Transformation & Tech · IT Risk & Technology Assurance
Cyber & Information Security Assessments
Most cyber security assessments are written by technologists for technologists — long on vulnerability scan output, short on what the Board, the statutory auditor, or the regulator actually needs to see.
Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986
Most cyber security assessments are written by technologists for technologists — long on vulnerability scan output, short on what the Board, the statutory auditor, or the regulator actually needs to see. PNPC Global assesses your cyber security posture the way a practising CA firm assesses risk: technically rigorous, but translated into business impact, control gaps, financial exposure, and regulatory obligation — under the IT Act 2000, CERT-In directions, SEBI CSCRF (for listed and regulated entities), RBI guidelines (for NBFCs and regulated financial entities), and where relevant, UAE cybersecurity and data protection requirements. Since 1986 we have sat on the finance, audit, and governance side of hundreds of businesses; that is the vantage point that makes our cyber assessment different from a pure penetration-testing vendor's report — we tell you not just what is vulnerable, but what it means for your audit opinion, your Board's fiduciary duty, your cyber insurance renewal, and your next funding round.
What it costs
No hidden charges. The exact figure is set in your engagement letter.
A Cyber & Information Security Assessment, as delivered by PNPC Global, is a structured review of an organisation's technology environment, data handling practices, and information security controls, benchmarked against recognised frameworks (ISO/IEC 27001, NIST Cybersecurity Framework, CIS Controls) and against the specific statutory and regulatory obligations that apply to Indian (and, where relevant, UAE) entities. It typically includes a vulnerability assessment of external and internal-facing systems, a review of access controls and data governance practices, an evaluation of the organisation's incident response readiness, and a gap analysis against CERT-In's cyber security directions (issued under Section 70B of the IT Act 2000), which mandate incident reporting within 6 hours of detection for specified categories of cyber incidents, log retention for 180 days within Indian jurisdiction, and other obligations that apply broadly to bodies corporate operating in India.
The distinction from a pure technical penetration-testing engagement is where the assessment starts and what it is written for. A penetration test report is written for your IT team — a list of exploitable vulnerabilities ranked by CVSS score. PNPC's assessment is written for three audiences simultaneously: your technical team (who needs the vulnerability detail to remediate), your Board and leadership (who needs to understand business risk, financial exposure, and fiduciary obligation in plain language), and your compliance function (who needs to demonstrate to auditors, regulators, investors, or cyber insurers that a structured, documented assessment was performed and acted upon). For listed companies and market infrastructure institutions, SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) sets out specific structured requirements; for banks and NBFCs, RBI's cyber security framework and guidelines on outsourcing and IT governance apply; for most other bodies corporate, the IT Act 2000, the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, and CERT-In's directions form the baseline. Where the Digital Personal Data Protection Act, 2023 provisions and rules come into force and apply to a business's processing of personal data, data protection obligations layer on top of the cyber security assessment.
We deliberately assess cyber risk the way we assess financial risk — materiality-driven, control-focused, and documented in a way that survives scrutiny from a statutory auditor, an investor's technical due diligence team, or a regulator's examination. A vulnerability that a pure technical vendor rates 'medium' on a CVSS scale might be a 'high' business risk if it sits on the system that processes customer payment data or investor KYC records — and a 'low' technical finding might carry outsized reputational or contractual risk if it breaches a specific client's data-processing agreement. We assess both dimensions together, because a report that only speaks the language of vulnerability scanners is not one your Board, your auditor, or your cyber insurer can actually act on.
A cyber security assessment is distinct from — but closely related to — cyber insurance readiness, SOC 2 or ISO 27001 certification preparation, and Digital Personal Data Protection Act compliance advisory. Many clients engage PNPC for the assessment first, then use its findings as the foundation for a certification roadmap, an insurance application, or a formal data protection compliance programme, since the underlying control gaps identified are frequently the same across all three.
