HomeServicesTransformation & TechCyber & Information Security Assessments

Transformation & Tech · IT Risk & Technology Assurance

Cyber & Information Security Assessments

Most cyber security assessments are written by technologists for technologists — long on vulnerability scan output, short on what the Board, the statutory auditor, or the regulator actually needs to see.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Most cyber security assessments are written by technologists for technologists — long on vulnerability scan output, short on what the Board, the statutory auditor, or the regulator actually needs to see. PNPC Global assesses your cyber security posture the way a practising CA firm assesses risk: technically rigorous, but translated into business impact, control gaps, financial exposure, and regulatory obligation — under the IT Act 2000, CERT-In directions, SEBI CSCRF (for listed and regulated entities), RBI guidelines (for NBFCs and regulated financial entities), and where relevant, UAE cybersecurity and data protection requirements. Since 1986 we have sat on the finance, audit, and governance side of hundreds of businesses; that is the vantage point that makes our cyber assessment different from a pure penetration-testing vendor's report — we tell you not just what is vulnerable, but what it means for your audit opinion, your Board's fiduciary duty, your cyber insurance renewal, and your next funding round.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What Cyber & Information Security Assessments is

A Cyber & Information Security Assessment, as delivered by PNPC Global, is a structured review of an organisation's technology environment, data handling practices, and information security controls, benchmarked against recognised frameworks (ISO/IEC 27001, NIST Cybersecurity Framework, CIS Controls) and against the specific statutory and regulatory obligations that apply to Indian (and, where relevant, UAE) entities. It typically includes a vulnerability assessment of external and internal-facing systems, a review of access controls and data governance practices, an evaluation of the organisation's incident response readiness, and a gap analysis against CERT-In's cyber security directions (issued under Section 70B of the IT Act 2000), which mandate incident reporting within 6 hours of detection for specified categories of cyber incidents, log retention for 180 days within Indian jurisdiction, and other obligations that apply broadly to bodies corporate operating in India.

The distinction from a pure technical penetration-testing engagement is where the assessment starts and what it is written for. A penetration test report is written for your IT team — a list of exploitable vulnerabilities ranked by CVSS score. PNPC's assessment is written for three audiences simultaneously: your technical team (who needs the vulnerability detail to remediate), your Board and leadership (who needs to understand business risk, financial exposure, and fiduciary obligation in plain language), and your compliance function (who needs to demonstrate to auditors, regulators, investors, or cyber insurers that a structured, documented assessment was performed and acted upon). For listed companies and market infrastructure institutions, SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) sets out specific structured requirements; for banks and NBFCs, RBI's cyber security framework and guidelines on outsourcing and IT governance apply; for most other bodies corporate, the IT Act 2000, the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, and CERT-In's directions form the baseline. Where the Digital Personal Data Protection Act, 2023 provisions and rules come into force and apply to a business's processing of personal data, data protection obligations layer on top of the cyber security assessment.

We deliberately assess cyber risk the way we assess financial risk — materiality-driven, control-focused, and documented in a way that survives scrutiny from a statutory auditor, an investor's technical due diligence team, or a regulator's examination. A vulnerability that a pure technical vendor rates 'medium' on a CVSS scale might be a 'high' business risk if it sits on the system that processes customer payment data or investor KYC records — and a 'low' technical finding might carry outsized reputational or contractual risk if it breaches a specific client's data-processing agreement. We assess both dimensions together, because a report that only speaks the language of vulnerability scanners is not one your Board, your auditor, or your cyber insurer can actually act on.

A cyber security assessment is distinct from — but closely related to — cyber insurance readiness, SOC 2 or ISO 27001 certification preparation, and Digital Personal Data Protection Act compliance advisory. Many clients engage PNPC for the assessment first, then use its findings as the foundation for a certification roadmap, an insurance application, or a formal data protection compliance programme, since the underlying control gaps identified are frequently the same across all three.

When a Cyber & Information Security Assessment adds real value

You have never had a structured, documented security assessment performed, and leadership, your Board, or an investor is now asking what your actual cyber risk exposure looks like

You are preparing for a funding round, acquisition, or major enterprise/government client contract, and technical due diligence or vendor security questionnaires are now a real part of the process

You process customer payment data, health records, investor KYC documents, or other sensitive personal data, and want to understand your obligations under the IT Act, SPDI Rules, and the Digital Personal Data Protection Act framework as it comes into force

You are applying for cyber insurance for the first time, or renewing a policy, and the insurer is requesting evidence of a security assessment and defined controls before underwriting

A CERT-In-reportable incident (or a near-miss) has occurred, or you want to establish incident response readiness proactively before one does — CERT-In directions require reporting within 6 hours of detection for specified incident categories

You are a listed company, market intermediary, bank, or NBFC subject to SEBI CSCRF or RBI cyber security guidelines, and need a structured assessment to demonstrate compliance to your Board and regulator

You are scaling technology infrastructure (new cloud environment, new SaaS vendors, new India-UAE data flows) and want a baseline security posture assessment before, not after, a breach forces the conversation

When this is not the right engagement

You need a specific, narrow technical penetration test of a single application with a fixed technical deliverable and no business/compliance translation layer — a specialist pen-testing vendor working to a fixed technical scope may be more cost-effective for that narrow need alone

You are looking for 24x7 Security Operations Centre (SOC) monitoring, managed detection and response, or continuous threat-hunting services — PNPC's assessment is a structured point-in-time (or periodic) review, not a continuous managed security service; we can recommend and coordinate with specialist MDR/SOC providers where that is the actual need

