Introduction: The NCIIPC Critical Information Infrastructure Audit
India's most consequential digital systems - the grids that keep the lights on, the payment rails that clear billions of rupees a day, the signalling that moves trains, and the platforms that run banks, telecom carriers and government service delivery - are increasingly targeted by nation-state actors, ransomware crews and hacktivist collectives. The National Critical Information Infrastructure Protection Centre (NCIIPC), the nodal agency constituted under Section 70A of the Information Technology Act, 2000, exists to protect these systems. The NCIIPC Critical Information Infrastructure (CII) Audit is the formal assurance mechanism by which an organisation demonstrates that its notified Critical Information Infrastructure meets NCIIPC's protection expectations.
This guide is written for two audiences at once. If you are the auditor or assessor - a CERT-In empanelled auditing organisation, an internal audit lead, or a third-party assessor - it gives you a control-by-control assessment map, evidence expectations, a scoring model and a defensible audit lifecycle. If you are the implementer - the CISO, the plant OT engineer, the SOC lead, or the product/architecture team of a designated Critical Sector entity - it tells you exactly what to build, what to document and how to prepare so the audit is a formality rather than a firefight. Throughout, we distinguish between what NCIIPC and CERT-In require, what is good practice, and what merely helps.
What is the NCIIPC CII Audit
Critical Information Infrastructure is defined in the IT Act as 'those computer resources, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety'. NCIIPC is the national nodal agency for CII protection and is administratively part of the National Technical Research Organisation (NTRO). A CII notification is a legal act: once the Central Government, on NCIIPC's recommendation, declares a computer resource to be 'protected system' under Section 70 of the IT Act, unauthorised access to it attracts enhanced penalties, and the operating entity inherits specific protection obligations.
The NCIIPC CII Audit is the assurance activity that verifies those obligations are met. It is not a single fixed checklist like a product certification; it is a risk-and-control assessment framed by NCIIPC's guidelines and delivered through the CERT-In empanelment audit ecosystem. In practice a CII audit blends several things: verification that the entity has correctly identified and notified its CII; assessment of the security controls protecting that CII against NCIIPC's guideline domains; validation of the organisation's incident detection, reporting and response capability (including the mandatory reporting of incidents to NCIIPC and CERT-In); and confirmation of governance, resilience and supply-chain controls. The output is an audit report with findings, risk ratings and a remediation roadmap, plus - increasingly - a maturity rating.
How it relates to the wider Indian assurance ecosystem
- NCIIPC sets CII-specific protection guidelines and evaluates cyber security posture of CII; it operates threat intelligence sharing, issues advisories, and runs the Responsible Vulnerability Disclosure Programme (RVDP) and the National Cyber Coordination effort for CII.
- CERT-In is the national CERT and issues the Cyber Security Directions of 28 April 2022 (incident reporting timelines, log retention, KYC/records), and empanels the auditing organisations that perform CII and other security audits.
- Sectoral regulators overlay their own mandates - RBI's cyber security framework and the SAR/CSITE guidance for banks and NBFCs, SEBI's CSCRF for market infrastructure institutions and intermediaries, IRDAI's information and cyber security guidelines for insurers, and CEA/DoT/TRAI directions for power and telecom.
- ISO/IEC 27001 and, for OT, IEC 62443 provide the international management-system and industrial-control baselines that a CII audit will often reference as evidence.
Who must comply
The obligation attaches to any organisation that owns or operates a computer resource notified as CII or declared a 'protected system'. NCIIPC identifies CII across the nation's Critical Sectors. The precise list evolves, but the recognised Critical Sectors are the anchor for scoping.