When a Cyber & Information Security Assessment adds real value
You have never had a structured, documented security assessment performed, and leadership, your Board, or an investor is now asking what your actual cyber risk exposure looks like
You are preparing for a funding round, acquisition, or major enterprise/government client contract, and technical due diligence or vendor security questionnaires are now a real part of the process
You process customer payment data, health records, investor KYC documents, or other sensitive personal data, and want to understand your obligations under the IT Act, SPDI Rules, and the Digital Personal Data Protection Act framework as it comes into force
You are applying for cyber insurance for the first time, or renewing a policy, and the insurer is requesting evidence of a security assessment and defined controls before underwriting
A CERT-In-reportable incident (or a near-miss) has occurred, or you want to establish incident response readiness proactively before one does — CERT-In directions require reporting within 6 hours of detection for specified incident categories
You are a listed company, market intermediary, bank, or NBFC subject to SEBI CSCRF or RBI cyber security guidelines, and need a structured assessment to demonstrate compliance to your Board and regulator
You are scaling technology infrastructure (new cloud environment, new SaaS vendors, new India-UAE data flows) and want a baseline security posture assessment before, not after, a breach forces the conversation
When this is not the right engagement
You need a specific, narrow technical penetration test of a single application with a fixed technical deliverable and no business/compliance translation layer — a specialist pen-testing vendor working to a fixed technical scope may be more cost-effective for that narrow need alone
You are looking for 24x7 Security Operations Centre (SOC) monitoring, managed detection and response, or continuous threat-hunting services — PNPC's assessment is a structured point-in-time (or periodic) review, not a continuous managed security service; we can recommend and coordinate with specialist MDR/SOC providers where that is the actual need
You need hands-on remediation — patching servers, rewriting insecure code, reconfiguring firewalls — PNPC identifies and prioritises the gaps; the technical remediation itself is typically performed by your in-house IT team or a technical implementation partner, which we can help you select and oversee
You are a very early-stage business with no customer data, no funding round in sight, and minimal technology footprint — a lighter-touch security hygiene review may be more proportionate than a full structured assessment at this stage
You require formal ISO/IEC 27001 or SOC 2 Type II certification audit services from an accredited certification body — PNPC can prepare you for that certification and identify gaps against the standard, but the formal certification audit itself must be performed by an accredited certification body, which is a separate, subsequent engagement
Approaches to cyber security assessment — how they compare
| Approach | Who Leads It | Business/Compliance Translation | Typical Deliverable | Best Suited For |
|---|---|---|---|---|
| Automated vulnerability scanner (self-run) | Internal IT team using an off-the-shelf scanning tool | None — raw technical output only, no business risk or regulatory framing | A list of flagged vulnerabilities with CVSS scores, unranked by business impact | Ongoing technical hygiene monitoring by an already-mature in-house IT/security team |
| Pure penetration testing vendor | Technical security specialists, engagement scoped narrowly to systems tested | Low — report is written for a technical audience, not the Board or auditor | Technical vulnerability report ranked by exploitability, limited business/regulatory context | Businesses that already have in-house or advisory-level compliance translation and only need the technical testing layer |
| Big-4 / large cyber consultancy | Large advisory firm's dedicated cyber practice | High, but typically at a cost structure scaled for large enterprise engagements | Comprehensive report with governance framing, often bundled with broader technology advisory | Large enterprises and listed companies with the budget and internal bandwidth for an enterprise-scale engagement |
| PNPC Cyber & Information Security Assessment | Practising CA firm, technically rigorous and compliance/business-literate | High — every finding translated into IT Act/CERT-In/SEBI CSCRF/RBI obligation, financial exposure, and Board-level language, scoped proportionately to your size | Assessment report readable by technical staff, the Board, your statutory auditor, and your cyber insurer, with a prioritised remediation roadmap | Owner-managed businesses, startups, and mid-sized enterprises across India and the UAE that need rigour without an enterprise-scale price tag |
| Do nothing / defer | No one | N/A | No documented assessment — exposure is unquantified and undocumented | Not a sustainable posture for any business handling customer data, seeking investment, or subject to sectoral regulation |
This table is directional. The right approach depends on your sector, regulatory obligations (SEBI CSCRF, RBI guidelines, or general IT Act/CERT-In baseline), technology footprint, and whether a specific trigger (funding round, insurance renewal, incident, contract requirement) is driving the engagement. A scoping conversation with a PNPC CA is the right starting point.
