Introduction: The CERT-In Comprehensive Cyber Security Audit
The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), is the national nodal agency for responding to computer security incidents under Section 70B of the Information Technology Act, 2000. A CERT-In Comprehensive Cyber Security Audit is a structured, evidence-driven assessment of an organisation's information technology infrastructure, applications, networks, cloud environments and processes against recognised security baselines, conducted by an auditing organisation empanelled by CERT-In. It is not merely a vulnerability scan; it is a holistic examination of technical controls, governance, incident readiness and regulatory conformance that produces an auditor's opinion and a prioritised remediation roadmap.
This guide is written for two audiences simultaneously. For the auditor, it lays out the assessment methodology, the control-by-control verification steps, and the specific evidence to demand and inspect. For the implementer, it explains what to build, harden and document so that an audit passes on the first attempt. Throughout, we anchor the guidance to the real CERT-In instruments that give the audit its authority: the CERT-In Directions dated 28 April 2022 issued under Section 70B(6), the Guidelines on Information Security Practices for Government Entities (2023), the CERT-In empanelment framework for security auditing organisations, and the sector-specific mandates issued by the RBI, SEBI, UIDAI, NPCI, PFRDA and IFSCA that require CERT-In-empanelled audits.
Copyright and source note
CERT-In directions, guidelines and advisories are Government of India instruments published by MeitY. This guide is original explanatory content prepared by CyberSigma and does not reproduce the copyrighted text of CERT-In directions, RBI/SEBI/UIDAI/NPCI circulars, or any licensed standard such as ISO/IEC 27001 or the PCI DSS. Always refer to the authoritative source documents (cert-in.org.in and the respective regulator portals) for binding requirements. Control identifiers and clause numbers cited here are provided for navigation and mapping and must be verified against the current published versions.
What is the CERT-In Audit Policy
The 'CERT-In Audit Policy' is the collective framework of directions, guidelines, empanelment rules and audit methodology under which cyber security audits are commissioned and delivered in India when CERT-In empanelment is required. It has four interlocking layers.
- Legal basis: Section 70B of the IT Act, 2000 empowers CERT-In to call for information, issue directions, and require audits. The IT (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 operationalise this.
- Binding directions: The CERT-In Directions of 28 April 2022 mandate 180-day log retention within Indian jurisdiction, synchronisation of all ICT system clocks to NPL/NIC NTP servers, mandatory reporting of 20 categories of cyber incidents within 6 hours of noticing, KYC and record-keeping for data centres/VPS/cloud/VPN providers, and specific record-keeping for virtual asset service providers.
- Guidelines: The CERT-In Guidelines on Information Security Practices for Government Entities (June 2023) provide baseline controls across governance, network, application, cloud, endpoint, identity, data and third-party security, and are widely used as the audit baseline for public-sector and CII-adjacent entities.
- Empanelment and methodology: CERT-In maintains a panel of empanelled Information Security Auditing Organisations. An audit under this policy follows a defined lifecycle - scoping, information gathering, vulnerability assessment, penetration testing, configuration and process review, reporting, and re-audit/closure verification.
An audit conducted under this policy typically covers vulnerability assessment and penetration testing (VAPT) of externally and internally exposed assets, secure configuration review, source code and application security review, cloud security posture review, network architecture review, and a governance/process review mapped to the directions and any applicable sectoral circular. The deliverable is a signed audit report with a risk-rated findings register, evidence annexures, and a closure/re-audit certificate once high and critical findings are remediated.