You need hands-on remediation — patching servers, rewriting insecure code, reconfiguring firewalls — PNPC identifies and prioritises the gaps; the technical remediation itself is typically performed by your in-house IT team or a technical implementation partner, which we can help you select and oversee

You are a very early-stage business with no customer data, no funding round in sight, and minimal technology footprint — a lighter-touch security hygiene review may be more proportionate than a full structured assessment at this stage

You require formal ISO/IEC 27001 or SOC 2 Type II certification audit services from an accredited certification body — PNPC can prepare you for that certification and identify gaps against the standard, but the formal certification audit itself must be performed by an accredited certification body, which is a separate, subsequent engagement

Structure Comparison

Approaches to cyber security assessment — how they compare

ApproachWho Leads ItBusiness/Compliance TranslationTypical DeliverableBest Suited For
Automated vulnerability scanner (self-run)Internal IT team using an off-the-shelf scanning toolNone — raw technical output only, no business risk or regulatory framingA list of flagged vulnerabilities with CVSS scores, unranked by business impactOngoing technical hygiene monitoring by an already-mature in-house IT/security team
Pure penetration testing vendorTechnical security specialists, engagement scoped narrowly to systems testedLow — report is written for a technical audience, not the Board or auditorTechnical vulnerability report ranked by exploitability, limited business/regulatory contextBusinesses that already have in-house or advisory-level compliance translation and only need the technical testing layer
Big-4 / large cyber consultancyLarge advisory firm's dedicated cyber practiceHigh, but typically at a cost structure scaled for large enterprise engagementsComprehensive report with governance framing, often bundled with broader technology advisoryLarge enterprises and listed companies with the budget and internal bandwidth for an enterprise-scale engagement
PNPC Cyber & Information Security AssessmentPractising CA firm, technically rigorous and compliance/business-literateHigh — every finding translated into IT Act/CERT-In/SEBI CSCRF/RBI obligation, financial exposure, and Board-level language, scoped proportionately to your sizeAssessment report readable by technical staff, the Board, your statutory auditor, and your cyber insurer, with a prioritised remediation roadmapOwner-managed businesses, startups, and mid-sized enterprises across India and the UAE that need rigour without an enterprise-scale price tag
Do nothing / deferNo oneN/ANo documented assessment — exposure is unquantified and undocumentedNot a sustainable posture for any business handling customer data, seeking investment, or subject to sectoral regulation

This table is directional. The right approach depends on your sector, regulatory obligations (SEBI CSCRF, RBI guidelines, or general IT Act/CERT-In baseline), technology footprint, and whether a specific trigger (funding round, insurance renewal, incident, contract requirement) is driving the engagement. A scoping conversation with a PNPC CA is the right starting point.

How it works
#Stage & What PNPC DoesWhy This Matters (What Pure Technical Vendors Miss)Timeline
1Scoping & Regulatory Mapping — identifying which frameworks actually apply to youWe ask what a generic scanning vendor does not: are you a listed entity or market intermediary subject to SEBI CSCRF? A bank or NBFC subject to RBI cyber security guidelines? Do you process personal data at a scale that brings the Digital Personal Data Protection Act framework into clearer focus? Do you have a UAE entity with its own data protection obligations? These answers determine assessment scope and which control benchmarks apply — before any scan is run.Week 1
2Asset & Data Inventory — mapping systems, data flows, and third-party vendorsWe map not just your servers and applications but where sensitive data actually lives — customer PII, payment data, investor KYC, employee records — and which third-party SaaS vendors and cloud providers touch it. A technical scan of your infrastructure alone misses data sitting in an unassessed third-party tool that carries the same regulatory exposure.Week 1–2
3External & Internal Vulnerability Assessment — technical scanning of internet-facing and internal systemsWe run recognised scanning methodologies against your external attack surface (websites, APIs, exposed services) and, where in scope, internal network segments — but the technical output is only the starting point of our report, not the whole of it.Week 2–3
4Access Control & Identity Review — who can access what, and how that access is governedA vulnerability scan does not catch a departed employee's account still active six months later, or an admin-level credential shared across an entire team with no individual accountability. We review access provisioning, de-provisioning, and privilege escalation controls — a frequent source of real-world breaches that scanners do not detect.Week 2–3, run in parallel with technical scanning
5Policy & Governance Review — written information security policies, or the absence of themWe review (or note the absence of) an information security policy, an acceptable use policy, a data retention and disposal policy, a vendor risk management process, and a documented incident response plan. Regulators, auditors, and insurers ask for these documents by name — a technically secure environment with no written policy still fails that evidentiary test.Week 3
6Incident Response Readiness Assessment — can you actually meet the CERT-In 6-hour reporting window?CERT-In's directions under Section 70B of the IT Act require reporting of specified cyber incidents within 6 hours of detection, and mandate that ICT system logs be maintained and stored securely for a rolling period of 180 days within Indian jurisdiction. Most organisations without a prior structured assessment cannot actually meet this window because no one has defined who detects, who decides, and who reports. We test this readiness explicitly.Week 3–4
7Regulatory Gap Analysis — mapping findings against IT Act, CERT-In, SEBI CSCRF, RBI guidelines, and DPDP Act as applicableThis is where a pure technical report stops short. We map every material finding to the specific statutory or regulatory obligation it relates to, so your Board and compliance function see not just 'this port is open' but 'this gap creates exposure under [specific regulatory obligation]'.Week 4
8Risk Rating & Business Impact Translation — every finding scored for business, not just technical, severityWe re-rank findings by business materiality, not CVSS score alone — a medium-severity technical finding on a system holding customer payment data is treated as high priority; a critical-severity finding on an isolated, non-sensitive test environment is deprioritised accordingly.Week 4–5
9Draft Report & Management Presentation — walked through with leadership, not just emailedWe present findings directly to founders, the Board, or the relevant leadership function — explaining what each finding means in plain business language, what the realistic remediation cost and timeline look like, and which findings are genuinely urgent versus which can be sequenced over a longer roadmap.Week 5
10Prioritised Remediation Roadmap — sequenced by risk, dependency, and costWe do not hand over an undifferentiated list of 40 findings and leave you to sequence it. We sequence remediation by realistic risk reduction per unit of effort and cost, so limited budget and IT bandwidth are spent on the highest-impact items first.Week 5–6
11Policy & Documentation Support — drafting or updating the written policies your assessment identified as missingWhere the assessment identifies missing or outdated policies (information security policy, incident response plan, data retention policy, vendor risk management process), PNPC drafts or substantially updates these documents as part of the engagement, rather than simply flagging their absence and leaving you to draft them.Week 6–8, scoped per client need
12Remediation Verification — re-testing after fixes are implementedA finding marked 'remediated' by an internal team without independent verification is a common source of false assurance. We re-test critical and high findings after remediation is reported complete, to confirm the fix actually closes the gap rather than merely masking the symptom.4–8 weeks after remediation begins, scoped per finding
13Ongoing Advisory — periodic reassessment and readiness for the next milestoneCyber risk is not a one-time assessment. New vendors, new cloud environments, regulatory updates (DPDP Act rules coming into force, CERT-In direction updates, SEBI CSCRF revisions), and business growth events (funding round, new UAE entity, new product line) each warrant a reassessment. We recommend a periodic cadence rather than treating the first assessment as a permanent state of assurance.Recommended annually, or at major milestones — PNPC on call