| # | Stage & What PNPC Does | Why This Matters (What Pure Technical Vendors Miss) | Timeline |
|---|---|---|---|
| 1 | Scoping & Regulatory Mapping — identifying which frameworks actually apply to you | We ask what a generic scanning vendor does not: are you a listed entity or market intermediary subject to SEBI CSCRF? A bank or NBFC subject to RBI cyber security guidelines? Do you process personal data at a scale that brings the Digital Personal Data Protection Act framework into clearer focus? Do you have a UAE entity with its own data protection obligations? These answers determine assessment scope and which control benchmarks apply — before any scan is run. | Week 1 |
| 2 | Asset & Data Inventory — mapping systems, data flows, and third-party vendors | We map not just your servers and applications but where sensitive data actually lives — customer PII, payment data, investor KYC, employee records — and which third-party SaaS vendors and cloud providers touch it. A technical scan of your infrastructure alone misses data sitting in an unassessed third-party tool that carries the same regulatory exposure. | Week 1–2 |
| 3 | External & Internal Vulnerability Assessment — technical scanning of internet-facing and internal systems | We run recognised scanning methodologies against your external attack surface (websites, APIs, exposed services) and, where in scope, internal network segments — but the technical output is only the starting point of our report, not the whole of it. | Week 2–3 |
| 4 | Access Control & Identity Review — who can access what, and how that access is governed | A vulnerability scan does not catch a departed employee's account still active six months later, or an admin-level credential shared across an entire team with no individual accountability. We review access provisioning, de-provisioning, and privilege escalation controls — a frequent source of real-world breaches that scanners do not detect. | Week 2–3, run in parallel with technical scanning |
| 5 | Policy & Governance Review — written information security policies, or the absence of them | We review (or note the absence of) an information security policy, an acceptable use policy, a data retention and disposal policy, a vendor risk management process, and a documented incident response plan. Regulators, auditors, and insurers ask for these documents by name — a technically secure environment with no written policy still fails that evidentiary test. | Week 3 |
| 6 | Incident Response Readiness Assessment — can you actually meet the CERT-In 6-hour reporting window? | CERT-In's directions under Section 70B of the IT Act require reporting of specified cyber incidents within 6 hours of detection, and mandate that ICT system logs be maintained and stored securely for a rolling period of 180 days within Indian jurisdiction. Most organisations without a prior structured assessment cannot actually meet this window because no one has defined who detects, who decides, and who reports. We test this readiness explicitly. | Week 3–4 |
| 7 | Regulatory Gap Analysis — mapping findings against IT Act, CERT-In, SEBI CSCRF, RBI guidelines, and DPDP Act as applicable | This is where a pure technical report stops short. We map every material finding to the specific statutory or regulatory obligation it relates to, so your Board and compliance function see not just 'this port is open' but 'this gap creates exposure under [specific regulatory obligation]'. | Week 4 |
| 8 | Risk Rating & Business Impact Translation — every finding scored for business, not just technical, severity | We re-rank findings by business materiality, not CVSS score alone — a medium-severity technical finding on a system holding customer payment data is treated as high priority; a critical-severity finding on an isolated, non-sensitive test environment is deprioritised accordingly. | Week 4–5 |
| 9 | Draft Report & Management Presentation — walked through with leadership, not just emailed | We present findings directly to founders, the Board, or the relevant leadership function — explaining what each finding means in plain business language, what the realistic remediation cost and timeline look like, and which findings are genuinely urgent versus which can be sequenced over a longer roadmap. | Week 5 |
| 10 | Prioritised Remediation Roadmap — sequenced by risk, dependency, and cost | We do not hand over an undifferentiated list of 40 findings and leave you to sequence it. We sequence remediation by realistic risk reduction per unit of effort and cost, so limited budget and IT bandwidth are spent on the highest-impact items first. | Week 5–6 |
| 11 | Policy & Documentation Support — drafting or updating the written policies your assessment identified as missing | Where the assessment identifies missing or outdated policies (information security policy, incident response plan, data retention policy, vendor risk management process), PNPC drafts or substantially updates these documents as part of the engagement, rather than simply flagging their absence and leaving you to draft them. | Week 6–8, scoped per client need |
| 12 | Remediation Verification — re-testing after fixes are implemented | A finding marked 'remediated' by an internal team without independent verification is a common source of false assurance. We re-test critical and high findings after remediation is reported complete, to confirm the fix actually closes the gap rather than merely masking the symptom. | 4–8 weeks after remediation begins, scoped per finding |
| 13 | Ongoing Advisory — periodic reassessment and readiness for the next milestone | Cyber risk is not a one-time assessment. New vendors, new cloud environments, regulatory updates (DPDP Act rules coming into force, CERT-In direction updates, SEBI CSCRF revisions), and business growth events (funding round, new UAE entity, new product line) each warrant a reassessment. We recommend a periodic cadence rather than treating the first assessment as a permanent state of assurance. | Recommended annually, or at major milestones — PNPC on call |
Realistic end-to-end timeline for a full assessment: 5–8 weeks from scoping to final report and remediation roadmap for a mid-sized single-entity business; shorter for a narrowly scoped assessment, longer for multi-entity or India-UAE scope with SEBI CSCRF or RBI-regulated obligations layered in. Remediation verification and policy drafting are typically scoped as a follow-on phase after the initial assessment concludes.