Who must comply
CERT-In-empanelled cyber security audits are mandatory or strongly expected for a broad set of organisations, driven either by the CERT-In directions directly or by sector regulators who cite CERT-In empanelment in their own circulars.
| Entity / sector | Trigger for CERT-In audit | Governing instrument |
|---|
| All body corporates, government and service providers in India | Incident reporting, log retention (180 days in India), NTP sync | CERT-In Directions, 28 April 2022 (S.70B) |
| Government entities and ministries/departments | Baseline security controls and periodic audit | CERT-In Guidelines for Government Entities, 2023 |
| Banks, NBFCs, cooperative banks, payment operators | Annual VAPT and IS audit by CERT-In-empanelled auditor | RBI Cyber Security Framework 2016; RBI Master Direction on IT Governance 2023 |
| Stock brokers, depository participants, market infra (MIIs) | Systems audit and VAPT before go-live and periodically | SEBI CSCRF 2024; SEBI Cyber Security & Cyber Resilience circulars |
| AUA/KUA and Aadhaar ecosystem entities | Aadhaar data vault and security audit by empanelled auditor | UIDAI Aadhaar Data Security regulations / circulars |
| Banks and members connecting to UPI/IMPS/NFS/RuPay | Certification and security audit of switch and apps | NPCI security compliance and certification circulars |
| Pension fund intermediaries (CRA, PoP, aggregators) | Periodic IS audit and VAPT | PFRDA cyber security and systems audit circulars |
| IFSC (GIFT City) regulated entities | Cyber security framework compliance and audit | IFSCA cyber security and resilience framework |
| Data centres, VPS, cloud and VPN service providers | KYC, 5-year record retention, incident cooperation | CERT-In Directions, 28 April 2022 |
| Virtual asset / crypto exchanges and custodians | 5-year transaction and KYC record retention | CERT-In Directions, 28 April 2022 |
| Critical Information Infrastructure (CII) operators | Audit and reporting to NCIIPC in addition to CERT-In | IT Act S.70; NCIIPC guidelines |
Structure of the CERT-In Audit Policy
For audit execution, the framework is best expressed as a set of control domains, each decomposed into control families and individual verifiable controls. The table below sets out the domain structure CyberSigma uses to organise a CERT-In-empanelled comprehensive audit; it aligns the CERT-In directions and government guidelines with the technical assessment areas an empanelled auditor must cover.
| Domain code | Domain | Representative control families |
|---|
| D1 | Governance, Risk & Compliance | Security policy, risk management, asset inventory, roles, exception management |
| D2 | Incident Response & Reporting | 6-hour reporting, IR plan, playbooks, forensic readiness, CERT-In liaison |
| D3 | Logging, Monitoring & Time Sync | 180-day log retention in India, NTP to NPL/NIC, SIEM, correlation, alerting |
| D4 | Identity & Access Management | Authentication, MFA, privileged access, joiner-mover-leaver, RBAC, KYC |
| D5 | Network Security | Segmentation, firewall rules, IPS/IDS, secure remote access, DDoS protection |
| D6 | Endpoint & Server Hardening | Secure baselines, EDR, patch management, anti-malware, USB/device control |
| D7 | Application Security | Secure SDLC, source code review, OWASP-aligned testing, API security |
| D8 | Vulnerability & Penetration Testing | External/internal VA, PT, re-test, exploitability validation |
| D9 | Data Security & Cryptography | Classification, encryption at rest/in transit, key management, data localisation |
| D10 | Cloud & Virtualisation Security | CSPM, shared responsibility, IAM, container/K8s, cloud logging |
| D11 | Third-Party & Supply Chain | Vendor due diligence, contracts, KYC for infra providers, SBOM |
| D12 | Business Continuity & Resilience | BCP/DR, backups, RTO/RPO, tabletop exercises, ransomware recovery |
| D13 | Physical & Environmental Security | Data centre access, CCTV, environmental controls, media disposal |
| D14 | Awareness & Human Factors | Training, phishing simulation, secure conduct, insider risk |
Master assessment checklist
This is the operational core of the audit. Each domain is expanded below into a control group with a table of what the auditor must verify and the typical evidence that satisfies each control. Implementers should treat the 'What to verify' column as their build-and-document requirement, and the 'Typical evidence' column as their evidence register. No domain is omitted.
