Knowledge Center / CERT-In Audit Policy
CERT-In, MeitY · India

CERT-In Comprehensive Cyber Security Audit

Cyber security audit under CERT-In’s 2025 audit policy guidelines.

Introduction: The CERT-In Comprehensive Cyber Security Audit

The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), is the national nodal agency for responding to computer security incidents under Section 70B of the Information Technology Act, 2000. A CERT-In Comprehensive Cyber Security Audit is a structured, evidence-driven assessment of an organisation's information technology infrastructure, applications, networks, cloud environments and processes against recognised security baselines, conducted by an auditing organisation empanelled by CERT-In. It is not merely a vulnerability scan; it is a holistic examination of technical controls, governance, incident readiness and regulatory conformance that produces an auditor's opinion and a prioritised remediation roadmap.

This guide is written for two audiences simultaneously. For the auditor, it lays out the assessment methodology, the control-by-control verification steps, and the specific evidence to demand and inspect. For the implementer, it explains what to build, harden and document so that an audit passes on the first attempt. Throughout, we anchor the guidance to the real CERT-In instruments that give the audit its authority: the CERT-In Directions dated 28 April 2022 issued under Section 70B(6), the Guidelines on Information Security Practices for Government Entities (2023), the CERT-In empanelment framework for security auditing organisations, and the sector-specific mandates issued by the RBI, SEBI, UIDAI, NPCI, PFRDA and IFSCA that require CERT-In-empanelled audits.

Copyright and source note
CERT-In directions, guidelines and advisories are Government of India instruments published by MeitY. This guide is original explanatory content prepared by CyberSigma and does not reproduce the copyrighted text of CERT-In directions, RBI/SEBI/UIDAI/NPCI circulars, or any licensed standard such as ISO/IEC 27001 or the PCI DSS. Always refer to the authoritative source documents (cert-in.org.in and the respective regulator portals) for binding requirements. Control identifiers and clause numbers cited here are provided for navigation and mapping and must be verified against the current published versions.

What is the CERT-In Audit Policy

The 'CERT-In Audit Policy' is the collective framework of directions, guidelines, empanelment rules and audit methodology under which cyber security audits are commissioned and delivered in India when CERT-In empanelment is required. It has four interlocking layers.

  • Legal basis: Section 70B of the IT Act, 2000 empowers CERT-In to call for information, issue directions, and require audits. The IT (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 operationalise this.
  • Binding directions: The CERT-In Directions of 28 April 2022 mandate 180-day log retention within Indian jurisdiction, synchronisation of all ICT system clocks to NPL/NIC NTP servers, mandatory reporting of 20 categories of cyber incidents within 6 hours of noticing, KYC and record-keeping for data centres/VPS/cloud/VPN providers, and specific record-keeping for virtual asset service providers.
  • Guidelines: The CERT-In Guidelines on Information Security Practices for Government Entities (June 2023) provide baseline controls across governance, network, application, cloud, endpoint, identity, data and third-party security, and are widely used as the audit baseline for public-sector and CII-adjacent entities.
  • Empanelment and methodology: CERT-In maintains a panel of empanelled Information Security Auditing Organisations. An audit under this policy follows a defined lifecycle - scoping, information gathering, vulnerability assessment, penetration testing, configuration and process review, reporting, and re-audit/closure verification.

An audit conducted under this policy typically covers vulnerability assessment and penetration testing (VAPT) of externally and internally exposed assets, secure configuration review, source code and application security review, cloud security posture review, network architecture review, and a governance/process review mapped to the directions and any applicable sectoral circular. The deliverable is a signed audit report with a risk-rated findings register, evidence annexures, and a closure/re-audit certificate once high and critical findings are remediated.

Who must comply

CERT-In-empanelled cyber security audits are mandatory or strongly expected for a broad set of organisations, driven either by the CERT-In directions directly or by sector regulators who cite CERT-In empanelment in their own circulars.