Confirmation of entity type and sector — listed company, market intermediary, bank/NBFC, general body corporate, or UAE entity — to determine which regulatory framework (SEBI CSCRF, RBI guidelines, general IT Act/CERT-In baseline, UAE cybersecurity requirements) applies
List of jurisdictions in which the business operates and processes data, including any UAE or other overseas entity
Any existing cyber insurance policy, including the insurer's questionnaire or renewal requirements, if this assessment is being driven by an insurance application or renewal
Details of any prior security incident, near-miss, or regulatory notice received, even informally described
List of all internet-facing systems — website, customer portal, APIs, any publicly accessible applications — including hosting provider and domain details
Network architecture overview or diagram, even if informal — internal segments, cloud environments (AWS/Azure/GCP), on-premise infrastructure
List of all SaaS vendors and third-party tools that store or process business or customer data (accounting software, CRM, HR/payroll systems, communication tools)
Inventory of endpoints (laptops, servers, mobile devices) and whether they are centrally managed (MDM/endpoint protection) or unmanaged
Description of what categories of sensitive data the business collects, stores, or processes — customer PII, payment card data, health records, investor KYC, employee data
Current access control approach — who has administrative access to key systems, and whether access is reviewed periodically
Any existing data retention or data disposal practice, formal or informal
List of employees or contractors who have left in the past 12 months and confirmation of whether their system access was formally revoked
Any existing information security policy, acceptable use policy, or IT usage guidelines, even in draft form
Any existing incident response plan or breach notification procedure
Any existing vendor risk management process or third-party due diligence checklist used when onboarding new SaaS/technology vendors
Any prior security assessment, penetration test report, or audit finding related to technology or data security
A plain-language statement of what triggered this assessment — funding round, insurance application, client/vendor security questionnaire, incident, proactive governance, or regulatory requirement
Any specific client, investor, or regulator deadline this assessment needs to meet
Growth plans for the next 12–24 months (new markets, new data types, new UAE or overseas operations) that the assessment scope should anticipate
Budget range available for remediation, so the roadmap PNPC proposes is realistic rather than aspirational
For listed companies/market intermediaries: prior SEBI CSCRF compliance documentation, Board-approved cyber security policy, and details of the designated Chief Information Security Officer (CISO) or equivalent role, where applicable
For banks/NBFCs: prior RBI cyber security framework self-assessment, IT outsourcing policy, and Board IT Strategy Committee minutes, where applicable
For UAE entities: details of any UAE data protection or cybersecurity registration/compliance already undertaken (relevant free zone or federal requirements), and the UAE entity's own data flows to/from India
| Phase | Triggered By | PNPC CA Guidance | Risk If Ignored |
|---|---|---|---|
| Initial Assessment (Week 1–6) | First structured review, or a specific trigger (funding, insurance, contract, incident) | Scoping and regulatory mapping, technical vulnerability assessment, access and governance review, business-impact-translated report with prioritised remediation roadmap. | Undocumented, unquantified cyber risk; inability to answer investor/insurer/regulator questions about security posture with evidence. |
| Remediation (Month 2–4) | Assessment findings accepted and prioritised | Sequenced remediation roadmap by risk and cost; policy and documentation drafting for identified gaps; coordination with your internal IT team or a technical implementation partner. | Findings acknowledged but not acted upon — the single most common reason an assessment fails to reduce actual risk, and a poor look if surfaced later in due diligence or a regulatory examination. |
| Verification (Month 3–5) | Remediation reported complete by internal/technical team | Independent re-testing of critical and high findings to confirm the fix actually closes the gap, not merely masks the symptom. | False assurance — a finding marked 'fixed' internally without independent verification can remain exploitable, discovered only during an actual incident or a subsequent formal audit. |
| Incident Readiness Drill | Post-remediation, or proactively at any stage | Testing whether the organisation can actually meet the CERT-In 6-hour reporting window for specified incident categories — who detects, who decides, who reports, and to whom. | A real incident is the wrong time to discover that no one knows the reporting obligation exists, or that log retention does not meet the 180-day requirement under CERT-In directions. |
| Certification Roadmap (If Pursued) | Business decides to pursue ISO/IEC 27001 or SOC 2 Type II certification | Gap analysis against the specific certification standard, building on the initial assessment's findings; coordination toward engaging an accredited certification body for the formal audit. | Pursuing certification without addressing the underlying control gaps identified in the initial assessment typically results in a failed or significantly delayed certification audit. |
| Funding Round / Due Diligence Event | Term sheet or acquisition interest | Assessment report and remediation evidence packaged for technical due diligence; gap closure on any finding likely to surface as a diligence red flag. | Unaddressed security findings surfacing for the first time during investor technical due diligence can delay, reprice, or in serious cases derail a funding round. |
| Recurring Reassessment | Annual, or at major milestones (new vendor, new cloud environment, new entity, regulatory update) | Periodic reassessment scoped to what has changed since the last review — new SaaS vendors, new data types, DPDP Act rule updates, SEBI CSCRF or RBI guideline revisions. | A point-in-time assessment that is never repeated becomes stale; new vendors and new data flows introduce risk that the original assessment never covered. |
| Post-Incident Review | An actual security incident occurs | Incident response coordination, CERT-In reporting support within the 6-hour window where applicable, root-cause analysis, and revised remediation roadmap informed by what actually happened. | Inadequate or delayed incident response and reporting compounds regulatory exposure on top of the underlying breach, and a poorly documented incident response can itself become a compliance finding. |
What exactly does a Cyber & Information Security Assessment from a CA firm cover — is this the same as a penetration test?