D1 - Governance, Risk & Compliance
| What to verify | Typical evidence |
|---|
| Board/management-approved information security policy exists, is current (reviewed within 12 months) and communicated | Signed policy document, version history, approval minutes, circulation record |
| A documented risk assessment methodology is applied with a maintained risk register and treatment plans | Risk register, risk acceptance sign-offs, treatment tracker, methodology note |
| A complete asset inventory (hardware, software, data, cloud, third-party) with owners and classification exists | CMDB/asset register export, classification labels, owner mapping |
| Roles, responsibilities and a designated CISO / point of contact for CERT-In are defined | Org chart, RACI, CISO appointment letter, CERT-In POC nomination |
| A compliance calendar tracks statutory/regulatory obligations (CERT-In directions, sectoral circulars) | Compliance register, audit calendar, prior audit closure certificates |
| Security exceptions are formally raised, risk-assessed, time-bound and approved | Exception register with expiry dates and approver signatures |
D2 - Incident Response & Reporting
| What to verify | Typical evidence |
|---|
| Documented incident response plan covering the 20 CERT-In reportable incident categories | IR plan, incident taxonomy mapped to CERT-In categories |
| Capability to report to CERT-In within 6 hours of noticing an incident | Reporting SOP, sample reports/acknowledgements, escalation matrix, on-call roster |
| Named IR team, roles and 24x7 contact channel to CERT-In (incident@cert-in.org.in) | Team roster, contact list, retainer/forensic partner agreement |
| Incident playbooks for ransomware, phishing, data breach, DoS, defacement etc. | Playbook documents, tabletop exercise records |
| Forensic readiness: evidence preservation, chain of custody, image capture | Forensic SOP, tooling list, sample chain-of-custody form |
| Post-incident review and lessons-learned feedback into controls | Closed incident tickets, RCA reports, corrective action tracker |
D3 - Logging, Monitoring & Time Synchronisation
| What to verify | Typical evidence |
|---|
| Logs for all ICT systems are enabled, retained for at least 180 days and stored within Indian jurisdiction | Log retention policy, storage location attestation, SIEM retention config |
| All system clocks are synchronised to NPL (National Physical Laboratory) or NIC NTP servers | NTP configuration on hosts/network devices, drift monitoring output |
| Centralised log collection (SIEM) with parsing, correlation and alerting | SIEM architecture, log source inventory, correlation rules, sample alerts |
| Security events are monitored, triaged and escalated within defined SLAs | SOC runbook, ticket samples, SLA/MTTR reports |
| Log integrity is protected (tamper-evidence, restricted access, WORM/archival) | Access controls on log store, hashing/immutability evidence |
| Coverage includes network, endpoint, application, cloud and identity logs | Log source coverage matrix, gap analysis |
D4 - Identity & Access Management
| What to verify | Typical evidence |
|---|
| Strong authentication with MFA for remote, privileged and administrative access | MFA policy, IdP configuration, enforcement screenshots, coverage report |
| Role-based access control with least privilege and segregation of duties | Role matrix, entitlement review report, SoD conflict analysis |
| Privileged access is vaulted, session-recorded and just-in-time where feasible | PAM configuration, session logs, break-glass procedure |
| Joiner-mover-leaver process with timely de-provisioning | JML SOP, sample tickets, orphan/dormant account report |
| Periodic user access recertification (at least quarterly for privileged) | Access review evidence, sign-offs, remediation of exceptions |
| Password/secret policy and machine-identity/secret management | Password policy, secrets vault config, key rotation records |
| KYC/identity verification maintained where mandated (providers, financial entities) | KYC records, retention policy per CERT-In directions |
D5 - Network Security
| What to verify | Typical evidence |
|---|
| Network is segmented (DMZ, internal, management, OT/CDE) with documented zoning | Network diagram, VLAN/subnet map, firewall zone policy |
| Firewall rule base is least-privilege, reviewed periodically and free of any-any rules | Rule base export, rule review report, change tickets |
| IPS/IDS deployed at perimeter and key internal boundaries with tuned signatures | Sensor placement diagram, signature version, alert samples |
| Secure remote access (VPN/ZTNA) with MFA and device posture checks | VPN/ZTNA config, MFA enforcement, posture policy |