Entity / sectorTrigger for CERT-In auditGoverning instrument
All body corporates, government and service providers in IndiaIncident reporting, log retention (180 days in India), NTP syncCERT-In Directions, 28 April 2022 (S.70B)
Government entities and ministries/departmentsBaseline security controls and periodic auditCERT-In Guidelines for Government Entities, 2023
Banks, NBFCs, cooperative banks, payment operatorsAnnual VAPT and IS audit by CERT-In-empanelled auditorRBI Cyber Security Framework 2016; RBI Master Direction on IT Governance 2023
Stock brokers, depository participants, market infra (MIIs)Systems audit and VAPT before go-live and periodicallySEBI CSCRF 2024; SEBI Cyber Security & Cyber Resilience circulars
AUA/KUA and Aadhaar ecosystem entitiesAadhaar data vault and security audit by empanelled auditorUIDAI Aadhaar Data Security regulations / circulars
Banks and members connecting to UPI/IMPS/NFS/RuPayCertification and security audit of switch and appsNPCI security compliance and certification circulars
Pension fund intermediaries (CRA, PoP, aggregators)Periodic IS audit and VAPTPFRDA cyber security and systems audit circulars
IFSC (GIFT City) regulated entitiesCyber security framework compliance and auditIFSCA cyber security and resilience framework
Data centres, VPS, cloud and VPN service providersKYC, 5-year record retention, incident cooperationCERT-In Directions, 28 April 2022
Virtual asset / crypto exchanges and custodians5-year transaction and KYC record retentionCERT-In Directions, 28 April 2022
Critical Information Infrastructure (CII) operatorsAudit and reporting to NCIIPC in addition to CERT-InIT Act S.70; NCIIPC guidelines

Structure of the CERT-In Audit Policy

For audit execution, the framework is best expressed as a set of control domains, each decomposed into control families and individual verifiable controls. The table below sets out the domain structure CyberSigma uses to organise a CERT-In-empanelled comprehensive audit; it aligns the CERT-In directions and government guidelines with the technical assessment areas an empanelled auditor must cover.

Domain codeDomainRepresentative control families
D1Governance, Risk & ComplianceSecurity policy, risk management, asset inventory, roles, exception management
D2Incident Response & Reporting6-hour reporting, IR plan, playbooks, forensic readiness, CERT-In liaison
D3Logging, Monitoring & Time Sync180-day log retention in India, NTP to NPL/NIC, SIEM, correlation, alerting
D4Identity & Access ManagementAuthentication, MFA, privileged access, joiner-mover-leaver, RBAC, KYC
D5Network SecuritySegmentation, firewall rules, IPS/IDS, secure remote access, DDoS protection
D6Endpoint & Server HardeningSecure baselines, EDR, patch management, anti-malware, USB/device control
D7Application SecuritySecure SDLC, source code review, OWASP-aligned testing, API security
D8Vulnerability & Penetration TestingExternal/internal VA, PT, re-test, exploitability validation
D9Data Security & CryptographyClassification, encryption at rest/in transit, key management, data localisation
D10Cloud & Virtualisation SecurityCSPM, shared responsibility, IAM, container/K8s, cloud logging
D11Third-Party & Supply ChainVendor due diligence, contracts, KYC for infra providers, SBOM
D12Business Continuity & ResilienceBCP/DR, backups, RTO/RPO, tabletop exercises, ransomware recovery
D13Physical & Environmental SecurityData centre access, CCTV, environmental controls, media disposal
D14Awareness & Human FactorsTraining, phishing simulation, secure conduct, insider risk

Master assessment checklist

This is the operational core of the audit. Each domain is expanded below into a control group with a table of what the auditor must verify and the typical evidence that satisfies each control. Implementers should treat the 'What to verify' column as their build-and-document requirement, and the 'Typical evidence' column as their evidence register. No domain is omitted.

