, disaste
Incident Response Readiness
IR plan review, CERT-In notification rea
Vendor Risk Assessment
Third-party and outsourced IT provider s
Policy and Process Review
Information security policy, acceptable
Cloud Security Assessment
AWS, Azure, or cloud configuration revie
ISNP Pre-Launch Certification
Complete ISNP security audit including a

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

IRDAI Compliance Audit Report

The primary regulator-submission document covering scope, methodology, control assessment, findings, evidence, and compliance attestation signed by a CERT-In empanelled auditor.

Gap Analysis Report

Detailed gap assessment mapping each IRDAI requirement to current compliance status, risk rating, evidence gaps, and recommended remediation.

VAPT and Technical Assessment Reports

Vulnerability assessment, penetration testing, and application security reports for in-scope systems with proof-of-concept, severity, and remediation guidance.

Remediation Roadmap

Prioritized remediation plan with owner assignment, target closure dates, severity-based prioritization, and practical implementation guidance.

Executive Summary and Board Pack

Management presentation summarizing compliance posture, key risks, remediation progress, and recommended next steps for board and audit committee.

Closure Validation Report

Post-remediation revalidation report confirming that identified gaps have been closed, with evidence of successful remediation.

ISNP Pre-Launch Certification Report

For ISNP engagements, the dedicated pre-launch certification artifact required for IRDAI approval before the platform goes live.

Data Flow and Architecture Annexure

Documentation of system architecture, data flows, third-party integrations, and storage locations for policyholder and claims data.

Continuous Compliance with ShadowMap

The audit gives you a snapshot. ShadowMap gives you the always-on view.

An annual audit proves your posture at a single point in time. Between audits, attack surfaces drift, credentials leak, sub-domains get added, vendors get breached. ShadowMap watches the boundary continuously so the next audit isn't a surprise.

See the full ShadowMap platform. 30-day POC available: Platform Only, Service Only, or Hybrid.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

Contact us
What is an ISNP audit and who needs it?

An ISNP audit is a mandatory pre-launch security audit required by IRDAI for Insurance Self-Network Platforms, which are online insurance distribution platforms that sell and service insurance products digitally. Any insurer launching an ISNP must complete this audit by a CERT-In empanelled auditor before the platform is approved to go live. The audit covers application security, network architecture, data flows, payment integration, KYC and AML controls, and business continuity.

Is CERT-In empanelment mandatory for IRDAI cybersecurity audits?

Yes, IRDAI requires cybersecurity audits to be conducted by CERT-In empanelled auditors. CERT-In empanelment is the national certification that validates an auditor's capability to perform security audits for government and regulated entities. Security Brigade has been CERT-In empanelled since 2008, making us one of the longest-standing empanelled cybersecurity auditors in India.

What are the IRDAI Information and Cybersecurity Guidelines?

The IRDAI Information and Cybersecurity Guidelines are a comprehensive cybersecurity framework applicable to all insurance companies in India, including life, general and health insurers, and reinsurers. The guidelines mandate cybersecurity governance with board-level oversight, appointment of a CISO, periodic VAPT and IS audits, business continuity planning, incident response procedures, and annual security audits by CERT-In empanelled auditors.

How long does an IRDAI cybersecurity audit take?

A typical IRDAI cybersecurity audit takes four to six weeks from scoping to final report delivery. The timeline depends on the entity type, the scope of systems, and the readiness of documentation. ISNP pre-launch audits can be completed in three to four weeks when the platform is ready for assessment. Engagements involving significant remediation before the final report may extend to eight weeks.

Do insurance brokers need to comply with IRDAI cybersecurity requirements?

Yes, insurance brokers are expected to maintain cybersecurity controls proportionate to the policyholder data they handle. IRDAI extends its cybersecurity expectations to intermediaries, including brokers and TPAs. Additionally, insurer partners increasingly require brokers to demonstrate cybersecurity compliance through vendor security assessments. Security Brigade delivers cybersecurity audits for brokers covering IT infrastructure, applications, access controls, and data protection.

What is the difference between an ISNP audit and an annual cybersecurity audit for insurance companies?

An ISNP audit is a one-time pre-launch security audit specifically required before an Insurance Self-Network Platform can go live for online insurance sales. It focuses on the security of the ISNP platform itself, including application testing, data flows, payment integration, and KYC controls. The annual cybersecurity audit is an ongoing requirement for insurance companies covering their entire IT environment, cybersecurity governance, controls, and incident response readiness. Both require CERT-In empanelled auditors.

What happens if an insurance company fails the IRDAI cybersecurity audit?

If an IRDAI cybersecurity audit identifies significant gaps, the insurance company receives a detailed gap analysis and remediation roadmap. The company is expected to close the identified gaps within a defined timeline and undergo revalidation. Persistent non-compliance can result in regulatory action, including conditions on license renewal, restrictions on product launches, and financial penalties. For ISNP platforms, failure means the platform cannot receive approval to go live.

Does the IRDAI cybersecurity audit cover cloud-hosted insurance platforms?

Yes, the IRDAI cybersecurity audit covers cloud-hosted insurance platforms, including AWS, Azure, and other cloud environments. The audit assesses cloud configuration security, data residency, access controls, encryption, backup and recovery, and cloud vendor security controls. Many modern insurance platforms and ISNP portals are cloud-hosted, and the audit scope is adapted to cover the cloud infrastructure alongside application and network security.

Can Security Brigade help with both IRDAI compliance and other regulatory mandates?

Yes, Security Brigade delivers compliance across multiple regulatory frameworks, including IRDAI, RBI, SEBI, CERT-In, UIDAI, NPCI, the DPDP Act, and international standards such as ISO 27001, SOC 2, and PCI DSS. For insurance groups with multiple regulated entities, we can coordinate compliance across IRDAI cybersecurity guidelines, RBI mandates for bank-owned insurance arms, and SEBI requirements for listed insurance entities in a single coordinated engagement.

What does a TPA cybersecurity audit cover under IRDAI?

A TPA cybersecurity audit covers IT infrastructure security, claims management system security, access controls and privileged access management, encryption of health records and claims data, network security, vendor risk assessment for hospital network integrations, business continuity and disaster recovery, and incident response readiness. TPAs handle sensitive medical and financial data, and the audit validates controls proportionate to this data sensitivity.

Ready to Achieve IRDAI Cybersecurity Compliance?

Talk to our compliance team to scope your IRDAI cybersecurity audit, ISNP pre-launch certification, or broker and TPA assessment

Typically responds within 1 business day · No commitment required

Request a Scoping Call