| DDoS protection and rate limiting for internet-facing services | DDoS service config, test/attack mitigation reports |
| Wireless networks are segregated, encrypted (WPA2/3-Enterprise) and monitored | WLAN config, rogue AP scan results |
D6 - Endpoint & Server Hardening
| What to verify | Typical evidence |
|---|
| Secure configuration baselines (CIS/vendor benchmarks) applied to servers and endpoints | Hardening standards, benchmark scan results, deviation report |
| Endpoint Detection & Response / anti-malware deployed with central management | EDR console coverage report, policy config, detection samples |
| Patch and vulnerability management with defined SLAs by severity | Patch policy, patch compliance report, exception list |
| Removable media and device control enforced | DLP/device control policy, blocked-device logs |
| Administrative rights on endpoints are restricted | Local admin inventory, privilege elevation logs |
| Golden images and deployment automation ensure consistent hardening | Image build docs, MDM/config-management state |
D7 - Application Security
| What to verify | Typical evidence |
|---|
| Secure SDLC with security requirements, threat modelling and gated releases | SDLC policy, threat models, security gate records |
| Source code review (SAST) integrated into CI/CD with triage of findings | SAST reports, pipeline config, defect closure evidence |
| Application security testing aligned to OWASP Top 10 and OWASP ASVS | DAST/PT reports, ASVS coverage mapping |
| API security: authentication, authorisation, rate limiting, schema validation | API gateway config, API test results, spec/inventory |
| Input validation, output encoding and protection against injection/XSS/SSRF | Test evidence, remediation of injection findings |
| Secrets are not hard-coded; dependency/SCA scanning for vulnerable libraries | SCA reports, secret-scan results, SBOM |
D8 - Vulnerability Assessment & Penetration Testing
| What to verify | Typical evidence |
|---|
| Authenticated and unauthenticated VA of all in-scope external and internal assets | VA reports, scope/asset list, scan configs |
| Manual penetration testing validates exploitability beyond scanner output | PT report with proof-of-concept, exploitation narrative |
| CVSS-based severity rating and risk contextualisation for each finding | Findings register with CVSS vectors and business impact |
| Re-test (closure verification) of high and critical findings before certification | Re-test report, closure/audit certificate |
| Testing frequency meets sectoral mandate (e.g. annual VAPT for RBI-regulated) | Prior VAPT reports, audit calendar |
| Testing performed by a CERT-In-empanelled organisation with qualified testers | Empanelment reference, tester certifications (OSCP/CEH etc.) |
D9 - Data Security & Cryptography
| What to verify | Typical evidence |
|---|
| Data classification scheme applied with handling rules per class | Classification policy, labelled data samples, handling matrix |
| Encryption of sensitive data at rest and in transit with approved algorithms | TLS config, disk/DB encryption evidence, cipher inventory |
| Cryptographic key management with rotation, escrow and HSM where applicable | KMS/HSM config, key lifecycle records |
| Data localisation and residency requirements met (logs in India, sectoral rules) | Storage-location attestation, cloud region config |
| Data loss prevention for exfiltration channels (email, web, endpoint) | DLP policy, incident/blocked events report |
| Aadhaar Data Vault and tokenisation where UIDAI-regulated | Data vault design, tokenisation evidence, UIDAI audit report |
D10 - Cloud & Virtualisation Security
| What to verify | Typical evidence |
|---|
| Cloud shared-responsibility model documented and owned | RACI for cloud, provider responsibility matrix |
| Cloud Security Posture Management identifies misconfigurations continuously | CSPM findings, remediation tracker |
| Cloud IAM with least privilege, no long-lived root/admin keys, MFA on console | IAM policy export, key age report, MFA status |
| Container and Kubernetes security (image scanning, admission control, RBAC) | Registry scan results, cluster RBAC, network policies |
| Cloud logging (CloudTrail/Activity logs) enabled, centralised and retained in India | Logging config, region/retention evidence |
| Storage buckets/databases are not publicly exposed and are encrypted | Bucket ACL audit, public-exposure scan, encryption status |
D11 - Third-Party & Supply Chain Security
| What to verify | Typical evidence |
|---|
| Vendor due diligence and security risk rating before onboarding | Vendor assessment questionnaires, risk ratings |
