Can you handle the full RBI System Audit Report (SAR)?

Yes — Macksofy regularly delivers SARs for RBI-regulated entities including NBFCs, payment aggregators and stock brokers, in the format SEBI / RBI accept.

What about UIDAI / Aadhaar audits?

We perform AUA / KUA / ASA audits per the UIDAI Aadhaar Authentication Operating Model.

What is your turnaround for last-minute regulatory deadlines?

We can compress engagements for last-minute deadlines (within 15–25 working days for typical scopes). Talk to us — we've helped clients meet 30-day-out RBI / SEBI deadlines successfully.

Government of India · MeitY · CERT-In Empanelled

Authority Page

CERT-In Empanelled Audit

The audit your regulator will accept on the first read.

Macksofy is empanelled by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology. Our audits are accepted by SEBI, RBI, UIDAI, IRDAI, payment system operators and every major Indian regulator and certification body — without rework.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Government of India · Ministry of Electronics & IT

CERT-In Empanelled
Information Security Auditor

Authorized to perform regulator-grade audits in India·SEBI · RBI · UIDAI · IRDAI accepted

Why this matters

Compliance is leverage, not paperwork.

CERT-In empanelment is the gold standard for cybersecurity auditors in India. For BFSI entities, payment aggregators, government contractors, regulated fintechs and any organization handling sensitive Indian data, a CERT-In empanelled audit is the only one that satisfies regulator inspection. Macksofy holds active empanelment with the requisite scope to perform information security audits.

Applicability

BFSI: Banks, NBFCs, brokers, AMCs, custodians, RTAs, RIAs
Payment Aggregators / Payment Gateways (RBI authorized)
Government / PSU IT systems (annual audits)
UIDAI Aadhaar ecosystem entities (AUAs, KUAs, ASAs)
Critical Information Infrastructure (CII) per CERT-In
Healthcare entities (NDHM / ABDM)

Methodology

How we run a CERT-In Audit engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 6

1 · Empanelment letter + scoping

3 activities

CERT-In empanelment confirmation to client
Scope per regulator requirement (e.g., RBI System Audit Report)
Engagement letter + RoE

01
1 · Empanelment letter + scoping
- CERT-In empanelment confirmation to client
- Scope per regulator requirement (e.g., RBI System Audit Report)
- Engagement letter + RoE
02
2 · Technical audit (VAPT)
- Annual VAPT per regulator schedule
- Network, application, mobile, cloud as applicable
- Manual exploitation of high-severity findings
03
3 · Process + governance audit
- Information security policy review
- Access management, change management
- Incident response evidence
- Third-party risk management
04
4 · Compliance attestation
- Mapping to specific regulator framework
- Gap identification + closure plan
- Management acceptance + risk treatment
05
5 · Regulator-format report
- CERT-In format report
- RBI System Audit Report (where applicable)
- SEBI cybersecurity attestation (where applicable)
06
6 · Closure + retest
- Free retest of remediated findings within 30 days
- Final closure letter + Macksofy attestation
- Ongoing advisory included in engagement

Deliverables

Everything you need to satisfy auditors.

CERT-In empanelment letter for the engagement
Audit report in regulator-prescribed format
Findings register with risk + ETA + management response
Free retest of remediated findings
Closure letter / Macksofy attestation
Ongoing advisory for regulator inspections

Recent engagements

RBI-regulated Stock Broker (Mumbai)

Annual System Audit Report

Outcome: Submitted to SEBI in CERT-In format inside 12 working days; zero rework

Payment Aggregator (RBI-authorized)

Annual cybersecurity audit per RBI guidelines

Outcome: All controls validated; remediation closed within 60 days

At a glance

The shape of a CERT-In Audit engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0+ yrs

Years CERT-In empanelment

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Governance & policy review3 pts
Technical security audit3 pts
Incident-response readiness3 pts
Third-party & supply chain3 pts
Audit pack & evidence3 pts
Continuous monitoring uplift3 pts

Pillar 01

Governance & policy review

Board-level accountability through to operator-level execution.

InfoSec policy, charter, RACI
Risk-management framework alignment
Asset & data classification review

Pillar 02

Technical security audit

Hands-on testing against the production estate — not a paper review.

External + internal VAPT in CERT-In format
Configuration & patch-management evidence
Vulnerability backlog with CVSS 3.1 + remediation effort

Pillar 03

Incident-response readiness

Validating that CERT-In's 6-hour reporting rule actually fires.

IR plan + playbook walk-through
Detection-and-response capability assessment
CERT-In incident-reporting drill

Pillar 04

Third-party & supply chain

Vendor and cloud-provider exposure mapped end to end.

Vendor security questionnaire & contract review
Cloud-shared-responsibility evidence
Critical SaaS dependency mapping

Pillar 05

Audit pack & evidence

Submission-ready artefacts in the format CERT-In actually reads.

CERT-In format executive + technical report
Evidence vault keyed to control statements
Remediation tracker + 30-day retest letter

Pillar 06

Continuous monitoring uplift

What you keep running once the audit ships.

SOC use-case backlog seeded from audit findings
Quarterly self-attestation template
Year-2 readiness roadmap

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a CERT-In Audit engagement. Click any station for detail in the methodology section above.

Week 1

Empanelment letter + scoping

Week 2

Technical audit (VAPT)

Week 3

Process + governance audit

Week 4

Compliance attestation

Week 5

Regulator-format report

Week 6

Closure + retest

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

Yes — Macksofy Technologies holds active CERT-In empanelment for information security audits in India. Empanelment letter is provided at engagement kickoff.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.