| Critical Sector | Illustrative CII assets | Primary sectoral overlay |
|---|---|---|
| Power & Energy | SCADA/EMS at load despatch centres, generation DCS, substation automation, market operator systems | CEA Cyber Security Guidelines, CERC |
| Banking, Financial Services & Insurance | Core banking, payment switches (UPI/RTGS/NEFT/IMPS gateways), CCIL/depository/exchange systems | RBI, SEBI CSCRF, IRDAI |
| Telecommunications | Core network, HLR/HSS, OSS/BSS, national long-distance and internet exchange infrastructure | DoT, TRAI, licence conditions |
| Transport | Railway signalling & train control, ATC/air-traffic systems, port and maritime control, metro SCADA | Ministry of Railways, AAI, DGCA |
| Government / Strategic & Public Enterprises | National ID and welfare delivery platforms, tax and customs systems, e-governance backbones | MeitY, respective ministries |
| Health | Hospital information systems, national health stack components, medical device networks in notified facilities | MoHFW, ABDM |
| Water / Strategic industries | Water treatment SCADA, defence-adjacent manufacturing, space and nuclear-adjacent (as notified) | Respective ministries |
Who inside the organisation is accountable
- The organisation's Board and CEO carry ultimate accountability for protecting notified CII.
- A designated CISO must be appointed and, for notified entities, is the point of contact to NCIIPC and CERT-In.
- Each notified 'protected system' should have a named system owner and, per NCIIPC's model, the organisation appoints a Chief Information Security Officer and maintains a defined point of contact (nodal officer) for NCIIPC coordination.
- Managed service providers, OEMs and cloud providers operating in-scope infrastructure inherit contractual obligations flowed down from the notified entity.
Structure of the NCIIPC CII Audit
NCIIPC's protection guidelines are organised into control domains that together cover governance, technical protection, detection, response and resilience. The audit assesses each domain. The table below sets out the domain structure used to frame a CII audit; the exact numbering follows the current NCIIPC guidelines, but the families below reflect their substance and are the practical basis for the master checklist in the next section.
| Domain | Focus of assessment | Representative control families |
|---|---|---|
| D1. Governance & Risk Management | Ownership, policy, risk assessment, CII identification | Security policy; CII inventory; risk assessment; roles |
| D2. Identification & Classification of CII | Correct identification, criticality rating, notification | Asset inventory; interdependency mapping; criticality tiers |
| D3. Access Control & Identity | Who can touch CII and how | IAM; PAM; MFA; segregation of duties; remote access |
| D4. Network Security & Architecture | Segmentation, boundary defence, IT/OT separation | Zoning; firewalls; DMZ; secure remote access; wireless |
| D5. Application & Data Security | Secure development, data protection, cryptography | SSDLC; input validation; encryption; DLP; data classification |
| D6. Endpoint, Server & OT/ICS Security | Hardening of hosts and industrial systems | Baseline hardening; patching; AV/EDR; ICS-specific controls |
| D7. Security Monitoring & Threat Detection | Logging, SOC, threat intelligence, RVDP | SIEM; log retention; use cases; NCIIPC threat feeds; vuln disclosure |
| D8. Incident Management & Reporting | Detect, respond, mandatory reporting to NCIIPC/CERT-In | IR plan; playbooks; forensic readiness; reporting timelines |
| D9. Business Continuity & Resilience | Availability, DR, crisis management | BCP/DR; backups; RTO/RPO; cyber crisis management plan |
| D10. Supply Chain & Third-Party Security | OEM, MSP, cloud and vendor risk | Vendor assessment; SBOM; secure procurement; flow-down |
| D11. Physical & Environmental Security | Protection of facilities housing CII | Perimeter; access; environmental; media handling |
| D12. Awareness, Training & Personnel Security | People risk | Background checks; role-based training; drills; insider threat |
Master assessment checklist
This is the operational heart of the audit. Each control family below has a short intent statement, an evidence-oriented verification table, and specific notes for OT/ICS where relevant. Auditors should treat 'What to verify' as the assertion and 'Typical evidence' as the artefacts that substantiate it. Implementers should read the same tables as a build-and-document specification. No family is optional; where a family is not applicable to a given notified system, that non-applicability must itself be documented and justified.