It includes technical vulnerability assessment (similar in method to what a penetration testing vendor performs), but goes further — access control review, policy and governance review, incident response readiness, and a regulatory gap analysis mapping findings to the IT Act 2000, CERT-In directions, and where applicable SEBI CSCRF or RBI guidelines. A pure penetration test report is written for your IT team; our assessment is written to also be usable by your Board, your statutory auditor, and your cyber insurer.
We are a small business with no dedicated IT team. Is this assessment relevant at our scale?
Often yes, if a real trigger exists — you process customer payment data, you are applying for cyber insurance, an enterprise client's vendor security questionnaire now requires evidence of an assessment, or you are raising a funding round. For a genuinely early-stage business with minimal technology footprint and no customer data at risk, a lighter-touch security hygiene review may be more proportionate, and we will recommend that scope rather than oversell a larger engagement.
What is CERT-In, and what are the reporting obligations under its directions?
CERT-In (the Indian Computer Emergency Response Team) is the national nodal agency for cyber security incident response, operating under Section 70B of the Information Technology Act, 2000. Its directions issued in 2022 require reporting of specified categories of cyber security incidents to CERT-In within 6 hours of detection or being brought to notice, and mandate that service providers, intermediaries, data centres, body corporates, and government organisations maintain and securely store specified ICT system logs for a rolling period of 180 days, within Indian jurisdiction. Specific incident categories covered are set out in the directions and include events such as data breaches, ransomware attacks, and unauthorised access to critical systems, among others.
Does the Digital Personal Data Protection Act, 2023 (DPDP Act) apply to our business, and how does that relate to this assessment?
The DPDP Act, 2023 establishes a framework for the processing of digital personal data in India, with obligations on 'Data Fiduciaries' (broadly, entities that determine the purpose and means of processing personal data) around consent, purpose limitation, data security safeguards, and breach notification. Applicability and the detailed compliance timeline depend on the rules and notifications issued to bring specific provisions into force, and businesses should verify current applicability rather than assume a fixed effective date. Where the Act's provisions apply to your data processing, the security safeguards required overlap substantially with the control areas our cyber security assessment already covers — access control, data governance, incident response, and breach notification readiness.
We are a listed company. Does SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF) apply to us, and how does PNPC address it?
SEBI's CSCRF applies to specified categories of SEBI-regulated entities, including listed companies (in specified categories), market infrastructure institutions, and various intermediaries, and sets out structured requirements around governance, identification of critical systems, protection, detection, response, and recovery, along with reporting obligations. Applicability varies by the specific category of regulated entity, so the first step in our engagement for any SEBI-regulated client is confirming exactly which CSCRF requirements apply to your specific entity category. We map our assessment findings directly against the applicable CSCRF requirements so your Board and compliance officer can demonstrate structured compliance.
We are an NBFC/bank. What does RBI expect regarding cyber security?
RBI has issued cyber security frameworks and guidelines applicable to banks and, separately, to NBFCs, covering governance (Board-level oversight, often through an IT Strategy Committee), risk management, IT outsourcing due diligence, and incident reporting expectations. The specific requirements and thresholds vary by the category and scale of the regulated entity. Our assessment for RBI-regulated clients maps findings against the applicable RBI framework and helps prepare the documentation your Board and RBI examination process will expect to see.
How long does a Cyber & Information Security Assessment take?
A full assessment — scoping, technical testing, access and governance review, regulatory gap analysis, and a prioritised remediation roadmap — typically takes 5–8 weeks for a mid-sized single-entity business. A narrower, specifically scoped assessment (for example, addressing a single insurer's questionnaire) can be completed faster. Multi-entity engagements, or those layering in SEBI CSCRF or RBI-specific requirements, typically take longer. Remediation verification is a separate follow-on phase after the initial report.
What frameworks do you assess against — ISO 27001, NIST, something else?
We benchmark against internationally recognised frameworks — principally ISO/IEC 27001 control domains, the NIST Cybersecurity Framework, and CIS Controls — while layering in the specific statutory and regulatory obligations that actually apply to your entity under Indian law (IT Act 2000, CERT-In directions, SEBI CSCRF, RBI guidelines as applicable) and, for UAE entities, relevant UAE cybersecurity and data protection requirements. The framework blend is scoped to your sector and regulatory profile rather than applied as a single fixed checklist.