Realistic end-to-end timeline for a full assessment: 5–8 weeks from scoping to final report and remediation roadmap for a mid-sized single-entity business; shorter for a narrowly scoped assessment, longer for multi-entity or India-UAE scope with SEBI CSCRF or RBI-regulated obligations layered in. Remediation verification and policy drafting are typically scoped as a follow-on phase after the initial assessment concludes.

Document Checklist
Organisational & Regulatory Context

Confirmation of entity type and sector — listed company, market intermediary, bank/NBFC, general body corporate, or UAE entity — to determine which regulatory framework (SEBI CSCRF, RBI guidelines, general IT Act/CERT-In baseline, UAE cybersecurity requirements) applies

List of jurisdictions in which the business operates and processes data, including any UAE or other overseas entity

Any existing cyber insurance policy, including the insurer's questionnaire or renewal requirements, if this assessment is being driven by an insurance application or renewal

Details of any prior security incident, near-miss, or regulatory notice received, even informally described

Technology Infrastructure Inventory

List of all internet-facing systems — website, customer portal, APIs, any publicly accessible applications — including hosting provider and domain details

Network architecture overview or diagram, even if informal — internal segments, cloud environments (AWS/Azure/GCP), on-premise infrastructure

List of all SaaS vendors and third-party tools that store or process business or customer data (accounting software, CRM, HR/payroll systems, communication tools)

Inventory of endpoints (laptops, servers, mobile devices) and whether they are centrally managed (MDM/endpoint protection) or unmanaged

Data & Access Governance

Description of what categories of sensitive data the business collects, stores, or processes — customer PII, payment card data, health records, investor KYC, employee data

Current access control approach — who has administrative access to key systems, and whether access is reviewed periodically

Any existing data retention or data disposal practice, formal or informal

List of employees or contractors who have left in the past 12 months and confirmation of whether their system access was formally revoked

Existing Policies & Documentation

Any existing information security policy, acceptable use policy, or IT usage guidelines, even in draft form

Any existing incident response plan or breach notification procedure

Any existing vendor risk management process or third-party due diligence checklist used when onboarding new SaaS/technology vendors

Any prior security assessment, penetration test report, or audit finding related to technology or data security

Business Context & Triggers

A plain-language statement of what triggered this assessment — funding round, insurance application, client/vendor security questionnaire, incident, proactive governance, or regulatory requirement

Any specific client, investor, or regulator deadline this assessment needs to meet

Growth plans for the next 12–24 months (new markets, new data types, new UAE or overseas operations) that the assessment scope should anticipate

Budget range available for remediation, so the roadmap PNPC proposes is realistic rather than aspirational

For SEBI-Regulated, RBI-Regulated, or UAE-Entity Engagements (Additional)

For listed companies/market intermediaries: prior SEBI CSCRF compliance documentation, Board-approved cyber security policy, and details of the designated Chief Information Security Officer (CISO) or equivalent role, where applicable

For banks/NBFCs: prior RBI cyber security framework self-assessment, IT outsourcing policy, and Board IT Strategy Committee minutes, where applicable

For UAE entities: details of any UAE data protection or cybersecurity registration/compliance already undertaken (relevant free zone or federal requirements), and the UAE entity's own data flows to/from India