| Contracts include security, audit-right, breach-notification and data-localisation clauses | Executed contracts/DPAs with security schedules |
| KYC and 5-year record retention for data centre/VPS/cloud/VPN providers | KYC records, retention policy per CERT-In directions |
| Software supply chain: SBOM, provenance and update integrity | SBOM inventory, code-signing/verification evidence |
| Ongoing monitoring/re-assessment of critical suppliers | Periodic review records, SOC 2/ISO reports from vendors |
| Fourth-party/sub-processor visibility for critical services | Sub-processor list, flow-down clause evidence |
D12 - Business Continuity & Resilience
| What to verify | Typical evidence |
|---|
| BCP and DR plans exist with defined RTO/RPO per critical service | BCP/DR documents, BIA, RTO/RPO register |
| Backups follow 3-2-1, are encrypted, and include immutable/offline copies against ransomware | Backup policy, job logs, immutability config |
| Backup restoration is tested periodically with documented results | Restore test reports, success/failure log |
| DR failover tested (tabletop and/or live) within defined intervals | DR drill reports, RTO achievement evidence |
| Ransomware recovery runbook and isolated recovery environment exist | Runbook, IRE design, recovery test evidence |
| Continuity of CERT-In reporting during an incident is assured | Alternate reporting procedure, contact redundancy |
D13 - Physical & Environmental Security
| What to verify | Typical evidence |
|---|
| Physical access to data centres/server rooms is controlled and logged | Access control logs, badge/biometric records |
| CCTV coverage with adequate retention for critical areas | CCTV footage retention config, camera placement map |
| Environmental controls (power redundancy, cooling, fire suppression) are in place | UPS/DG records, HVAC and fire-suppression certificates |
| Media handling and secure disposal/sanitisation procedures are followed | Media disposal certificates, degauss/wipe logs |
| Visitor management and escort policy for restricted zones | Visitor register, escort policy |
| For colocated/cloud, provider physical-security assurance is obtained | Provider SOC 2/ISO 27001 certificate, DC audit report |
D14 - Awareness & Human Factors
| What to verify | Typical evidence |
|---|
| Periodic security awareness training for all staff with completion tracking | Training records, completion percentages, content outline |
| Simulated phishing campaigns with measured click/report rates and follow-up | Phishing campaign reports, trend metrics |
| Role-specific training for developers, admins and privileged users | Secure-coding/admin training records |
| Acceptable use and secure conduct policies acknowledged by staff | Signed AUP acknowledgements |
| Insider-risk indicators are monitored and escalated | Insider-risk programme docs, UEBA alerts where applicable |
| Onboarding and offboarding include security briefings and access handling | HR-security checklist, exit clearance records |
Scoping the CERT-In audit
Correct scoping determines the validity of the audit opinion. A scope that omits an internet-facing asset or a sensitive data flow renders the certificate misleading and, for regulated entities, non-compliant. Scoping must be documented, signed off by the auditee's management, and reflected in the audit report.
- Enumerate all in-scope assets: public IP ranges and domains, internal networks, applications and APIs, cloud accounts and regions, databases, endpoints, and OT/ICS where applicable.
- Identify sensitive data flows and their storage locations to confirm data localisation and 180-day log retention within India.
- Confirm regulatory drivers (RBI, SEBI, UIDAI, NPCI, PFRDA, IFSCA) as each imposes specific scope items - for example switch/host security for NPCI or the Aadhaar Data Vault for UIDAI.
- Define testing windows, rules of engagement, escalation contacts, and out-of-scope exclusions with written justification.
- Distinguish grey-box (credentialed) versus black-box testing per asset; regulated audits usually require authenticated testing for internal assets.
- Agree the certification threshold: which severity levels (critical/high) must be closed and re-tested before the audit certificate is issued.
Implementation approach
CyberSigma delivers CERT-In readiness and audit as a phased engagement so that implementers can remediate ahead of the formal empanelled audit and pass on first submission.
Phase 1 - Discovery & Gap Assessment
- Activities: asset discovery, documentation review, control-mapping workshops against CERT-In directions and applicable sectoral circulars, and a lightweight VA baseline.