Can this assessment help us get cyber insurance, or get a better premium?
Yes, this is a common and specific trigger for engaging us. Cyber insurers increasingly request evidence of a structured security assessment, documented policies, and defined incident response readiness before underwriting or renewing a policy, and a demonstrably lower-risk posture can support more favourable terms. We scope the assessment to directly address the specific questionnaire or evidentiary requirements your insurer or broker has requested, where that is the driving trigger.
We are preparing for a funding round. Will investors actually ask about our cyber security posture?
Increasingly, yes — technical and security due diligence is now a standard component of institutional investor diligence, particularly for businesses handling customer data, payment information, or operating in regulated sectors. A documented, structured cyber security assessment with an accompanying remediation roadmap materially improves the diligence experience and reduces the risk of last-minute findings that delay or reprice a term sheet.
What does the assessment actually cost, and how is PNPC's fee structured?
Fees depend on scope — the number of systems and data flows in scope, the depth of technical testing required, whether SEBI CSCRF/RBI-specific mapping is needed, and whether policy drafting and remediation verification are included. We provide a written scope and fee proposal before any engagement begins; there is no fixed published price because the right scope varies significantly with business size, sector, and regulatory profile.
Do you perform the actual technical penetration testing yourselves, or subcontract it?
Our engagement combines PNPC-led scoping, business/regulatory translation, governance and policy review, and reporting, together with technical vulnerability testing performed to recognised methodology — either by our own technical resources or through a vetted technical testing partner, depending on the depth and specialisation the engagement requires (for example, specialised mobile application or IoT testing may call in a particular specialist). Regardless of who performs the technical testing component, PNPC leads the engagement, owns the regulatory mapping, and presents the final report and roadmap.
What is the difference between a vulnerability assessment and a penetration test, and which does PNPC perform?
A vulnerability assessment identifies and catalogues known weaknesses (misconfigurations, unpatched software, weak access controls) typically using automated scanning tools supplemented by manual review. A penetration test goes further — actively attempting to exploit identified vulnerabilities to demonstrate real-world impact, typically performed manually by a skilled tester. Our standard assessment includes a vulnerability assessment as a core component; deeper penetration testing (including exploitation) is scoped as an additional layer where the engagement's risk profile and budget justify it — we recommend the right depth rather than defaulting to the most expensive option.
Will the assessment disrupt our live systems or cause downtime?
We scope technical testing to minimise disruption risk — typically scheduling any testing likely to have production impact during low-traffic windows, and using non-destructive testing methodologies for production systems by default. Where deeper, potentially disruptive testing (such as certain exploitation techniques) is in scope, we agree this explicitly with you in advance, including timing and rollback expectations, rather than running it without prior agreement.
What happens if the assessment finds a critical vulnerability that is actively being exploited right now?
If we identify evidence of an active, ongoing compromise during the assessment — as opposed to a theoretical vulnerability — we notify you immediately, outside the normal reporting timeline, so you can begin incident response without waiting for the full assessment report. Where the incident meets CERT-In's reportable categories, we advise on the reporting obligation and timeline immediately.
Do you provide a written report, and who is it addressed to?
Yes — a written report structured in layers: an executive summary for the Board/leadership in plain business language, a regulatory gap analysis mapped to applicable frameworks, a detailed technical findings section for your IT team, and a prioritised remediation roadmap with realistic sequencing and cost guidance. The report is designed to be usable directly with your statutory auditor, your cyber insurer, or an investor's due diligence team without requiring translation.
How does PNPC prioritise which findings to fix first?
We rank findings by business materiality, not technical severity score alone — factoring in what data or system the vulnerability exposes, how easily it could realistically be exploited, what regulatory or contractual obligation it relates to, and the realistic cost and effort to remediate. A technically 'critical' finding on an isolated test environment with no sensitive data may be deprioritised below a 'medium' finding on a system processing customer payment data.
Can PNPC help us actually fix the issues the assessment identifies, or only diagnose them?
We do not perform hands-on technical remediation ourselves (patching servers, rewriting code, reconfiguring infrastructure) — that work is typically done by your in-house IT team or a technical implementation partner. What PNPC does provide is the prioritised roadmap, guidance on what 'good' looks like for each finding, drafting or updating of the policy and governance documents the assessment identifies as missing, and independent re-testing to verify that reported remediation actually closes the gap.
How often should a business repeat this assessment?