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Initial Assessment (Week 1–6)First structured review, or a specific trigger (funding, insurance, contract, incident)Scoping and regulatory mapping, technical vulnerability assessment, access and governance review, business-impact-translated report with prioritised remediation roadmap.Undocumented, unquantified cyber risk; inability to answer investor/insurer/regulator questions about security posture with evidence.
Remediation (Month 2–4)Assessment findings accepted and prioritisedSequenced remediation roadmap by risk and cost; policy and documentation drafting for identified gaps; coordination with your internal IT team or a technical implementation partner.Findings acknowledged but not acted upon — the single most common reason an assessment fails to reduce actual risk, and a poor look if surfaced later in due diligence or a regulatory examination.
Verification (Month 3–5)Remediation reported complete by internal/technical teamIndependent re-testing of critical and high findings to confirm the fix actually closes the gap, not merely masks the symptom.False assurance — a finding marked 'fixed' internally without independent verification can remain exploitable, discovered only during an actual incident or a subsequent formal audit.
Incident Readiness DrillPost-remediation, or proactively at any stageTesting whether the organisation can actually meet the CERT-In 6-hour reporting window for specified incident categories — who detects, who decides, who reports, and to whom.A real incident is the wrong time to discover that no one knows the reporting obligation exists, or that log retention does not meet the 180-day requirement under CERT-In directions.
Certification Roadmap (If Pursued)Business decides to pursue ISO/IEC 27001 or SOC 2 Type II certificationGap analysis against the specific certification standard, building on the initial assessment's findings; coordination toward engaging an accredited certification body for the formal audit.Pursuing certification without addressing the underlying control gaps identified in the initial assessment typically results in a failed or significantly delayed certification audit.
Funding Round / Due Diligence EventTerm sheet or acquisition interestAssessment report and remediation evidence packaged for technical due diligence; gap closure on any finding likely to surface as a diligence red flag.Unaddressed security findings surfacing for the first time during investor technical due diligence can delay, reprice, or in serious cases derail a funding round.
Recurring ReassessmentAnnual, or at major milestones (new vendor, new cloud environment, new entity, regulatory update)Periodic reassessment scoped to what has changed since the last review — new SaaS vendors, new data types, DPDP Act rule updates, SEBI CSCRF or RBI guideline revisions.A point-in-time assessment that is never repeated becomes stale; new vendors and new data flows introduce risk that the original assessment never covered.
Post-Incident ReviewAn actual security incident occursIncident response coordination, CERT-In reporting support within the 6-hour window where applicable, root-cause analysis, and revised remediation roadmap informed by what actually happened.Inadequate or delayed incident response and reporting compounds regulatory exposure on top of the underlying breach, and a poorly documented incident response can itself become a compliance finding.
Frequently asked
What exactly does a Cyber & Information Security Assessment from a CA firm cover — is this the same as a penetration test?

It includes technical vulnerability assessment (similar in method to what a penetration testing vendor performs), but goes further — access control review, policy and governance review, incident response readiness, and a regulatory gap analysis mapping findings to the IT Act 2000, CERT-In directions, and where applicable SEBI CSCRF or RBI guidelines. A pure penetration test report is written for your IT team; our assessment is written to also be usable by your Board, your statutory auditor, and your cyber insurer.

Practitioner noteWe are frequently engaged after a client has already commissioned a technical penetration test from a specialist vendor and then found the report unusable for a Board presentation or an investor's due diligence questionnaire — because it speaks only the language of CVSS scores. We translate that same technical rigour into business and regulatory language.
We are a small business with no dedicated IT team. Is this assessment relevant at our scale?

Often yes, if a real trigger exists — you process customer payment data, you are applying for cyber insurance, an enterprise client's vendor security questionnaire now requires evidence of an assessment, or you are raising a funding round. For a genuinely early-stage business with minimal technology footprint and no customer data at risk, a lighter-touch security hygiene review may be more proportionate, and we will recommend that scope rather than oversell a larger engagement.

Practitioner noteWe scope every assessment to actual risk and actual triggers. A 13-stage full assessment is right for a business processing sensitive data at scale; a smaller business with a narrow trigger may only need a subset of that process, at a correspondingly smaller fee.
What is CERT-In, and what are the reporting obligations under its directions?

CERT-In (the Indian Computer Emergency Response Team) is the national nodal agency for cyber security incident response, operating under Section 70B of the Information Technology Act, 2000. Its directions issued in 2022 require reporting of specified categories of cyber security incidents to CERT-In within 6 hours of detection or being brought to notice, and mandate that service providers, intermediaries, data centres, body corporates, and government organisations maintain and securely store specified ICT system logs for a rolling period of 180 days, within Indian jurisdiction. Specific incident categories covered are set out in the directions and include events such as data breaches, ransomware attacks, and unauthorised access to critical systems, among others.

Practitioner noteThe 6-hour window is genuinely tight, and most organisations without a prior structured assessment discover during an actual incident that no one had defined who detects, who decides to report, and who actually files the report. We test this readiness as a specific stage of our assessment, before an incident forces the question.
Does the Digital Personal Data Protection Act, 2023 (DPDP Act) apply to our business, and how does that relate to this assessment?

The DPDP Act, 2023 establishes a framework for the processing of digital personal data in India, with obligations on 'Data Fiduciaries' (broadly, entities that determine the purpose and means of processing personal data) around consent, purpose limitation, data security safeguards, and breach notification. Applicability and the detailed compliance timeline depend on the rules and notifications issued to bring specific provisions into force, and businesses should verify current applicability rather than assume a fixed effective date. Where the Act's provisions apply to your data processing, the security safeguards required overlap substantially with the control areas our cyber security assessment already covers — access control, data governance, incident response, and breach notification readiness.

Practitioner noteWe treat the DPDP Act as an evolving compliance layer on top of the existing IT Act/CERT-In baseline rather than a fully separate exercise — much of what a well-executed cyber security assessment identifies and remediates also strengthens DPDP Act readiness. We flag DPDP-specific gaps explicitly where they diverge from general cyber security practice.
We are a listed company. Does SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) apply to us, and how does PNPC address it?

SEBI's CSCRF applies to specified categories of SEBI-regulated entities, including listed companies (in specified categories), market infrastructure institutions, and various intermediaries, and sets out structured requirements around governance, identification of critical systems, protection, detection, response, and recovery, along with reporting obligations. Applicability varies by the specific category of regulated entity, so the first step in our engagement for any SEBI-regulated client is confirming exactly which CSCRF requirements apply to your specific entity category. We map our assessment findings directly against the applicable CSCRF requirements so your Board and compliance officer can demonstrate structured compliance.