D1 - Governance, Risk & Compliance

What to verifyTypical evidence
Board/management-approved information security policy exists, is current (reviewed within 12 months) and communicatedSigned policy document, version history, approval minutes, circulation record
A documented risk assessment methodology is applied with a maintained risk register and treatment plansRisk register, risk acceptance sign-offs, treatment tracker, methodology note
A complete asset inventory (hardware, software, data, cloud, third-party) with owners and classification existsCMDB/asset register export, classification labels, owner mapping
Roles, responsibilities and a designated CISO / point of contact for CERT-In are definedOrg chart, RACI, CISO appointment letter, CERT-In POC nomination
A compliance calendar tracks statutory/regulatory obligations (CERT-In directions, sectoral circulars)Compliance register, audit calendar, prior audit closure certificates
Security exceptions are formally raised, risk-assessed, time-bound and approvedException register with expiry dates and approver signatures

D2 - Incident Response & Reporting

What to verifyTypical evidence
Documented incident response plan covering the 20 CERT-In reportable incident categoriesIR plan, incident taxonomy mapped to CERT-In categories
Capability to report to CERT-In within 6 hours of noticing an incidentReporting SOP, sample reports/acknowledgements, escalation matrix, on-call roster
Named IR team, roles and 24x7 contact channel to CERT-In (incident@cert-in.org.in)Team roster, contact list, retainer/forensic partner agreement
Incident playbooks for ransomware, phishing, data breach, DoS, defacement etc.Playbook documents, tabletop exercise records
Forensic readiness: evidence preservation, chain of custody, image captureForensic SOP, tooling list, sample chain-of-custody form
Post-incident review and lessons-learned feedback into controlsClosed incident tickets, RCA reports, corrective action tracker

D3 - Logging, Monitoring & Time Synchronisation

What to verifyTypical evidence
Logs for all ICT systems are enabled, retained for at least 180 days and stored within Indian jurisdictionLog retention policy, storage location attestation, SIEM retention config
All system clocks are synchronised to NPL (National Physical Laboratory) or NIC NTP serversNTP configuration on hosts/network devices, drift monitoring output
Centralised log collection (SIEM) with parsing, correlation and alertingSIEM architecture, log source inventory, correlation rules, sample alerts
Security events are monitored, triaged and escalated within defined SLAsSOC runbook, ticket samples, SLA/MTTR reports
Log integrity is protected (tamper-evidence, restricted access, WORM/archival)Access controls on log store, hashing/immutability evidence
Coverage includes network, endpoint, application, cloud and identity logsLog source coverage matrix, gap analysis

D4 - Identity & Access Management

What to verifyTypical evidence
Strong authentication with MFA for remote, privileged and administrative accessMFA policy, IdP configuration, enforcement screenshots, coverage report
Role-based access control with least privilege and segregation of dutiesRole matrix, entitlement review report, SoD conflict analysis
Privileged access is vaulted, session-recorded and just-in-time where feasiblePAM configuration, session logs, break-glass procedure
Joiner-mover-leaver process with timely de-provisioningJML SOP, sample tickets, orphan/dormant account report
Periodic user access recertification (at least quarterly for privileged)Access review evidence, sign-offs, remediation of exceptions
Password/secret policy and machine-identity/secret managementPassword policy, secrets vault config, key rotation records
KYC/identity verification maintained where mandated (providers, financial entities)KYC records, retention policy per CERT-In directions

D5 - Network Security

What to verifyTypical evidence
Network is segmented (DMZ, internal, management, OT/CDE) with documented zoningNetwork diagram, VLAN/subnet map, firewall zone policy
Firewall rule base is least-privilege, reviewed periodically and free of any-any rulesRule base export, rule review report, change tickets
IPS/IDS deployed at perimeter and key internal boundaries with tuned signaturesSensor placement diagram, signature version, alert samples
Secure remote access (VPN/ZTNA) with MFA and device posture checksVPN/ZTNA config, MFA enforcement, posture policy
DDoS protection and rate limiting for internet-facing servicesDDoS service config, test/attack mitigation reports
Wireless networks are segregated, encrypted (WPA2/3-Enterprise) and monitoredWLAN config, rogue AP scan results