D1 - Governance & Risk Management
Intent: leadership has established a CII protection programme with clear ownership, an approved policy set, and a living risk assessment tied to the notified systems.
| What to verify | Typical evidence |
|---|---|
| A board/senior-management-approved information & cyber security policy exists and covers CII explicitly | Signed policy, board minutes, review dates |
| A CISO and CII nodal officer are formally appointed with defined authority | Appointment letters, RACI, org chart |
| A documented risk assessment methodology is applied to notified CII | Risk methodology doc, risk register with CII assets, treatment plans |
| Risk acceptance decisions are made at an appropriate level and re-reviewed | Risk acceptance records with owner, date, review trigger |
| Security objectives and KPIs are set and tracked to management | Metrics dashboard, management review minutes |
| Compliance obligations (IT Act 70A/70, CERT-In directions, sector regulator) are mapped | Legal/compliance register mapping obligations to controls |
D2 - Identification & Classification of CII
Intent: the organisation has correctly identified which of its assets constitute CII, mapped interdependencies, and completed notification. Mis-scoping here invalidates everything downstream.
| What to verify | Typical evidence |
|---|---|
| A complete inventory of information assets exists and CII is distinguished from non-CII | Asset register, CII tagging, last-updated timestamp |
| Criticality assessment uses a defined rating (impact on national security/economy/public safety) | Criticality scoring matrix, rationale per asset |
| Interdependencies and single points of failure are mapped (upstream/downstream, IT-OT) | Dependency diagrams, interconnection register |
| Notified 'protected systems' are recorded and Section 70 notification is on file | Government notification/gazette reference, correspondence with NCIIPC |
| Changes to CII scope trigger re-assessment and re-notification where required | Change records, re-scoping reviews |
| Data flows into and out of CII are documented | Data-flow diagrams, integration inventory |
D3 - Access Control & Identity
Intent: access to CII is least-privilege, strongly authenticated, individually accountable, and privileged access is tightly governed.
| What to verify | Typical evidence |
|---|---|
| Identity lifecycle (joiner/mover/leaver) is enforced for CII access | IAM records, access request/approval tickets, revocation logs |
| Multi-factor authentication protects all administrative and remote CII access | MFA configuration, exception register |
| Privileged access is managed via PAM with session recording and just-in-time where feasible | PAM policy, vaulted credential list, session logs |
| Segregation of duties prevents toxic combinations | SoD matrix, review of conflicting roles |
| Access is reviewed and recertified periodically | Recertification campaign records with sign-off |
| Default/shared/vendor accounts are removed or individually controlled | Account inventory, evidence of default-credential remediation |
| Remote and third-party access is brokered, time-bound and logged | Jump-host config, VPN/ZTNA policy, vendor access logs |
D4 - Network Security & Architecture
Intent: the network is segmented so that a compromise cannot spread freely into CII, IT and OT are separated, and boundaries are actively defended. This domain carries special weight for OT-heavy sectors.
| What to verify | Typical evidence |
|---|---|
| Network is zoned (e.g., Purdue/IEC 62443 zones & conduits) with CII in protected segments | Network architecture diagram, zone/conduit register |
| IT and OT networks are separated with a controlled DMZ/data diode where appropriate | OT DMZ design, firewall rules, data-diode records |
| Firewall rule-bases follow default-deny and are reviewed for stale rules | Rule-base export, rule-review reports |
| Ingress/egress from CII is restricted and monitored | Egress filtering config, IDS/IPS placement |
| Wireless and dial-up/legacy links into CII are eliminated or hardened | Wireless survey, modem/backdoor decommissioning records |
| Secure remote access to OT uses brokered, monitored pathways only | OT remote-access architecture, vendor access approvals |
D5 - Application & Data Security
Intent: software touching CII is built and maintained securely, and sensitive data is classified, encrypted and protected against exfiltration.
| What to verify | Typical evidence |
|---|---|
| A secure SDLC (SSDLC) governs in-house and bespoke CII applications | SSDLC policy, threat models, secure code review records |
| Applications undergo security testing before and after go-live (VAPT) | VAPT reports, remediation tracker, retest evidence |
| Data is classified and handled per classification | Data classification policy, labelling evidence |
| Data at rest and in transit is encrypted with approved algorithms and key management | Crypto standard, TLS config, KMS/HSM records |
| Data loss prevention controls apply to CII-linked data | DLP policy and alerts, egress controls |
| Input validation, output encoding and secure config protect against OWASP-class flaws | Code review, WAF config, SAST/DAST reports |
D6 - Endpoint, Server & OT/ICS Security
Intent: hosts - IT servers, workstations, and industrial devices (PLC/RTU/DCS/HMI) - are hardened, patched (or compensated), and protected against malware, recognising that OT patching windows are constrained.
