
CERT-In Empanelled VAPT vs ISO 27001 in 2026 — What Each Actually Proves

CERT-In empanelled VAPT vs ISO 27001 — clear 2026 explainer on audit vs certification, what each one proves, where they complement, and which to buy first.

Macksofy Audit Practice · VAPT & ISMS lead · 11 May 2026 · 11 min read

Customers ask 'do we need CERT-In VAPT or ISO 27001?' as if they were alternatives. They aren't. One is a point-in-time technical audit; the other is a management-system certification. Buying the wrong one for your regulatory ask gets you rejected at the next RFP review. Here is what each actually proves in 2026, where they complement, and a 1-page checklist you can take to your CFO.

At a glance
CERT-In Empanelled VAPT
  • Type: Technical audit (point-in-time)
  • Issued by: CERT-In empanelled auditor (~150 firms on the panel)
  • Proves: Vulnerabilities found and fixed in defined scope on a date
  • Output: Signed audit certificate + findings report
  • Recurrence: Typically annual + on material change
  • Cost (India): ₹2L – ₹40L depending on scope
  • Required by: RBI, SEBI, IRDAI, MeitY, sectoral regulators
ISO/IEC 27001:2022 Certification
  • Type: Management-system certification
  • Issued by: Accredited Certification Body (BSI, BV, DNV, TUV, etc.)
  • Proves: You operate a documented ISMS that meets ISO 27001 controls
  • Output: Certificate (3-year cycle) + Statement of Applicability
  • Recurrence: Stage 1 + Stage 2 audit, annual surveillance, 3-year recertification
  • Cost (India): ₹6L – ₹35L over 3 years
  • Required by: Enterprise procurement, global B2B contracts, RFPs

The fundamental distinction: audit vs certification

A CERT-In audit certificate confirms that on a specific date, a CERT-In empanelled auditor performed VAPT against a defined scope and the findings were either closed or risk-accepted. It is technical, narrow, and time-bound. ISO 27001 certification confirms that your organisation operates an Information Security Management System (ISMS) — policies, processes, risk treatments, training, monitoring — that an accredited certification body has assessed against the ISO 27001:2022 standard. It is managerial, broad, and runs on a three-year cycle.

Put differently: CERT-In tells a regulator 'these systems were tested and clean'. ISO 27001 tells a procurement officer 'this organisation manages security in a sustained, documented way'. Different audiences, different evidence, different price tags.

Side-by-side

Dimension        | CERT-In VAPT                                         | ISO 27001:2022
Mandate          | Regulatory (sectoral)                                | Voluntary (driven by procurement / contractual)
Issuing body     | CERT-In empanelled auditor                           | Accredited certification body
Scope            | Specific assets: IPs, apps, AD, cloud workloads      | Whole organisation or defined business unit
Effort           | 5-25 person-days for a mid-size scope                | 60-150 person-days incl. internal effort
Cost (India)     | ₹2L – ₹40L                                           | ₹6L – ₹35L (3-year cycle)
Frequency        | Annual + on change                                   | Stage 1 + Stage 2 + annual surveillance + 3-yr recert
Output           | Audit certificate + technical findings report        | Certificate + Statement of Applicability + audit reports
Validity         | 12 months                                            | 3 years (with annual surveillance)
Required by      | RBI / SEBI / IRDAI / MeitY / power sector / health stack | Enterprise procurement, EU/US B2B contracts, BFSI vendor onboarding
Skill mix        | Pen-testers + auditors                               | ISMS consultants + auditors + GRC
Renewal trigger  | Annual or material change                            | Annual surveillance + 3-yr recertification

CERT-In empanelled VAPT vs ISO 27001:2022 — 2026

What CERT-In empanelled VAPT actually proves

A CERT-In audit produces a Vulnerability Assessment & Penetration Testing report against the scope you signed. The empanelled auditor (an organisation, not an individual) submits a certificate confirming that the testing was performed and findings were tracked to closure. Indian regulators rely on this in three ways: (1) RBI requires CERT-In VAPT for digital banking platforms annually; (2) SEBI's CSCRF requires half-yearly VAPT for Qualified REs; (3) MeitY and sectoral CISOs cite CERT-In empanelment in tenders for government IT systems.