D6 - Endpoint & Server Hardening

What to verifyTypical evidence
Secure configuration baselines (CIS/vendor benchmarks) applied to servers and endpointsHardening standards, benchmark scan results, deviation report
Endpoint Detection & Response / anti-malware deployed with central managementEDR console coverage report, policy config, detection samples
Patch and vulnerability management with defined SLAs by severityPatch policy, patch compliance report, exception list
Removable media and device control enforcedDLP/device control policy, blocked-device logs
Administrative rights on endpoints are restrictedLocal admin inventory, privilege elevation logs
Golden images and deployment automation ensure consistent hardeningImage build docs, MDM/config-management state

D7 - Application Security

What to verifyTypical evidence
Secure SDLC with security requirements, threat modelling and gated releasesSDLC policy, threat models, security gate records
Source code review (SAST) integrated into CI/CD with triage of findingsSAST reports, pipeline config, defect closure evidence
Application security testing aligned to OWASP Top 10 and OWASP ASVSDAST/PT reports, ASVS coverage mapping
API security: authentication, authorisation, rate limiting, schema validationAPI gateway config, API test results, spec/inventory
Input validation, output encoding and protection against injection/XSS/SSRFTest evidence, remediation of injection findings
Secrets are not hard-coded; dependency/SCA scanning for vulnerable librariesSCA reports, secret-scan results, SBOM

D8 - Vulnerability Assessment & Penetration Testing

What to verifyTypical evidence
Authenticated and unauthenticated VA of all in-scope external and internal assetsVA reports, scope/asset list, scan configs
Manual penetration testing validates exploitability beyond scanner outputPT report with proof-of-concept, exploitation narrative
CVSS-based severity rating and risk contextualisation for each findingFindings register with CVSS vectors and business impact
Re-test (closure verification) of high and critical findings before certificationRe-test report, closure/audit certificate
Testing frequency meets sectoral mandate (e.g. annual VAPT for RBI-regulated)Prior VAPT reports, audit calendar
Testing performed by a CERT-In-empanelled organisation with qualified testersEmpanelment reference, tester certifications (OSCP/CEH etc.)

D9 - Data Security & Cryptography

What to verifyTypical evidence
Data classification scheme applied with handling rules per classClassification policy, labelled data samples, handling matrix
Encryption of sensitive data at rest and in transit with approved algorithmsTLS config, disk/DB encryption evidence, cipher inventory
Cryptographic key management with rotation, escrow and HSM where applicableKMS/HSM config, key lifecycle records
Data localisation and residency requirements met (logs in India, sectoral rules)Storage-location attestation, cloud region config
Data loss prevention for exfiltration channels (email, web, endpoint)DLP policy, incident/blocked events report
Aadhaar Data Vault and tokenisation where UIDAI-regulatedData vault design, tokenisation evidence, UIDAI audit report

D10 - Cloud & Virtualisation Security

What to verifyTypical evidence
Cloud shared-responsibility model documented and ownedRACI for cloud, provider responsibility matrix
Cloud Security Posture Management identifies misconfigurations continuouslyCSPM findings, remediation tracker
Cloud IAM with least privilege, no long-lived root/admin keys, MFA on consoleIAM policy export, key age report, MFA status
Container and Kubernetes security (image scanning, admission control, RBAC)Registry scan results, cluster RBAC, network policies
Cloud logging (CloudTrail/Activity logs) enabled, centralised and retained in IndiaLogging config, region/retention evidence
Storage buckets/databases are not publicly exposed and are encryptedBucket ACL audit, public-exposure scan, encryption status

D11 - Third-Party & Supply Chain Security

What to verifyTypical evidence
Vendor due diligence and security risk rating before onboardingVendor assessment questionnaires, risk ratings
Contracts include security, audit-right, breach-notification and data-localisation clausesExecuted contracts/DPAs with security schedules
KYC and 5-year record retention for data centre/VPS/cloud/VPN providersKYC records, retention policy per CERT-In directions
Software supply chain: SBOM, provenance and update integritySBOM inventory, code-signing/verification evidence
Ongoing monitoring/re-assessment of critical suppliersPeriodic review records, SOC 2/ISO reports from vendors
Fourth-party/sub-processor visibility for critical servicesSub-processor list, flow-down clause evidence