| What to verify | Typical evidence |
|---|---|
| Hardening baselines (CIS/vendor/IEC 62443) are applied and drift is detected | Baseline standard, config-compliance scan results |
| A patch/vulnerability management process covers IT and OT with risk-based SLAs | Patch policy, patch status reports, OT compensating-control records |
| Endpoint protection (AV/EDR) is deployed where supported; application whitelisting on OT | EDR coverage report, whitelisting config on HMIs/engineering stations |
| Removable media into OT is controlled and scanned | Media control policy, kiosk/scanning logs |
| ICS-specific controls (safe backups of PLC logic, change control on controllers) exist | PLC project backups, controller change-approval records |
| Legacy/unsupported systems are inventoried with a remediation or isolation plan | EoL inventory, isolation/virtual-patch evidence |
D7 - Security Monitoring & Threat Detection
Intent: security-relevant events from CII are collected, retained and analysed; detection use-cases are tuned to CII threats; and the organisation consumes NCIIPC threat intelligence and participates in the RVDP.
| What to verify | Typical evidence |
|---|---|
| Centralised logging/SIEM ingests CII and security-device logs | SIEM source inventory, log-coverage matrix |
| Log retention meets CERT-In directions (180 days) and sector requirements | Retention configuration, storage evidence |
| Time synchronisation uses NIC/NPL-referenced NTP as directed by CERT-In | NTP configuration pointing to approved sources |
| Detection use-cases cover CII-relevant TTPs including OT threats | Use-case catalogue, alert-tuning records |
| NCIIPC advisories and threat feeds are ingested and actioned | Advisory tracker, IOC ingestion evidence |
| A Responsible Vulnerability Disclosure route is defined and triaged | RVDP process, vulnerability intake and closure records |
D8 - Incident Management & Reporting
Intent: the organisation can detect, contain, eradicate and recover from incidents, preserve evidence, and meet mandatory reporting duties to NCIIPC and CERT-In within prescribed timelines.
| What to verify | Typical evidence |
|---|---|
| An incident response plan with severity classification and playbooks exists | IR plan, playbooks (ransomware, OT compromise, data breach) |
| Reportable incidents are reported to CERT-In within 6 hours and to NCIIPC as required | Reporting SOP, sample incident-report submissions and acknowledgements |
| Forensic readiness preserves logs and images for investigation | Forensic procedure, chain-of-custody records |
| Incidents are tracked to closure with root-cause and lessons learned | Incident register, RCA reports, corrective-action tracker |
| IR is exercised through tabletop and technical drills | Exercise reports, participation records |
| A defined communication protocol with NCIIPC (nodal officer) is maintained | Contact-point records, NCIIPC correspondence log |
D9 - Business Continuity & Resilience
Intent: CII availability is protected through resilient design, tested backups, and a cyber crisis management plan; recovery objectives are defined and validated.
| What to verify | Typical evidence |
|---|---|
| A business continuity and disaster recovery plan covers CII with defined RTO/RPO | BCP/DR documents, business impact analysis |
| Backups are taken, protected (immutable/offline) and restore-tested | Backup schedules, restore-test logs |
| A Cyber Crisis Management Plan (CCMP) aligned to national guidance exists | CCMP document, escalation matrix |
| DR is exercised, including failover of critical CII services | DR drill reports, RTO/RPO achievement evidence |
| Redundancy and single-point-of-failure mitigation are in place | Architecture redundancy evidence, SPOF register with mitigations |
D10 - Supply Chain & Third-Party Security
Intent: OEMs, MSPs, cloud providers and other vendors touching CII are assessed, contractually bound, and monitored; software provenance is understood.