- Deliverables: scoping document, control gap register with severity, applicability matrix, and a prioritised remediation roadmap.
Phase 2 - Remediation & Hardening
- Activities: implement/document policies, enable 180-day log retention in India, enforce NPL/NIC NTP, deploy MFA and PAM, harden configurations, fix critical/high vulnerabilities, and stand up the incident-reporting workflow.
- Deliverables: hardened baselines, updated policy set, evidence pack, and a defect burndown showing closure of critical/high items.
Phase 3 - Formal Audit (VAPT + Review)
- Activities: empanelled-auditor VAPT (external and internal), secure-configuration review, source-code/application review, cloud posture review, and process/governance review with interviews.
- Deliverables: draft audit report with risk-rated findings register and evidence annexures.
Phase 4 - Closure, Re-test & Certification
- Activities: remediate residual findings, submit fix evidence, and undergo re-test of high/critical items.
- Deliverables: signed audit closure/re-audit certificate suitable for submission to CERT-In or the sector regulator, plus a continuous-monitoring plan.
Phase 5 - Sustain & Continuous Assurance
- Activities: periodic VA scans, quarterly access reviews, drill exercises, and monitoring of CERT-In advisories/vulnerability notes.
- Deliverables: recurring assurance dashboard, updated risk register, and readiness for the next audit cycle.
Maturity and capability model
CyberSigma rates each control domain on a five-level capability scale so that management can see where they stand and target investment. Regulated entities are generally expected to operate at Level 3 (Defined) or above across all domains, with Level 4+ for critical financial-sector functions.
| Level | Name | Description | Audit outcome |
|---|
| L0 | Absent | Control not present; requirement unaddressed | Non-conformity / critical gap |
| L1 | Initial | Ad hoc, undocumented, person-dependent | Major finding |
| L2 | Repeatable | Some documentation; inconsistent execution | Minor finding with observation |
| L3 | Defined | Documented, standardised and consistently applied | Baseline compliant |
| L4 | Managed | Measured with KPIs, reviewed and continuously improved | Strong posture |
| L5 | Optimising | Automated, predictive, threat-informed and self-correcting | Leading practice |
Assessment and audit approach
The empanelled audit follows a disciplined, repeatable lifecycle. The steps below are the sequence CyberSigma executes and that an auditor should expect.
- Initiation and scoping: agree assets, rules of engagement, escalation paths and certification threshold; obtain signed authorisation for testing.
- Information gathering: collect policies, network diagrams, asset inventory, prior audit reports and access to test environments.
- Vulnerability assessment: run authenticated and unauthenticated scans across in-scope assets and de-duplicate/validate results.
- Penetration testing: manually validate exploitability, chain vulnerabilities, and demonstrate business impact with proof-of-concept.
- Configuration and secure-baseline review: benchmark servers, network devices, databases and cloud against CIS/vendor standards.
- Application and source-code review: perform SAST/DAST and manual review against OWASP ASVS/Top 10 and API security best practice.
- Process and governance review: interview stakeholders and inspect evidence for GRC, IR, logging, IAM, BCP and third-party controls.
- Risk rating and reporting: assign CVSS-based severities, contextualise to business risk, and produce the draft findings register.
- Remediation support and re-test: verify closure of critical/high findings and update statuses.
- Certification and closure: issue the signed audit certificate and submit to CERT-In or the relevant regulator; agree the next-cycle plan.
Evidence request list
The following categorised list is the evidence the audit team will request. Implementers should assemble these into an indexed evidence pack before the audit begins.
- Governance: information security policy, risk register, asset inventory, org chart/RACI, CISO appointment, exception register, compliance calendar.
- Incident response: IR plan, reportable-incident taxonomy, 6-hour reporting SOP, CERT-In acknowledgements, playbooks, tabletop records.
- Logging & time: log retention policy, storage-location attestation (India), SIEM source inventory, NTP configuration to NPL/NIC.
- Identity & access: MFA/PAM configuration, RBAC matrix, JML tickets, access-recertification sign-offs, KYC records where applicable.