Practitioner noteCSCRF applicability and specific requirements differ meaningfully by entity category — we do not apply a one-size-fits-all checklist. Confirming your exact regulatory category is the first, non-negotiable step before we scope a CSCRF-aligned assessment.
We are an NBFC/bank. What does RBI expect regarding cyber security?

RBI has issued cyber security frameworks and guidelines applicable to banks and, separately, to NBFCs, covering governance (Board-level oversight, often through an IT Strategy Committee), risk management, IT outsourcing due diligence, and incident reporting expectations. The specific requirements and thresholds vary by the category and scale of the regulated entity. Our assessment for RBI-regulated clients maps findings against the applicable RBI framework and helps prepare the documentation your Board and RBI examination process will expect to see.

Practitioner noteRBI-regulated clients should treat cyber security assessment as a Board governance matter, not purely an IT department exercise — RBI's framework places real emphasis on demonstrated Board-level oversight, which is a documentation and governance requirement as much as a technical one.
How long does a Cyber & Information Security Assessment take?

A full assessment — scoping, technical testing, access and governance review, regulatory gap analysis, and a prioritised remediation roadmap — typically takes 5–8 weeks for a mid-sized single-entity business. A narrower, specifically scoped assessment (for example, addressing a single insurer's questionnaire) can be completed faster. Multi-entity engagements, or those layering in SEBI CSCRF or RBI-specific requirements, typically take longer. Remediation verification is a separate follow-on phase after the initial report.

Practitioner noteThe most common timeline variable is not the technical testing — it is how quickly the client's internal team can produce the asset inventory, existing policy documents (or confirm their absence), and access to systems that need to be reviewed. We build the project plan around your organisation's actual readiness to provide this information.
What frameworks do you assess against — ISO 27001, NIST, something else?

We benchmark against internationally recognised frameworks — principally ISO/IEC 27001 control domains, the NIST Cybersecurity Framework, and CIS Controls — while layering in the specific statutory and regulatory obligations that actually apply to your entity under Indian law (IT Act 2000, CERT-In directions, SEBI CSCRF, RBI guidelines as applicable) and, for UAE entities, relevant UAE cybersecurity and data protection requirements. The framework blend is scoped to your sector and regulatory profile rather than applied as a single fixed checklist.

Practitioner noteWe are explicit with clients about which framework elements are 'good practice benchmarking' versus 'mandatory legal/regulatory obligation' — the distinction matters when prioritising remediation budget, because regulatory obligations carry direct compliance consequences that pure best-practice gaps do not.
Can this assessment help us get cyber insurance, or get a better premium?

Yes, this is a common and specific trigger for engaging us. Cyber insurers increasingly request evidence of a structured security assessment, documented policies, and defined incident response readiness before underwriting or renewing a policy, and a demonstrably lower-risk posture can support more favourable terms. We scope the assessment to directly address the specific questionnaire or evidentiary requirements your insurer or broker has requested, where that is the driving trigger.

Practitioner noteWe ask to see the insurer's actual application questionnaire early in scoping wherever insurance is the trigger — this lets us make sure the assessment produces the specific evidence the insurer is asking for, rather than a generically thorough report that still leaves gaps against that particular questionnaire.
We are preparing for a funding round. Will investors actually ask about our cyber security posture?

Increasingly, yes — technical and security due diligence is now a standard component of institutional investor diligence, particularly for businesses handling customer data, payment information, or operating in regulated sectors. A documented, structured cyber security assessment with an accompanying remediation roadmap materially improves the diligence experience and reduces the risk of last-minute findings that delay or reprice a term sheet.

Practitioner noteWe have seen technical due diligence findings — an unpatched critical vulnerability, no access control discipline, no incident response plan — surface late in a funding process and create real friction at exactly the wrong moment. Addressing this proactively, months ahead of an active fundraise, is far less disruptive.
What does the assessment actually cost, and how is PNPC's fee structured?

Fees depend on scope — the number of systems and data flows in scope, the depth of technical testing required, whether SEBI CSCRF/RBI-specific mapping is needed, and whether policy drafting and remediation verification are included. We provide a written scope and fee proposal before any engagement begins; there is no fixed published price because the right scope varies significantly with business size, sector, and regulatory profile.

Practitioner noteWe deliberately scope and price to the actual risk and regulatory profile in front of us — a single-entity startup with a narrow web application and no regulated-sector obligations requires meaningfully less work than a listed NBFC subject to both SEBI CSCRF and RBI guidelines. Ask for a scoping conversation before assuming cost from a generic price list.
Do you perform the actual technical penetration testing yourselves, or subcontract it?

Our engagement combines PNPC-led scoping, business/regulatory translation, governance and policy review, and reporting, together with technical vulnerability testing performed to recognised methodology — either by our own technical resources or through a vetted technical testing partner, depending on the depth and specialisation the engagement requires (for example, specialised mobile application or IoT testing may call in a particular specialist). Regardless of who performs the technical testing component, PNPC leads the engagement, owns the regulatory mapping, and presents the final report and roadmap.

Practitioner noteWe are transparent about which parts of any given engagement are performed directly by PNPC and which involve a vetted technical partner — clients should always know exactly who touched their systems and under what confidentiality and scope terms.
What is the difference between a vulnerability assessment and a penetration test, and which does PNPC perform?