| What to verify | Typical evidence |
|---|---|
| Third parties with CII access/impact are inventoried and risk-rated | Vendor register, criticality tiering |
| Security requirements and NCIIPC/CERT-In flow-downs are in contracts | Contract clauses, DPAs, right-to-audit terms |
| Vendor security is assessed before onboarding and periodically | Vendor assessment reports, re-assessment schedule |
| Software/firmware provenance and integrity are verified (SBOM where feasible) | SBOMs, code-signing verification, secure-update records |
| Cloud services hosting CII meet localisation and security expectations | Cloud config reviews, data-residency evidence |
D11 - Physical & Environmental Security
Intent: facilities housing CII - data centres, control rooms, substations, plant floors - are physically protected and environmentally controlled.
| What to verify | Typical evidence |
|---|---|
| Physical access to CII areas is restricted, logged and reviewed | Access-control logs, visitor records, area classification |
| Control rooms and equipment rooms have surveillance and intrusion detection | CCTV coverage map, alarm records |
| Environmental controls (power, cooling, fire) protect availability | UPS/generator tests, cooling and fire-suppression records |
| Media and equipment disposal is secure | Media sanitisation/destruction certificates |
D12 - Awareness, Training & Personnel Security
Intent: people who operate and protect CII are vetted, trained for their role, and the insider-threat risk is managed.
| What to verify | Typical evidence |
|---|---|
| Background verification is performed for personnel with CII access | BGV records, re-verification policy |
| Role-based security training (incl. OT operators, developers) is delivered | Training records, curriculum, completion rates |
| Phishing simulations and awareness campaigns are run | Campaign results, trend metrics |
| Insider-threat indicators are monitored with defined response | Insider-threat programme doc, UEBA/monitoring evidence |
| Confidentiality/acceptable-use agreements are signed | Signed agreements register |
Scoping the audit
Correct scoping is the single biggest determinant of a useful CII audit. The scope is anchored on the notified CII, then expanded to every system that can affect the confidentiality, integrity or availability of that CII.
- Confirm the notification: obtain the Section 70 'protected system' notification(s) and the NCIIPC identification correspondence to fix the authoritative list of CII assets.
- Draw the boundary: include the CII itself plus all directly connected and supporting systems (identity providers, jump hosts, backup infrastructure, monitoring, network devices, engineering stations).
- Map interdependencies: add upstream/downstream dependencies and shared services that, if compromised, cascade into CII.
- Include OT and IT: for cyber-physical sectors, explicitly bring control systems (PLC/RTU/DCS/HMI/SCADA) and the IT/OT boundary into scope.
- Include third parties: bring in MSPs, cloud tenancies and OEM remote-access paths that touch in-scope systems.
- Document exclusions: any exclusion must be justified in writing and agreed with the audit sponsor; unjustified narrowing is itself a finding.
- Fix the assessment period: define the time window for evidence (typically the preceding 12 months for recurring controls).
Implementation approach
For implementers preparing a notified system, a phased programme de-risks the audit and spreads effort over a realistic horizon. Each phase below lists activities and the deliverables an auditor will later expect to see.
Phase 1 - Identify & Govern (Weeks 0-6)
- Activities: appoint CISO and NCIIPC nodal officer; confirm CII notification status; establish the CII asset inventory and criticality rating; approve the security policy set; stand up the risk register.
- Deliverables: CII inventory with criticality tiers; approved policy suite; RACI and appointment letters; initial risk assessment; compliance obligation map (IT Act, CERT-In directions, sector regulator).
Phase 2 - Assess & Prioritise (Weeks 4-12)
- Activities: run a gap assessment against the D1-D12 domains; conduct VAPT and OT/ICS security assessment; map interdependencies and single points of failure; rate residual risk.
- Deliverables: gap-assessment report with domain scoring; VAPT and OT assessment reports; interdependency diagrams; prioritised remediation roadmap with owners and dates.