D12 - Business Continuity & Resilience

What to verifyTypical evidence
BCP and DR plans exist with defined RTO/RPO per critical serviceBCP/DR documents, BIA, RTO/RPO register
Backups follow 3-2-1, are encrypted, and include immutable/offline copies against ransomwareBackup policy, job logs, immutability config
Backup restoration is tested periodically with documented resultsRestore test reports, success/failure log
DR failover tested (tabletop and/or live) within defined intervalsDR drill reports, RTO achievement evidence
Ransomware recovery runbook and isolated recovery environment existRunbook, IRE design, recovery test evidence
Continuity of CERT-In reporting during an incident is assuredAlternate reporting procedure, contact redundancy

D13 - Physical & Environmental Security

What to verifyTypical evidence
Physical access to data centres/server rooms is controlled and loggedAccess control logs, badge/biometric records
CCTV coverage with adequate retention for critical areasCCTV footage retention config, camera placement map
Environmental controls (power redundancy, cooling, fire suppression) are in placeUPS/DG records, HVAC and fire-suppression certificates
Media handling and secure disposal/sanitisation procedures are followedMedia disposal certificates, degauss/wipe logs
Visitor management and escort policy for restricted zonesVisitor register, escort policy
For colocated/cloud, provider physical-security assurance is obtainedProvider SOC 2/ISO 27001 certificate, DC audit report

D14 - Awareness & Human Factors

What to verifyTypical evidence
Periodic security awareness training for all staff with completion trackingTraining records, completion percentages, content outline
Simulated phishing campaigns with measured click/report rates and follow-upPhishing campaign reports, trend metrics
Role-specific training for developers, admins and privileged usersSecure-coding/admin training records
Acceptable use and secure conduct policies acknowledged by staffSigned AUP acknowledgements
Insider-risk indicators are monitored and escalatedInsider-risk programme docs, UEBA alerts where applicable
Onboarding and offboarding include security briefings and access handlingHR-security checklist, exit clearance records

Scoping the CERT-In audit

Correct scoping determines the validity of the audit opinion. A scope that omits an internet-facing asset or a sensitive data flow renders the certificate misleading and, for regulated entities, non-compliant. Scoping must be documented, signed off by the auditee's management, and reflected in the audit report.

  • Enumerate all in-scope assets: public IP ranges and domains, internal networks, applications and APIs, cloud accounts and regions, databases, endpoints, and OT/ICS where applicable.
  • Identify sensitive data flows and their storage locations to confirm data localisation and 180-day log retention within India.
  • Confirm regulatory drivers (RBI, SEBI, UIDAI, NPCI, PFRDA, IFSCA) as each imposes specific scope items - for example switch/host security for NPCI or the Aadhaar Data Vault for UIDAI.
  • Define testing windows, rules of engagement, escalation contacts, and out-of-scope exclusions with written justification.
  • Distinguish grey-box (credentialed) versus black-box testing per asset; regulated audits usually require authenticated testing for internal assets.
  • Agree the certification threshold: which severity levels (critical/high) must be closed and re-tested before the audit certificate is issued.

Implementation approach

CyberSigma delivers CERT-In readiness and audit as a phased engagement so that implementers can remediate ahead of the formal empanelled audit and pass on first submission.

Phase 1 - Discovery & Gap Assessment

  • Activities: asset discovery, documentation review, control-mapping workshops against CERT-In directions and applicable sectoral circulars, and a lightweight VA baseline.
  • Deliverables: scoping document, control gap register with severity, applicability matrix, and a prioritised remediation roadmap.

Phase 2 - Remediation & Hardening

  • Activities: implement/document policies, enable 180-day log retention in India, enforce NPL/NIC NTP, deploy MFA and PAM, harden configurations, fix critical/high vulnerabilities, and stand up the incident-reporting workflow.
  • Deliverables: hardened baselines, updated policy set, evidence pack, and a defect burndown showing closure of critical/high items.