A vulnerability assessment identifies and catalogues known weaknesses (misconfigurations, unpatched software, weak access controls) typically using automated scanning tools supplemented by manual review. A penetration test goes further — actively attempting to exploit identified vulnerabilities to demonstrate real-world impact, typically performed manually by a skilled tester. Our standard assessment includes a vulnerability assessment as a core component; deeper penetration testing (including exploitation) is scoped as an additional layer where the engagement's risk profile and budget justify it — we recommend the right depth rather than defaulting to the most expensive option.

Practitioner noteFor most owner-managed businesses and startups, a well-executed vulnerability assessment combined with governance and access review delivers most of the practical risk reduction at a fraction of the cost of full exploitation-based penetration testing — we are candid about this trade-off rather than always upselling the deeper (and more expensive) testing depth.
Will the assessment disrupt our live systems or cause downtime?

We scope technical testing to minimise disruption risk — typically scheduling any testing likely to have production impact during low-traffic windows, and using non-destructive testing methodologies for production systems by default. Where deeper, potentially disruptive testing (such as certain exploitation techniques) is in scope, we agree this explicitly with you in advance, including timing and rollback expectations, rather than running it without prior agreement.

Practitioner noteWe ask clients directly whether any system in scope is business-critical with zero tolerance for even brief disruption, and adjust our testing methodology and timing accordingly — this is a scoping conversation we have explicitly before testing begins, not an assumption we make.
What happens if the assessment finds a critical vulnerability that is actively being exploited right now?

If we identify evidence of an active, ongoing compromise during the assessment — as opposed to a theoretical vulnerability — we notify you immediately, outside the normal reporting timeline, so you can begin incident response without waiting for the full assessment report. Where the incident meets CERT-In's reportable categories, we advise on the reporting obligation and timeline immediately.

Practitioner noteThis has happened in practice — an assessment intended as a routine, proactive exercise uncovering signs of an existing, undetected compromise. Immediate escalation outside the normal reporting cadence is standard practice for us in that scenario, not an exception we make reluctantly.
Do you provide a written report, and who is it addressed to?

Yes — a written report structured in layers: an executive summary for the Board/leadership in plain business language, a regulatory gap analysis mapped to applicable frameworks, a detailed technical findings section for your IT team, and a prioritised remediation roadmap with realistic sequencing and cost guidance. The report is designed to be usable directly with your statutory auditor, your cyber insurer, or an investor's due diligence team without requiring translation.

Practitioner noteWe have seen technical-only reports from other vendors sit unread by the people who actually needed to act on them — a founder or Board member who cannot parse a CVSS-scored vulnerability list will not act on it. Our layered report format exists specifically to solve that problem.
How does PNPC prioritise which findings to fix first?

We rank findings by business materiality, not technical severity score alone — factoring in what data or system the vulnerability exposes, how easily it could realistically be exploited, what regulatory or contractual obligation it relates to, and the realistic cost and effort to remediate. A technically 'critical' finding on an isolated test environment with no sensitive data may be deprioritised below a 'medium' finding on a system processing customer payment data.

Practitioner noteWe explicitly walk clients through the reasoning behind our prioritisation, not just the ranked list — because leadership needs to understand why item 3 outranks item 1 on a pure technical severity scale, in order to trust and act on the sequencing we recommend.
Can PNPC help us actually fix the issues the assessment identifies, or only diagnose them?

We do not perform hands-on technical remediation ourselves (patching servers, rewriting code, reconfiguring infrastructure) — that work is typically done by your in-house IT team or a technical implementation partner. What PNPC does provide is the prioritised roadmap, guidance on what 'good' looks like for each finding, drafting or updating of the policy and governance documents the assessment identifies as missing, and independent re-testing to verify that reported remediation actually closes the gap.

Practitioner noteWe deliberately keep assessment and hands-on technical remediation separated where possible — an assessor who also implements the fix and then verifies their own work creates a conflict of interest. Independent verification is more credible to a Board, auditor, or investor when the same firm did not also do the remediation.
How often should a business repeat this assessment?

We generally recommend an annual reassessment as a baseline, with an additional review triggered by significant change events — a new major SaaS vendor or cloud environment, a new UAE or overseas entity, a funding round or acquisition, or a relevant regulatory update (new CERT-In direction, SEBI CSCRF revision, DPDP Act rules coming into force). A one-time assessment that is never repeated becomes stale as your technology environment and the regulatory landscape both evolve.

Practitioner noteWe flag this explicitly in every engagement's final report — a cyber security assessment is a snapshot, not a permanent certification of safety. Clients who treat the first assessment as a one-time exercise are, in our experience, the ones most likely to be caught out by a subsequently introduced vendor or system that was never assessed.
We already have an in-house IT/security team. Is an external assessment still worth it?

Yes, frequently — an independent, external assessment provides a second opinion that internal teams, however skilled, cannot fully replicate for themselves, both because of genuine blind spots and because Boards, auditors, investors, and insurers generally place more evidentiary weight on an independent assessment than on an internal team's self-assessment. In these engagements, PNPC often works collaboratively with the internal team rather than duplicating their day-to-day work — validating their existing controls and identifying gaps they may not have prioritised.

Practitioner noteAn internal IT/security lead is very often the person who requests this engagement — not from lack of confidence in their own work, but because an independent, documented assessment carries more weight with the Board, auditors, and outside parties than an internal self-certification, and because a second set of eyes genuinely does catch things.
We operate in both India and the UAE. How does PNPC handle cross-border data and security considerations?

With offices in Chennai, Bangalore, Hyderabad, and Dubai, we assess both the Indian entity's obligations (IT Act, CERT-In, SEBI CSCRF or RBI guidelines where applicable, and the DPDP Act as it comes into force) and the UAE entity's cybersecurity and data protection obligations, plus the cross-border data flow between them, as a single coordinated assessment rather than two disconnected reviews handled by unrelated firms in each jurisdiction.