Phase 3 - Remediate & Harden (Weeks 8-24)
- Activities: implement segmentation and IT/OT separation; deploy MFA and PAM; harden hosts and controllers; stand up or tune the SIEM/SOC; close high-risk VAPT findings; formalise IR and BCP/DR.
- Deliverables: updated architecture with zones/conduits; PAM and MFA rollout evidence; hardening compliance reports; SIEM use-case catalogue; IR plan and playbooks; BCP/DR and CCMP.
Phase 4 - Operationalise & Report (Weeks 20-32)
- Activities: establish continuous monitoring; ingest NCIIPC advisories; run drills (IR tabletop, DR failover, phishing); configure CERT-In-compliant logging, NTP and 6-hour incident reporting workflow; deliver role-based training.
- Deliverables: monitoring dashboards and KPIs; drill reports; advisory-action tracker; incident-reporting SOP with test submissions; training completion records.
Phase 5 - Audit & Improve (Ongoing)
- Activities: engage a CERT-In empanelled auditor for the formal CII audit; remediate findings; re-audit high-risk items; feed lessons into the risk register; sustain the programme through periodic reviews and re-audits.
- Deliverables: audit report and management response; corrective-action plan with closure evidence; annual re-assessment schedule; continuous-improvement records.
Maturity and capability scoring model
NCIIPC evaluates the cyber security posture of CII and increasingly frames results in maturity terms. A five-level maturity scale gives both auditor and implementer a common language for rating each domain and setting improvement targets. Ratings should be assigned per domain (D1-D12) and rolled up to an overall posture.
| Level | Name | Description | Typical characteristics |
|---|---|---|---|
| L1 | Initial | Controls absent or ad hoc | No CII inventory, undocumented processes, reactive only |
| L2 | Developing | Controls partially defined, inconsistently applied | Policies exist on paper, patchy MFA/segmentation, limited logging |
| L3 | Defined | Controls documented and applied consistently across CII | Full CII inventory, IT/OT separation, SIEM live, IR plan tested |
| L4 | Managed | Controls measured and governed with metrics | KPIs tracked, recertification enforced, drills routine, advisories actioned |
| L5 | Optimised | Controls continuously improved and threat-informed | Threat-informed defence, automation, red-teaming, sub-6h reporting proven |
Findings within the audit should additionally carry a risk rating so that remediation can be prioritised independently of maturity.
| Risk rating | Meaning | Expected remediation window |
|---|---|---|
| Critical | Direct, exploitable path to compromise CII availability/integrity | Immediate / emergency change |
| High | Significant weakness with likely material impact | 30 days |
| Medium | Weakness with moderate impact or requiring chained conditions | 90 days |
| Low | Minor weakness / best-practice deviation | Next planned cycle |
Assessment and audit approach
A defensible CII audit follows a structured lifecycle. The steps below are what a CERT-In empanelled audit team should execute and what an internal team should mirror when self-assessing.
- Engagement & scoping: agree scope against the notified CII, confirm the assessment period, and issue the audit plan and evidence-request list.
- Documentation review: examine policies, inventories, risk assessments, architecture and prior audit reports to build the control expectation baseline.
- Design assessment: for each D1-D12 control family, evaluate whether the control is designed to meet the objective.
- Operating-effectiveness testing: sample records over the assessment period to confirm controls operate as designed (access recertifications, patch cycles, incident reports, drills).
- Technical validation: perform or review VAPT, configuration reviews, and OT/ICS assessments; validate segmentation and monitoring empirically, not just on paper.
- Interviews & walkthroughs: interview the CISO, SOC, OT engineers and asset owners; walk through incident and recovery procedures.
- Findings & rating: record findings with maturity and risk ratings, root cause and recommended remediation.
- Reporting: deliver a draft report, hold a closing meeting, incorporate management responses, and issue the final signed report.
- Remediation & re-test: track corrective actions to closure and re-test critical/high findings before sign-off.
- Regulatory interface: support submission of results to NCIIPC and the relevant sectoral regulator where required, and schedule the next re-audit.
Evidence request list
The following categorised list is the evidence pack an auditor will request and an implementer should assemble in advance.