Phase 3 - Formal Audit (VAPT + Review)

  • Activities: empanelled-auditor VAPT (external and internal), secure-configuration review, source-code/application review, cloud posture review, and process/governance review with interviews.
  • Deliverables: draft audit report with risk-rated findings register and evidence annexures.

Phase 4 - Closure, Re-test & Certification

  • Activities: remediate residual findings, submit fix evidence, and undergo re-test of high/critical items.
  • Deliverables: signed audit closure/re-audit certificate suitable for submission to CERT-In or the sector regulator, plus a continuous-monitoring plan.

Phase 5 - Sustain & Continuous Assurance

  • Activities: periodic VA scans, quarterly access reviews, drill exercises, and monitoring of CERT-In advisories/vulnerability notes.
  • Deliverables: recurring assurance dashboard, updated risk register, and readiness for the next audit cycle.

Maturity and capability model

CyberSigma rates each control domain on a five-level capability scale so that management can see where they stand and target investment. Regulated entities are generally expected to operate at Level 3 (Defined) or above across all domains, with Level 4+ for critical financial-sector functions.

LevelNameDescriptionAudit outcome
L0AbsentControl not present; requirement unaddressedNon-conformity / critical gap
L1InitialAd hoc, undocumented, person-dependentMajor finding
L2RepeatableSome documentation; inconsistent executionMinor finding with observation
L3DefinedDocumented, standardised and consistently appliedBaseline compliant
L4ManagedMeasured with KPIs, reviewed and continuously improvedStrong posture
L5OptimisingAutomated, predictive, threat-informed and self-correctingLeading practice

Assessment and audit approach

The empanelled audit follows a disciplined, repeatable lifecycle. The steps below are the sequence CyberSigma executes and that an auditor should expect.

  1. Initiation and scoping: agree assets, rules of engagement, escalation paths and certification threshold; obtain signed authorisation for testing.
  2. Information gathering: collect policies, network diagrams, asset inventory, prior audit reports and access to test environments.
  3. Vulnerability assessment: run authenticated and unauthenticated scans across in-scope assets and de-duplicate/validate results.
  4. Penetration testing: manually validate exploitability, chain vulnerabilities, and demonstrate business impact with proof-of-concept.
  5. Configuration and secure-baseline review: benchmark servers, network devices, databases and cloud against CIS/vendor standards.
  6. Application and source-code review: perform SAST/DAST and manual review against OWASP ASVS/Top 10 and API security best practice.
  7. Process and governance review: interview stakeholders and inspect evidence for GRC, IR, logging, IAM, BCP and third-party controls.
  8. Risk rating and reporting: assign CVSS-based severities, contextualise to business risk, and produce the draft findings register.
  9. Remediation support and re-test: verify closure of critical/high findings and update statuses.
  10. Certification and closure: issue the signed audit certificate and submit to CERT-In or the relevant regulator; agree the next-cycle plan.

Evidence request list

The following categorised list is the evidence the audit team will request. Implementers should assemble these into an indexed evidence pack before the audit begins.

  • Governance: information security policy, risk register, asset inventory, org chart/RACI, CISO appointment, exception register, compliance calendar.
  • Incident response: IR plan, reportable-incident taxonomy, 6-hour reporting SOP, CERT-In acknowledgements, playbooks, tabletop records.
  • Logging & time: log retention policy, storage-location attestation (India), SIEM source inventory, NTP configuration to NPL/NIC.
  • Identity & access: MFA/PAM configuration, RBAC matrix, JML tickets, access-recertification sign-offs, KYC records where applicable.
  • Network & endpoint: network diagrams, firewall rule base and review, IPS/IDS config, EDR coverage, patch-compliance reports, hardening scans.
  • Application & cloud: SDLC policy, SAST/DAST/PT reports, SBOM/SCA output, CSPM findings, cloud IAM and logging config.
  • Data & crypto: classification policy, encryption/TLS evidence, key-management records, DLP reports, data-localisation attestations.
  • Continuity: BCP/DR plans, BIA, backup job logs, restore-test and DR-drill reports, ransomware recovery runbook.
  • Third-party: vendor assessments, contracts/DPAs, KYC and retention records, sub-processor lists.
  • Physical: data-centre access logs, CCTV retention, environmental certificates, media-disposal records, provider SOC 2/ISO certificates.
  • Awareness: training completion records, phishing-simulation results, signed acceptable-use acknowledgements.
  • Prior assurance: previous audit/VAPT reports, closure certificates, and remediation trackers.