We generally recommend an annual reassessment as a baseline, with an additional review triggered by significant change events — a new major SaaS vendor or cloud environment, a new UAE or overseas entity, a funding round or acquisition, or a relevant regulatory update (new CERT-In direction, SEBI CSCRF revision, DPDP Act rules coming into force). A one-time assessment that is never repeated becomes stale as your technology environment and the regulatory landscape both evolve.
We already have an in-house IT/security team. Is an external assessment still worth it?
Yes, frequently — an independent, external assessment provides a second opinion that internal teams, however skilled, cannot fully replicate for themselves, both because of genuine blind spots and because Boards, auditors, investors, and insurers generally place more evidentiary weight on an independent assessment than on an internal team's self-assessment. In these engagements, PNPC often works collaboratively with the internal team rather than duplicating their day-to-day work — validating their existing controls and identifying gaps they may not have prioritised.
We operate in both India and the UAE. How does PNPC handle cross-border data and security considerations?
With offices in Chennai, Bangalore, Hyderabad, and Dubai, we assess both the Indian entity's obligations (IT Act, CERT-In, SEBI CSCRF or RBI guidelines where applicable, and the DPDP Act as it comes into force) and the UAE entity's cybersecurity and data protection obligations, plus the cross-border data flow between them, as a single coordinated assessment rather than two disconnected reviews handled by unrelated firms in each jurisdiction.
What is the difference between this service and PNPC's Digital Transformation Advisory?
Digital Transformation Advisory is broader — it covers technology roadmap planning, ERP/accounting software selection, and finance/compliance process design, with basic access-control and data-governance hygiene addressed as one component of that broader control design. Cyber & Information Security Assessment is a focused, deeper review specifically of your security posture, technical vulnerabilities, and regulatory cyber obligations. In practice, the two are complementary — a Digital Transformation Advisory engagement will often flag the need for a dedicated cyber assessment, and a cyber assessment's findings frequently inform a subsequent technology roadmap.
Does the assessment cover cloud environments (AWS, Azure, GCP), or only on-premise infrastructure?
Yes — cloud environment configuration is a core component of the assessment for any business using cloud infrastructure, given how common cloud misconfiguration (overly permissive storage bucket access, exposed management consoles, weak identity and access management configuration) is as a real-world breach cause. We review cloud configuration against the relevant cloud provider's security best practices and the same regulatory framework applied to the rest of the assessment.
Can this assessment help us respond to a specific client's or partner's vendor security questionnaire?
Yes — this is a common and specific trigger. Enterprise and institutional clients increasingly require vendor security questionnaires or SOC 2/ISO 27001 evidence before onboarding a new supplier. We can scope the assessment specifically to generate the evidence and documentation your counterparty's questionnaire requires, rather than a full generic assessment, where that is the actual driving need.
Who at PNPC actually delivers this assessment — is it a CA, or a separate technology team?
The engagement is led by a practising Chartered Accountant with governance, risk, and compliance experience, working alongside technical security resources (in-house or a vetted technical partner) who perform the hands-on vulnerability testing. The distinguishing feature of our approach is that the same governance and regulatory lens applied to your statutory audit and compliance work is applied consistently to the cyber assessment — not handed off between disconnected teams that never reconcile their findings.
What is the realistic cost range for remediating the findings from a typical assessment?
This varies enormously depending on the number and severity of findings and whether remediation requires new tooling, additional headcount, or simply configuration changes to existing systems — there is no single realistic figure that applies broadly. What we commit to is giving you a specific, itemised, and honestly sequenced remediation roadmap with cost guidance per item, so you can make an informed prioritisation decision within your actual budget rather than facing an undifferentiated wall of findings.
Does PNPC issue a formal certification that our systems are 'secure' after the assessment?
No. We provide our professional assessment, a documented gap analysis against the frameworks and regulations applicable to you, and a remediation roadmap — this is not equivalent to a formal ISO/IEC 27001 or SOC 2 Type II certification, which must be issued by an accredited certification body following its own separate, formal audit process. Where certification is the ultimate goal, our assessment is a strong preparatory step — closing the gaps we identify meaningfully improves your readiness for that formal certification audit.
What if our business has already had a data breach — can PNPC help after the fact?
Yes. Post-incident, our role shifts to incident response coordination (including CERT-In reporting support within the applicable window where the incident is reportable), root-cause analysis of how the breach occurred, and a revised remediation roadmap informed by the actual incident rather than a hypothetical assessment. We also advise on any onward notification obligations to affected individuals or regulators that may apply depending on the nature of the data involved and applicable law.
Is employee training and phishing-awareness part of this assessment?