What ISO 27001:2022 actually proves

ISO 27001:2022 certification proves you operate an ISMS — that you have done a risk assessment, picked controls (the Annex A list updated in 2022 to 93 controls in 4 themes), written a Statement of Applicability, run the controls, monitored them, and submitted to external audit. The certificate is recognised globally. For Indian SaaS exporters, ISO 27001 is the procurement door-opener that DPDP and CERT-In are not. Enterprise customers in the US, EU and Middle East will not sign master service agreements without it.

Where they complement

  • ISO 27001 Annex A control 8.8 ('Management of technical vulnerabilities') is operationally satisfied by recurring CERT-In VAPT — one feeds the other
  • ISO 27001 control 5.7 ('Threat intelligence') maps to CERT-In advisories and the CERT-In incident reporting flow
  • CERT-In annual audit can be the technical evidence inside your ISO surveillance audit
  • An ISO-certified vendor still needs a CERT-In audit for RBI/SEBI workloads — they are not substitutes
  • Inside DPDP audit prep, both feed Significant Data Fiduciary annual data audit obligations

Common procurement scenarios

Scenario                                        | What you need                                         | Why
Indian fintech selling to RBI-regulated banks   | Both                                                  | RBI mandates CERT-In; bank procurement mandates ISO 27001
Indian SaaS selling to EU enterprise customers  | ISO 27001 primarily; SOC 2 commonly added             | EU buyers reference ISO; CERT-In is not relevant cross-border
Indian SaaS selling to Indian BFSI only         | CERT-In + ISO 27001                                   | ISO door-opens, CERT-In satisfies the regulator
Government tender (MeitY / state IT)            | CERT-In empanelled                                    | Tender clause explicitly references CERT-In empanelment
Healthcare tech (Indian hospitals)              | CERT-In + HIPAA-equivalent + ISO 27001                | Sectoral + procurement + global expectations
UAE-only SaaS with India operations             | ISO 27001 + DESC/ISR (UAE) + CERT-In for India workloads | UAE regulators recognise ISO; India workloads need CERT-In

Cost timeline for a mid-sized Indian SaaS

A ₹100-crore-revenue Indian SaaS firm we worked with in 2025 sequenced its compliance stack as follows: Year 1 — CERT-In VAPT for product app + internal infra (₹8 lakh); ISO 27001 Stage 1 + Stage 2 (₹14 lakh consulting + ₹6 lakh certification body). Year 2 — CERT-In VAPT (₹8 lakh) + ISO surveillance (₹4 lakh) + SOC 2 Type 1 (₹12 lakh). Year 3 — CERT-In VAPT (₹8 lakh) + ISO surveillance (₹4 lakh) + SOC 2 Type 2 (₹14 lakh) + DPDP SDF readiness (₹18 lakh). Total 3-year compliance run-rate: ₹96 lakh. Below this band, you are under-investing for an Indian SaaS targeting BFSI.

How to vet a CERT-In empanelled auditor

  • Verify the firm appears on the current CERT-In empanelment list — the list is refreshed periodically and lapses do happen
  • Ask for the lead auditor CV — at least one OSCP/CEH + ISO 27001 LA combination is the baseline you should expect
  • Demand the proposed scope-of-work in writing — vague 'web + network VAPT' clauses are how you end up with a ticked checklist instead of an audit
  • Confirm reporting standard — CVSS v3.1 or v4.0, CWE mapping, OWASP Top 10 mapping where applicable
  • Insist on retest within 30-45 days of remediation — without retest, your audit certificate is paper

UAE comparable: where ISR / NESA fit

Indian companies operating in the UAE will be asked for the Information Security Regulation (Dubai Government), the UAE Information Assurance Standards (TDRA), and increasingly DESC's Cybersecurity Standard. None of these are exact CERT-In analogues — they sit closer to ISO 27001 in framing. The cleanest cross-border architecture is ISO 27001:2022 as the management-system spine, with CERT-In VAPT layered for India workloads and ISR/NESA mapping for UAE workloads.

Train with Macksofy

Macksofy's CERT-In VAPT and ISO 27001 dual-track is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.

FAQ

Quick answers.

No — ISO 27001 is voluntary in India. It is mandatory in practice for any Indian SaaS / IT services firm selling to enterprise or BFSI customers, because their procurement teams require it.