Roles and responsibilities

RoleResponsibility in the audit
Board / Senior ManagementApprove policy, own residual risk, ensure funding, review audit outcomes
CISO / Information Security HeadOwn the audit programme, coordinate evidence, drive remediation and CERT-In liaison
CERT-In Point of ContactReport incidents within 6 hours, maintain communication with CERT-In
IT / Infrastructure TeamProvide access, implement hardening, remediate network/endpoint findings
Application / DevSecOps TeamFix code and configuration findings, maintain secure SDLC and SBOM
SOC / Monitoring TeamMaintain logging, retention, SIEM correlation and alert response
Risk & ComplianceTrack regulatory mapping, maintain risk and exception registers
Data Protection OfficerOversee data classification, localisation and privacy obligations
Empanelled Auditor (CyberSigma)Conduct VAPT and reviews, rate findings, re-test and issue certificate
Business / Process OwnersConfirm scope, validate business impact of findings, accept residual risk

KPIs to track

  • Mean time to report incidents to CERT-In (target: well under the 6-hour mandate).
  • Percentage of ICT systems with 180-day logging enabled and stored in India.
  • Percentage of systems synchronised to NPL/NIC NTP with drift within tolerance.
  • Critical/high vulnerability remediation SLA adherence and open-finding ageing.
  • MFA and privileged-access coverage across in-scope accounts.
  • Patch compliance percentage by severity within defined SLAs.
  • Phishing-simulation click rate and report rate trends.
  • Backup restore-test success rate and DR-drill RTO achievement.
  • Access-recertification completion rate per cycle.
  • Percentage of critical vendors with current security assessments and contract clauses.
  • Audit findings closed before certification versus carried forward.
  • Time from finding to closure verification (re-test cycle time).

Readiness checklist

  • Scope document signed off by management with all internet-facing and internal assets enumerated
  • Information security policy approved, current and communicated
  • CERT-In point of contact nominated and incident-reporting SOP tested against the 6-hour rule
  • Logs enabled with 180-day retention stored within Indian jurisdiction
  • All clocks synchronised to NPL/NIC NTP servers
  • MFA enforced on remote, privileged and administrative access
  • Privileged access vaulted and access recertification completed
  • Critical and high vulnerabilities from prior scans remediated or in a tracked plan
  • Secure configuration baselines applied and validated by benchmark scan
  • Application security testing completed against OWASP ASVS/Top 10 with fixes
  • Cloud posture reviewed with no public data exposure and least-privilege IAM
  • Backups verified by restore test and DR drill conducted with RTO/RPO evidence
  • Vendor KYC and 5-year retention records maintained for infra providers
  • Evidence pack assembled, indexed and mapped to the applicable sectoral circular
  • Awareness training and phishing simulation completed with metrics captured

Common gaps

  • Logs retained for less than 180 days or stored outside India, breaching the CERT-In directions.
  • System clocks not synchronised to NPL/NIC, undermining incident correlation and forensic timelines.
  • No tested capability to report incidents within 6 hours; reliance on undocumented ad hoc escalation.
  • MFA absent on VPN, cloud console or privileged accounts; long-lived cloud access keys in use.
  • Firewall rule base containing any-any rules and unreviewed legacy exceptions.
  • Publicly exposed storage buckets, databases or management interfaces discovered during external testing.
  • Hard-coded secrets in source code and no SBOM or SCA scanning for vulnerable dependencies.
  • Backups not immutable/offline, leaving the organisation exposed to ransomware encryption of backups.
  • Critical/high vulnerabilities left open past SLA with no risk-accepted exception record.
  • Vendor contracts lacking security, audit-right, breach-notification and data-localisation clauses.
  • Access reviews and de-provisioning not performed, leaving orphan and dormant privileged accounts.
  • Audit conducted by a non-empanelled provider, which regulators may reject.