Practitioner noteWe frequently find India-UAE groups have assessed each entity's security posture separately, with no one having reviewed the data flow and access arrangements between the two — which is often where the most material, and most overlooked, risk actually sits.
What is the difference between this service and PNPC's Digital Transformation Advisory?

Digital Transformation Advisory is broader — it covers technology roadmap planning, ERP/accounting software selection, and finance/compliance process design, with basic access-control and data-governance hygiene addressed as one component of that broader control design. Cyber & Information Security Assessment is a focused, deeper review specifically of your security posture, technical vulnerabilities, and regulatory cyber obligations. In practice, the two are complementary — a Digital Transformation Advisory engagement will often flag the need for a dedicated cyber assessment, and a cyber assessment's findings frequently inform a subsequent technology roadmap.

Practitioner noteWe do not force clients into one framing over the other. If your immediate concern is specifically security and regulatory cyber risk, this is the right engagement; if the concern is broader systems and process design with security as one component, Digital Transformation Advisory may be the better starting point. We will recommend whichever fits your actual need.
Does the assessment cover cloud environments (AWS, Azure, GCP), or only on-premise infrastructure?

Yes — cloud environment configuration is a core component of the assessment for any business using cloud infrastructure, given how common cloud misconfiguration (overly permissive storage bucket access, exposed management consoles, weak identity and access management configuration) is as a real-world breach cause. We review cloud configuration against the relevant cloud provider's security best practices and the same regulatory framework applied to the rest of the assessment.

Practitioner noteCloud misconfiguration — not sophisticated external attack — is the single most common root cause we encounter in real-world incidents among our client base and in the broader industry. We treat cloud configuration review as a mandatory component, not an optional add-on, for any client using cloud infrastructure.
Can this assessment help us respond to a specific client's or partner's vendor security questionnaire?

Yes — this is a common and specific trigger. Enterprise and institutional clients increasingly require vendor security questionnaires or SOC 2/ISO 27001 evidence before onboarding a new supplier. We can scope the assessment specifically to generate the evidence and documentation your counterparty's questionnaire requires, rather than a full generic assessment, where that is the actual driving need.

Practitioner noteWe ask to see the actual questionnaire early in scoping wherever a specific counterparty's requirement is the trigger — questionnaires vary significantly in what they actually ask for, and scoping precisely to the real requirement avoids both under-delivery and unnecessary over-scoping.
Who at PNPC actually delivers this assessment — is it a CA, or a separate technology team?

The engagement is led by a practising Chartered Accountant with governance, risk, and compliance experience, working alongside technical security resources (in-house or a vetted technical partner) who perform the hands-on vulnerability testing. The distinguishing feature of our approach is that the same governance and regulatory lens applied to your statutory audit and compliance work is applied consistently to the cyber assessment — not handed off between disconnected teams that never reconcile their findings.

Practitioner noteWe deliberately avoid the model where a purely technical vendor delivers a scanner printout and a separate compliance team is left to interpret its regulatory relevance months later. One accountable, CA-led team owns the assessment from scoping through the final Board presentation.
What is the realistic cost range for remediating the findings from a typical assessment?

This varies enormously depending on the number and severity of findings and whether remediation requires new tooling, additional headcount, or simply configuration changes to existing systems — there is no single realistic figure that applies broadly. What we commit to is giving you a specific, itemised, and honestly sequenced remediation roadmap with cost guidance per item, so you can make an informed prioritisation decision within your actual budget rather than facing an undifferentiated wall of findings.

Practitioner noteWe resist giving a generic remediation cost estimate before an assessment is even scoped, because doing so is either meaningless or misleading — the actual figure depends entirely on what we find, and we would rather under-promise a number upfront than anchor a client to an estimate that has no basis yet.
Does PNPC issue a formal certification that our systems are 'secure' after the assessment?

No. We provide our professional assessment, a documented gap analysis against the frameworks and regulations applicable to you, and a remediation roadmap — this is not equivalent to a formal ISO/IEC 27001 or SOC 2 Type II certification, which must be issued by an accredited certification body following its own separate, formal audit process. Where certification is the ultimate goal, our assessment is a strong preparatory step — closing the gaps we identify meaningfully improves your readiness for that formal certification audit.

Practitioner noteWe are explicit with every client that 'assessed by PNPC' and 'ISO 27001 certified' are different things carrying different evidentiary weight with different audiences — an investor's technical diligence team may accept our assessment report; a large enterprise procurement process may specifically require the formal accredited certification. We help clients understand which one their specific situation actually requires.
What if our business has already had a data breach — can PNPC help after the fact?

Yes. Post-incident, our role shifts to incident response coordination (including CERT-In reporting support within the applicable window where the incident is reportable), root-cause analysis of how the breach occurred, and a revised remediation roadmap informed by the actual incident rather than a hypothetical assessment. We also advise on any onward notification obligations to affected individuals or regulators that may apply depending on the nature of the data involved and applicable law.

Practitioner noteThe single most valuable thing we can do in a live incident is help leadership move quickly and correctly on the reporting timeline — the CERT-In 6-hour window is unforgiving, and decisions made in the first few hours of incident discovery materially affect both the regulatory outcome and the practical containment of the breach.
Is employee training and phishing-awareness part of this assessment?

A basic assessment of human-factor risk — whether staff have received any security awareness training, and whether policies like acceptable use and password practices are actually communicated and enforced, not just documented — is included as part of our governance review. Structured, ongoing phishing-simulation and security-awareness training programmes are typically scoped as a separate, recurring engagement (often delivered by a specialist training provider we can help you select), since that is an ongoing programme rather than a point-in-time assessment activity.