A basic assessment of human-factor risk — whether staff have received any security awareness training, and whether policies like acceptable use and password practices are actually communicated and enforced, not just documented — is included as part of our governance review. Structured, ongoing phishing-simulation and security-awareness training programmes are typically scoped as a separate, recurring engagement (often delivered by a specialist training provider we can help you select), since that is an ongoing programme rather than a point-in-time assessment activity.
How does this assessment interact with our statutory audit?
A structured cyber security assessment, with documented findings and evidence of remediation, can materially support your statutory auditor's evaluation of IT general controls and, where relevant, their assessment of going-concern and risk factors — auditors increasingly consider cyber risk as part of overall enterprise risk assessment. We design our report to be directly usable as supporting evidence in that context, since PNPC's assessment methodology applies the same rigour and documentation discipline as our audit work.
Can a very small startup with just a handful of employees still benefit from this, or is it overkill?
It can be genuinely useful even at a small scale if a real trigger exists — handling customer payment data through a payment gateway integration, applying for cyber insurance, or facing a first enterprise client's vendor questionnaire. For a very small team with no sensitive data and no near-term trigger, we would likely recommend a lighter security hygiene review rather than the full structured assessment, and we say so rather than defaulting to the larger, more expensive engagement.
Do you offer a fixed-fee retainer for ongoing cyber security advisory, or is every engagement a one-off project?
Both models are available. Many clients begin with a one-off structured assessment and then move to a periodic retainer — typically an annual reassessment cycle plus advisory availability when a new vendor, system, or regulatory question arises in between. We scope whichever structure fits your situation and are transparent about the trade-offs of each before you commit.
| Feature | Pure Penetration Testing Vendor | Large Enterprise Cyber Consultancy | PNPC Global |
|---|---|---|---|
| Regulatory/Compliance Translation | Low — report speaks the language of CVSS scores, not IT Act/CERT-In/SEBI obligations | High, but often bundled at enterprise-scale pricing not proportionate to smaller businesses | High — every finding mapped to the specific statutory/regulatory obligation, scoped proportionately to your size |
| Board/Leadership-Readable Reporting | Rarely a focus — technical audience only | Generally strong, as part of a broader advisory offering | Layered report — executive summary, regulatory gap analysis, and technical detail in one document |
| CERT-In Incident Readiness Testing | Not typically assessed | Usually covered, at enterprise engagement scope and cost | Explicitly tested — can you actually meet the 6-hour reporting window and 180-day log retention requirement |
| SEBI CSCRF / RBI Framework Mapping | Not typically addressed | Available, usually as a large-scale dedicated engagement | Scoped precisely to your specific regulated-entity category where applicable |
| Statutory Audit & Governance Fluency | Not applicable — pure technical vendor | Present, at large-firm scale and pricing | Native — same CA firm that understands your audit, tax, and Board governance obligations |
| India-UAE Coordination | Rare, unless specifically a cross-border security firm | Available at large multinational firms, at correspondingly higher cost | Native — offices in Chennai, Bangalore, Hyderabad, and Dubai coordinate both sides as one engagement |
| Proportionate Scoping for Smaller Businesses | Varies — some vendors have fixed minimum packages | Typically scaled for large enterprise budgets | Deliberately right-sized — we recommend a smaller scope when that is genuinely what fits, not the largest engagement we could sell |
| Ongoing Relationship | Project-based, typically ends at report delivery | Available, at retainer pricing | Frequently continues into an annual reassessment cadence or broader compliance/advisory retainer |
What the PNPC package includes
- 01
Scoping and regulatory mapping to confirm exactly which frameworks apply — IT Act/CERT-In baseline, SEBI CSCRF, RBI guidelines, or UAE cybersecurity requirements
- 02
External and internal vulnerability assessment using recognised technical methodology
- 03
Access control, identity governance, and privilege review — a frequent real-world breach source that automated scanners miss
- 04
Policy and governance review, including drafting or updating an information security policy, incident response plan, and data retention policy where these are found missing
- 05
Explicit CERT-In incident response readiness testing against the 6-hour reporting window and 180-day log retention requirement
- 06
Business-impact-translated findings — every technical finding re-ranked by realistic business and regulatory risk, not CVSS score alone
- 07
Layered report readable by your technical team, your Board, your statutory auditor, and your cyber insurer without requiring translation
- 08
Prioritised, cost-guided remediation roadmap sequenced for realistic risk reduction per unit of effort
- 09
Independent re-testing of critical and high findings after remediation to verify the fix actually closes the gap
- 10
India-UAE coordinated assessment for group entities with cross-border data flows
- 11
Direct access to your engagement CA — not a support ticket queue or a generic account manager
Speak directly with a PNPC Chartered Accountant who assesses cyber risk the way we assess financial risk — technically rigorous, regulator-literate, and translated into language your Board, your auditor, and your investors can actually act on.