- Network & endpoint: network diagrams, firewall rule base and review, IPS/IDS config, EDR coverage, patch-compliance reports, hardening scans.
- Application & cloud: SDLC policy, SAST/DAST/PT reports, SBOM/SCA output, CSPM findings, cloud IAM and logging config.
- Data & crypto: classification policy, encryption/TLS evidence, key-management records, DLP reports, data-localisation attestations.
- Continuity: BCP/DR plans, BIA, backup job logs, restore-test and DR-drill reports, ransomware recovery runbook.
- Third-party: vendor assessments, contracts/DPAs, KYC and retention records, sub-processor lists.
- Physical: data-centre access logs, CCTV retention, environmental certificates, media-disposal records, provider SOC 2/ISO certificates.
- Awareness: training completion records, phishing-simulation results, signed acceptable-use acknowledgements.
- Prior assurance: previous audit/VAPT reports, closure certificates, and remediation trackers.
Roles and responsibilities
| Role | Responsibility in the audit |
|---|
| Board / Senior Management | Approve policy, own residual risk, ensure funding, review audit outcomes |
| CISO / Information Security Head | Own the audit programme, coordinate evidence, drive remediation and CERT-In liaison |
| CERT-In Point of Contact | Report incidents within 6 hours, maintain communication with CERT-In |
| IT / Infrastructure Team | Provide access, implement hardening, remediate network/endpoint findings |
| Application / DevSecOps Team | Fix code and configuration findings, maintain secure SDLC and SBOM |
| SOC / Monitoring Team | Maintain logging, retention, SIEM correlation and alert response |
| Risk & Compliance | Track regulatory mapping, maintain risk and exception registers |
| Data Protection Officer | Oversee data classification, localisation and privacy obligations |
| Empanelled Auditor (CyberSigma) | Conduct VAPT and reviews, rate findings, re-test and issue certificate |
| Business / Process Owners | Confirm scope, validate business impact of findings, accept residual risk |
KPIs to track
- Mean time to report incidents to CERT-In (target: well under the 6-hour mandate).
- Percentage of ICT systems with 180-day logging enabled and stored in India.
- Percentage of systems synchronised to NPL/NIC NTP with drift within tolerance.
- Critical/high vulnerability remediation SLA adherence and open-finding ageing.
- MFA and privileged-access coverage across in-scope accounts.
- Patch compliance percentage by severity within defined SLAs.
- Phishing-simulation click rate and report rate trends.
- Backup restore-test success rate and DR-drill RTO achievement.
- Access-recertification completion rate per cycle.
- Percentage of critical vendors with current security assessments and contract clauses.
- Audit findings closed before certification versus carried forward.
- Time from finding to closure verification (re-test cycle time).
Readiness checklist
- Scope document signed off by management with all internet-facing and internal assets enumerated
- Information security policy approved, current and communicated
- CERT-In point of contact nominated and incident-reporting SOP tested against the 6-hour rule
- Logs enabled with 180-day retention stored within Indian jurisdiction
- All clocks synchronised to NPL/NIC NTP servers
- MFA enforced on remote, privileged and administrative access
- Privileged access vaulted and access recertification completed
- Critical and high vulnerabilities from prior scans remediated or in a tracked plan
- Secure configuration baselines applied and validated by benchmark scan
- Application security testing completed against OWASP ASVS/Top 10 with fixes
- Cloud posture reviewed with no public data exposure and least-privilege IAM
- Backups verified by restore test and DR drill conducted with RTO/RPO evidence
- Vendor KYC and 5-year retention records maintained for infra providers
- Evidence pack assembled, indexed and mapped to the applicable sectoral circular
- Awareness training and phishing simulation completed with metrics captured
Common gaps
- Logs retained for less than 180 days or stored outside India, breaching the CERT-In directions.
- System clocks not synchronised to NPL/NIC, undermining incident correlation and forensic timelines.
- No tested capability to report incidents within 6 hours; reliance on undocumented ad hoc escalation.
- MFA absent on VPN, cloud console or privileged accounts; long-lived cloud access keys in use.