- Governance: security policy suite; board/management approval minutes; CISO and nodal-officer appointments; risk methodology and register; management review records.
- Scope & assets: CII asset inventory with criticality; Section 70 notification; interdependency and data-flow diagrams; network architecture with zones/conduits.
- Access & identity: IAM records; joiner/mover/leaver tickets; access recertification campaigns; PAM policy and session logs; MFA configuration; remote/vendor access logs.
- Network & infrastructure: firewall rule-base exports and review reports; IT/OT segmentation design; wireless survey; egress-filtering config; IDS/IPS placement.
- Application & data: SSDLC policy; VAPT and SAST/DAST reports with remediation trackers; data classification policy; crypto standard and TLS/KMS/HSM evidence; DLP alerts.
- Endpoint & OT: hardening baselines and compliance scans; patch reports and OT compensating controls; EDR coverage; application-whitelisting config; PLC/controller backups and change records; EoL inventory.
- Monitoring & detection: SIEM source inventory and log-coverage matrix; retention config (180-day); NTP config; use-case catalogue; NCIIPC advisory-action tracker; RVDP records.
- Incident & continuity: IR plan and playbooks; sample CERT-In/NCIIPC incident submissions and acknowledgements; forensic and chain-of-custody procedures; incident register and RCAs; BCP/DR and CCMP; backup and DR drill reports.
- Supply chain: vendor register and risk ratings; contracts with security and flow-down clauses; vendor assessments; SBOMs; cloud data-residency evidence.
- Physical & people: physical access logs; CCTV coverage; environmental test records; BGV records; training completion; phishing-simulation results; signed acceptable-use/confidentiality agreements.
Roles and responsibilities
| Role | Responsibility in the CII audit |
|---|---|
| Board / CEO | Ultimate accountability; approve policy and budget; own residual risk |
| CISO | Own the CII protection programme; primary NCIIPC/CERT-In interface; drive remediation |
| NCIIPC Nodal Officer | Maintain the coordination channel with NCIIPC; handle advisories and incident reporting |
| CII / System Owner | Accountable for a specific notified system's security and evidence |
| SOC / Monitoring Lead | Operate logging, detection, threat-intel ingestion and incident detection |
| OT / Plant Engineering Lead | Secure control systems, manage OT patching and change control |
| IR Manager | Run incident response, forensic readiness and mandatory reporting |
| BCP/DR Coordinator | Maintain and exercise continuity, backups and the CCMP |
| Procurement / Vendor Manager | Enforce security clauses, flow-downs and vendor assessments |
| Internal Audit | Independent assurance and interface with the empanelled external auditor |
| CERT-In Empanelled Auditor | Perform the independent CII audit and issue the report |
KPIs to track
- Percentage of notified CII assets with complete, current inventory and criticality rating.
- MFA and PAM coverage across privileged and remote CII access (target 100%).
- Mean time to detect and mean time to respond for CII-affecting incidents.
- Percentage of CERT-In-reportable incidents reported within the 6-hour window.
- Patch/vulnerability SLA adherence for critical and high findings (IT and OT separately).
- Percentage of high/critical VAPT findings remediated within SLA.
- Log-coverage ratio (in-scope sources logging to SIEM) and retention compliance (180-day).
- Backup restore-test success rate and DR RTO/RPO achievement.
- NCIIPC advisory action-closure rate and time-to-action.
- Access-recertification completion rate per cycle.
- Security-training completion and phishing-simulation failure trend.
- Vendor assessment coverage and overdue re-assessment count.
- Domain maturity scores (D1-D12) trend over successive assessments.