Practitioner noteHuman error and social engineering remain among the most common real-world breach vectors, arguably more so than sophisticated technical exploitation for most owner-managed businesses. We flag the absence of any security awareness programme as a material finding even though the recurring training itself sits outside this specific engagement's core scope.
How does this assessment interact with our statutory audit?

A structured cyber security assessment, with documented findings and evidence of remediation, can materially support your statutory auditor's evaluation of IT general controls and, where relevant, their assessment of going-concern and risk factors — auditors increasingly consider cyber risk as part of overall enterprise risk assessment. We design our report to be directly usable as supporting evidence in that context, since PNPC's assessment methodology applies the same rigour and documentation discipline as our audit work.

Practitioner noteWe have seen a well-documented, independent cyber assessment materially ease a statutory auditor's IT controls review in the year it was performed — auditors are naturally more comfortable when a structured, professional assessment already exists rather than having to raise the topic themselves as a fresh finding.
Can a very small startup with just a handful of employees still benefit from this, or is it overkill?

It can be genuinely useful even at a small scale if a real trigger exists — handling customer payment data through a payment gateway integration, applying for cyber insurance, or facing a first enterprise client's vendor questionnaire. For a very small team with no sensitive data and no near-term trigger, we would likely recommend a lighter security hygiene review rather than the full structured assessment, and we say so rather than defaulting to the larger, more expensive engagement.

Practitioner noteWe turn down or meaningfully right-size more engagements on this basis than clients might expect. Recommending a smaller, proportionate scope when that is genuinely what is needed is part of building the kind of long-term client relationship PNPC is built around, not a missed upsell opportunity.
Do you offer a fixed-fee retainer for ongoing cyber security advisory, or is every engagement a one-off project?

Both models are available. Many clients begin with a one-off structured assessment and then move to a periodic retainer — typically an annual reassessment cycle plus advisory availability when a new vendor, system, or regulatory question arises in between. We scope whichever structure fits your situation and are transparent about the trade-offs of each before you commit.

Practitioner noteWe generally recommend the retainer model for clients in regulated sectors (SEBI CSCRF, RBI-regulated entities) or those with an active, evolving technology footprint, since cyber risk in those situations genuinely does not stay static for a full year between one-off assessments.
Why PNPC Global
FeaturePure Penetration Testing VendorLarge Enterprise Cyber ConsultancyPNPC Global
Regulatory/Compliance TranslationLow — report speaks the language of CVSS scores, not IT Act/CERT-In/SEBI obligationsHigh, but often bundled at enterprise-scale pricing not proportionate to smaller businessesHigh — every finding mapped to the specific statutory/regulatory obligation, scoped proportionately to your size
Board/Leadership-Readable ReportingRarely a focus — technical audience onlyGenerally strong, as part of a broader advisory offeringLayered report — executive summary, regulatory gap analysis, and technical detail in one document
CERT-In Incident Readiness TestingNot typically assessedUsually covered, at enterprise engagement scope and costExplicitly tested — can you actually meet the 6-hour reporting window and 180-day log retention requirement
SEBI CSCRF / RBI Framework MappingNot typically addressedAvailable, usually as a large-scale dedicated engagementScoped precisely to your specific regulated-entity category where applicable
Statutory Audit & Governance FluencyNot applicable — pure technical vendorPresent, at large-firm scale and pricingNative — same CA firm that understands your audit, tax, and Board governance obligations
India-UAE CoordinationRare, unless specifically a cross-border security firmAvailable at large multinational firms, at correspondingly higher costNative — offices in Chennai, Bangalore, Hyderabad, and Dubai coordinate both sides as one engagement
Proportionate Scoping for Smaller BusinessesVaries — some vendors have fixed minimum packagesTypically scaled for large enterprise budgetsDeliberately right-sized — we recommend a smaller scope when that is genuinely what fits, not the largest engagement we could sell
Ongoing RelationshipProject-based, typically ends at report deliveryAvailable, at retainer pricingFrequently continues into an annual reassessment cadence or broader compliance/advisory retainer

What the PNPC package includes

  1. 01

    Scoping and regulatory mapping to confirm exactly which frameworks apply — IT Act/CERT-In baseline, SEBI CSCRF, RBI guidelines, or UAE cybersecurity requirements

  2. 02

    External and internal vulnerability assessment using recognised technical methodology

  3. 03

    Access control, identity governance, and privilege review — a frequent real-world breach source that automated scanners miss

  4. 04

    Policy and governance review, including drafting or updating an information security policy, incident response plan, and data retention policy where these are found missing

  5. 05

    Explicit CERT-In incident response readiness testing against the 6-hour reporting window and 180-day log retention requirement

  6. 06

    Business-impact-translated findings — every technical finding re-ranked by realistic business and regulatory risk, not CVSS score alone

  7. 07

    Layered report readable by your technical team, your Board, your statutory auditor, and your cyber insurer without requiring translation

  8. 08

    Prioritised, cost-guided remediation roadmap sequenced for realistic risk reduction per unit of effort

  9. 09

    Independent re-testing of critical and high findings after remediation to verify the fix actually closes the gap

  10. 10

    India-UAE coordinated assessment for group entities with cross-border data flows

  11. 11

    Direct access to your engagement CA — not a support ticket queue or a generic account manager

Speak directly with a PNPC Chartered Accountant who assesses cyber risk the way we assess financial risk — technically rigorous, regulator-literate, and translated into language your Board, your auditor, and your investors can actually act on.

← Back to Transformation & Tech
Talk to a CA