CERT-In Audit Policy mapped to other frameworks

CERT-In audit domains map closely to major standards and sectoral frameworks, allowing organisations to reuse evidence across multiple compliance programmes.

CERT-In domainISO/IEC 27001:2022NIST CSF 2.0PCI DSS v4.0Sectoral (RBI/SEBI/UIDAI)
Governance, Risk & ComplianceA.5 Organisational controlsGOVERN, IDENTIFYReq 12 PoliciesRBI IT Governance MD 2023; SEBI CSCRF Governance
Incident Response & ReportingA.5.24-5.28RESPOND, RECOVERReq 12.10RBI incident reporting; SEBI reporting timelines
Logging, Monitoring & Time SyncA.8.15-8.16DETECTReq 10RBI log retention; SEBI SOC requirements
Identity & Access ManagementA.5.15-5.18, A.8.2-8.5PROTECT (PR.AA)Req 7,8UIDAI access controls; RBI access management
Network SecurityA.8.20-8.22PROTECT (PR.IR)Req 1RBI network segmentation; NPCI switch security
Endpoint & Server HardeningA.8.8-8.9, A.8.19PROTECT (PR.PS)Req 2,5,6RBI baseline hardening
Application SecurityA.8.25-8.28PROTECT (PR.PS)Req 6SEBI application security; RBI secure SDLC
Vulnerability & Penetration TestingA.8.8IDENTIFY (ID.RA)Req 11RBI annual VAPT; SEBI VAPT before go-live
Data Security & CryptographyA.8.10-8.12, A.8.24PROTECT (PR.DS)Req 3,4UIDAI Aadhaar Data Vault; data localisation
Cloud & Virtualisation SecurityA.5.23, A.8.16PROTECT/DETECTReq 1,2,6RBI cloud guidance; IFSCA cloud controls
Third-Party & Supply ChainA.5.19-5.23GOVERN (GV.SC)Req 12.8RBI outsourcing; SEBI vendor management
Business Continuity & ResilienceA.5.29-5.30, A.8.13-8.14RECOVERReq 12.10RBI BCP; SEBI cyber resilience
Physical & Environmental SecurityA.7 Physical controlsPROTECT (PR.AA)Req 9RBI DC controls
Awareness & Human FactorsA.6.3PROTECT (PR.AT)Req 12.6RBI/SEBI awareness mandates
How CyberSigma helps
CyberSigma is a CERT-In-aligned cyber security partner that takes organisations from gap assessment to a signed, submission-ready audit certificate. We map your environment to the CERT-In directions and the exact sectoral circular that applies to you (RBI, SEBI, UIDAI, NPCI, PFRDA or IFSCA), remediate critical and high findings ahead of the formal audit, and deliver empanelled-grade VAPT, secure-configuration, application, cloud and governance reviews. Our evidence-first methodology means you enter the audit with an indexed evidence pack, 180-day India-resident logging, NPL/NIC time synchronisation, a tested 6-hour incident-reporting workflow, and ransomware-resilient backups already in place. The result is faster certification, fewer carried-forward findings, and a continuous-assurance programme that keeps you audit-ready every cycle. Talk to CyberSigma to scope your CERT-In audit today.

Frequently asked questions

Who can perform a CERT-In audit?
A CERT-In empanelled auditing organisation, following the 2025 Comprehensive Cyber Security Audit Policy Guidelines. CyberSigma is CERT-In empanelled.

Need help with CERT-In Audit Policy?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.