ISNP Audit Prerequisite Checklist
Insurance Self-Networking Platform (ISNP) audits fail most often because the customer doesn't have the evidence pack ready when the auditor arrives. This checklist lists everything an IRDAI auditor expects to find on day-1 of the engagement — so you spend audit time on findings, not on hunting for documents.
The Checklist
Documentation pack (have ready on day 1)
- IRDAI registration / ISNP authorisation letter
- Latest annual return filed with IRDAI
- Information security policy signed by CEO / board
- Privacy notice (customer-facing) with last review date
- Data classification policy + applied labels
- Acceptable use policy for employees and agents
- Vendor risk management policy + active vendor register
ISNP scope inventory
- Diagram of customer-facing app(s), agent / POSP portal, admin / underwriting console, claims, payment flows
- Integration diagram with each insurer (API contracts, data fields, frequency)
- Data-flow map for policyholder PII and policy data
- List of third-parties handling customer data (TPAs, KYC providers, payment gateway, hosting)
- Insurance product catalogue served via the ISNP
Technical security evidence
- VAPT report from CERT-In Empanelled auditor < 12 months, with closure evidence
- Penetration test scope including customer app, agent portal, admin console, APIs
- MFA enforcement on all admin / agent / underwriter access
- Encryption inventory: data-at-rest, data-in-transit, key management
- Endpoint protection rollout report on employee + admin devices
- Email security (SPF/DKIM/DMARC) and advanced threat-protection evidence
Data localisation evidence
- Hosting infrastructure evidence (region, AZ) for customer data
- Payment data localisation evidence per RBI requirements (where applicable)
- Backup location evidence (within India for regulated data classes)
- DPA agreements with hosting providers (AWS / Azure / GCP India regions)
- Cross-border data-flow evidence — explicit business justification + consent
Operational controls
- Joiners / Movers / Leavers process evidence (last quarter sample)
- Quarterly access reviews of admin / agent users
- Patch management evidence (scanner + remediation tickets)
- Incident management runbook + incident register
- Phishing simulation report (last quarter)
- Customer-grievance redressal SLA + monthly reports
Business continuity
- BCP document with named owners and last review date < 12 months
- DR fire-drill report — full failover, timed against RTO/RPO
- Backup-restore test evidence (last quarter)
- Vendor concentration risk assessment (single-cloud, single-KYC, single-payment-gateway exposure)
Frequently asked questions
Who needs an ISNP audit?
Any entity operating a digital insurance distribution platform under IRDAI's ISNP regulations — including direct ISNPs, web aggregators, online insurance brokers, POSP platforms and insurer-run online platforms. Annual cybersecurity audit is mandatory.
Is a CERT-In Empanelled auditor required?
Yes — IRDAI relies on CERT-In's empanelment list. Audit reports signed by non-empanelled auditors are typically rejected during IRDAI inspections.
How long does a full ISNP audit take?
Mid-sized ISNP: 4-6 weeks (gap-assessment + VAPT + reporting + 30-day re-test). Larger multi-product platforms: 8-10 weeks. Having this checklist's evidence ready saves 1-2 weeks.
Does the audit cover POSP and bancassurance flows?
Yes — POSP, bancassurance, broker and aggregator distribution channels are all in-scope. Each channel has its own data-flow + control review.
What's the most common reason ISNP audits fail?
Inadequate logging on policy modifications and claim approvals. IRDAI inspectors look for who approved what, when, with what justification — and 60%+ of platforms can't evidence this.
Need help executing this?
Talk to Digital Defense — India's CERT-In Empanelled cybersecurity team.
Book a consultationDigital Defense
Online | Typically replies instantly
Hi there! 👋 Welcome to Digital Defense. I'm here to help you with your cybersecurity needs. How can I assist you today?