Readiness checklist
- CISO and NCIIPC nodal officer are formally appointed with documented authority
- CII assets are inventoried, criticality-rated and Section 70 notification is on file
- Board-approved security policy suite covers CII explicitly
- Risk assessment covers all notified CII with treatment plans and accepted-risk records
- IT and OT networks are segmented with a controlled boundary/DMZ
- MFA protects all administrative and remote CII access; PAM governs privileged access
- Hosts and controllers are hardened to a baseline with drift detection
- Patch/vulnerability management operates with risk-based SLAs for IT and OT
- SIEM ingests in-scope logs with 180-day retention and NIC/NPL-referenced NTP
- NCIIPC advisories and threat feeds are ingested and actioned
- IR plan, playbooks and a tested 6-hour CERT-In reporting workflow are in place
- BCP/DR and a Cyber Crisis Management Plan exist and are exercised
- Backups are immutable/offline and restore-tested
- Third parties touching CII are assessed and contractually bound with flow-downs
- Physical, environmental and personnel (BGV, training) controls are evidenced
- Prior audit findings are remediated with closure evidence
Common gaps
- Under-scoped CII: only the flagship application is treated as CII while the identity, backup and monitoring plane that can compromise it is excluded.
- Flat networks and porous IT/OT boundaries: segmentation exists on the diagram but not in the firewall rule-base; engineering stations dual-homed to corporate IT.
- Weak privileged access: shared admin and vendor accounts, no PAM, MFA absent on remote OT access paths.
- Logging blind spots: OT and network devices not logging to the SIEM, retention below 180 days, or NTP not referenced to approved sources.
- Reporting gaps: no tested workflow to meet the CERT-In 6-hour incident reporting duty or to notify NCIIPC.
- OT patching paralysis: unsupported controllers with neither patches nor documented compensating controls or isolation.
- Untested resilience: BCP/DR and CCMP documents exist but have never been exercised; backups never restore-tested.
- Supply-chain blind spots: MSP/OEM remote access uncontrolled, no flow-down clauses, no SBOM or software-integrity verification.
- Advisory drift: NCIIPC advisories received but not tracked to closure.
- Stale inventory: CII inventory and interdependency maps not updated after major change, invalidating the risk picture.
NCIIPC CII mapped to other frameworks
CII audit domains align closely with mainstream frameworks, which lets an organisation reuse evidence and integrate assurance. The mapping below is indicative, not one-to-one; use it to build a shared control library.
| NCIIPC CII domain | ISO/IEC 27001:2022 | NIST CSF 2.0 | IEC 62443 (OT) | Sector overlay |
|---|---|---|---|---|
| D1 Governance & Risk | Cl. 5-6, A.5 | GOVERN, IDENTIFY | 62443-2-1 (CSMS) | RBI/SEBI governance clauses |
| D2 Identify & Classify CII | A.5.9, A.8.1 | IDENTIFY (Asset Mgmt) | 62443-3-2 (zones/risk) | Regulator asset scoping |
| D3 Access & Identity | A.5.15-5.18, A.8.2-8.5 | PROTECT (PR.AA) | 62443-3-3 SR 1.x | RBI access controls |
| D4 Network Security | A.8.20-8.22 | PROTECT (PR.IR) | 62443-3-3 SR 5.x, 3-2 | CEA network segregation |
| D5 App & Data Security | A.8.24-8.28 | PROTECT (PR.DS) | 62443-4-1/4-2 | SEBI app security |
| D6 Endpoint & OT | A.8.7-8.9, A.8.19 | PROTECT (PR.PS) | 62443-3-3 SR 3.x, 7.x | CEA OT hardening |
| D7 Monitoring & Detection | A.8.15-8.16 | DETECT | 62443-3-3 SR 6.x | CERT-In logging/NTP |
| D8 Incident & Reporting | A.5.24-5.28 | RESPOND | 62443-2-1 IR | CERT-In 6-hour reporting |
| D9 Continuity & Resilience | A.5.29-5.30, A.8.13-8.14 | RECOVER | 62443-2-1 continuity | National CCMP guidance |
| D10 Supply Chain | A.5.19-5.23 | GOVERN (GV.SC) | 62443-2-4 | Regulator vendor rules |
| D11 Physical & Environmental | A.7.x | PROTECT (PR.IR) | 62443-3-3 physical | DC/plant physical security |
| D12 Awareness & Personnel | A.6.1-6.6 | PROTECT (PR.AT) | 62443-2-1 training | BGV/personnel norms |
Frequently asked questions
Need help with NCIIPC CII?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