- Firewall rule base containing any-any rules and unreviewed legacy exceptions.
- Publicly exposed storage buckets, databases or management interfaces discovered during external testing.
- Hard-coded secrets in source code and no SBOM or SCA scanning for vulnerable dependencies.
- Backups not immutable/offline, leaving the organisation exposed to ransomware encryption of backups.
- Critical/high vulnerabilities left open past SLA with no risk-accepted exception record.
- Vendor contracts lacking security, audit-right, breach-notification and data-localisation clauses.
- Access reviews and de-provisioning not performed, leaving orphan and dormant privileged accounts.
- Audit conducted by a non-empanelled provider, which regulators may reject.
CERT-In Audit Policy mapped to other frameworks
CERT-In audit domains map closely to major standards and sectoral frameworks, allowing organisations to reuse evidence across multiple compliance programmes.
| CERT-In domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | PCI DSS v4.0 | Sectoral (RBI/SEBI/UIDAI) |
|---|
| Governance, Risk & Compliance | A.5 Organisational controls | GOVERN, IDENTIFY | Req 12 Policies | RBI IT Governance MD 2023; SEBI CSCRF Governance |
| Incident Response & Reporting | A.5.24-5.28 | RESPOND, RECOVER | Req 12.10 | RBI incident reporting; SEBI reporting timelines |
| Logging, Monitoring & Time Sync | A.8.15-8.16 | DETECT | Req 10 | RBI log retention; SEBI SOC requirements |
| Identity & Access Management | A.5.15-5.18, A.8.2-8.5 | PROTECT (PR.AA) | Req 7,8 | UIDAI access controls; RBI access management |
| Network Security | A.8.20-8.22 | PROTECT (PR.IR) | Req 1 | RBI network segmentation; NPCI switch security |
| Endpoint & Server Hardening | A.8.8-8.9, A.8.19 | PROTECT (PR.PS) | Req 2,5,6 | RBI baseline hardening |
| Application Security | A.8.25-8.28 | PROTECT (PR.PS) | Req 6 | SEBI application security; RBI secure SDLC |
| Vulnerability & Penetration Testing | A.8.8 | IDENTIFY (ID.RA) | Req 11 | RBI annual VAPT; SEBI VAPT before go-live |
| Data Security & Cryptography | A.8.10-8.12, A.8.24 | PROTECT (PR.DS) | Req 3,4 | UIDAI Aadhaar Data Vault; data localisation |
| Cloud & Virtualisation Security | A.5.23, A.8.16 | PROTECT/DETECT | Req 1,2,6 | RBI cloud guidance; IFSCA cloud controls |
| Third-Party & Supply Chain | A.5.19-5.23 | GOVERN (GV.SC) | Req 12.8 | RBI outsourcing; SEBI vendor management |
| Business Continuity & Resilience | A.5.29-5.30, A.8.13-8.14 | RECOVER | Req 12.10 | RBI BCP; SEBI cyber resilience |
| Physical & Environmental Security | A.7 Physical controls | PROTECT (PR.AA) | Req 9 | RBI DC controls |
| Awareness & Human Factors | A.6.3 | PROTECT (PR.AT) | Req 12.6 | RBI/SEBI awareness mandates |
How CyberSigma helps
CyberSigma is a CERT-In-aligned cyber security partner that takes organisations from gap assessment to a signed, submission-ready audit certificate. We map your environment to the CERT-In directions and the exact sectoral circular that applies to you (RBI, SEBI, UIDAI, NPCI, PFRDA or IFSCA), remediate critical and high findings ahead of the formal audit, and deliver empanelled-grade VAPT, secure-configuration, application, cloud and governance reviews. Our evidence-first methodology means you enter the audit with an indexed evidence pack, 180-day India-resident logging, NPL/NIC time synchronisation, a tested 6-hour incident-reporting workflow, and ransomware-resilient backups already in place. The result is faster certification, fewer carried-forward findings, and a continuous-assurance programme that keeps you audit-ready every cycle. Talk to CyberSigma to scope your CERT-In audit today.