Knowledge Center / NCIIPC CII
NCIIPC · India

NCIIPC Critical Information Infrastructure Audit

Protection and audit of Critical Information Infrastructure in India.

Introduction: The NCIIPC Critical Information Infrastructure Audit

India's most consequential digital systems - the grids that keep the lights on, the payment rails that clear billions of rupees a day, the signalling that moves trains, and the platforms that run banks, telecom carriers and government service delivery - are increasingly targeted by nation-state actors, ransomware crews and hacktivist collectives. The National Critical Information Infrastructure Protection Centre (NCIIPC), the nodal agency constituted under Section 70A of the Information Technology Act, 2000, exists to protect these systems. The NCIIPC Critical Information Infrastructure (CII) Audit is the formal assurance mechanism by which an organisation demonstrates that its notified Critical Information Infrastructure meets NCIIPC's protection expectations.

This guide is written for two audiences at once. If you are the auditor or assessor - a CERT-In empanelled auditing organisation, an internal audit lead, or a third-party assessor - it gives you a control-by-control assessment map, evidence expectations, a scoring model and a defensible audit lifecycle. If you are the implementer - the CISO, the plant OT engineer, the SOC lead, or the product/architecture team of a designated Critical Sector entity - it tells you exactly what to build, what to document and how to prepare so the audit is a formality rather than a firefight. Throughout, we distinguish between what NCIIPC and CERT-In require, what is good practice, and what merely helps.

On sources and copyright
NCIIPC publishes its 'Guidelines for Protection of Critical Information Infrastructure', the 'Framework for Evaluating Cyber Security in CII', sector-specific guidance and periodic advisories. Those documents are the authoritative reference and are subject to NCIIPC's own copyright and distribution terms. This guide is original CyberSigma analysis and explanation written to help you prepare; it paraphrases and interprets the scheme and does not reproduce NCIIPC's protected text. Always audit against the current official NCIIPC guidelines, the CERT-In empanelment audit requirements, the applicable sectoral regulator's directions (RBI, SEBI, IRDAI, CERT-In, TRAI/DoT, CEA) and the specific notification issued for your organisation. Where this guide and an official document differ, the official document governs.

What is the NCIIPC CII Audit

Critical Information Infrastructure is defined in the IT Act as 'those computer resources, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety'. NCIIPC is the national nodal agency for CII protection and is administratively part of the National Technical Research Organisation (NTRO). A CII notification is a legal act: once the Central Government, on NCIIPC's recommendation, declares a computer resource to be 'protected system' under Section 70 of the IT Act, unauthorised access to it attracts enhanced penalties, and the operating entity inherits specific protection obligations.

The NCIIPC CII Audit is the assurance activity that verifies those obligations are met. It is not a single fixed checklist like a product certification; it is a risk-and-control assessment framed by NCIIPC's guidelines and delivered through the CERT-In empanelment audit ecosystem. In practice a CII audit blends several things: verification that the entity has correctly identified and notified its CII; assessment of the security controls protecting that CII against NCIIPC's guideline domains; validation of the organisation's incident detection, reporting and response capability (including the mandatory reporting of incidents to NCIIPC and CERT-In); and confirmation of governance, resilience and supply-chain controls. The output is an audit report with findings, risk ratings and a remediation roadmap, plus - increasingly - a maturity rating.

How it relates to the wider Indian assurance ecosystem

  • NCIIPC sets CII-specific protection guidelines and evaluates cyber security posture of CII; it operates threat intelligence sharing, issues advisories, and runs the Responsible Vulnerability Disclosure Programme (RVDP) and the National Cyber Coordination effort for CII.
  • CERT-In is the national CERT and issues the Cyber Security Directions of 28 April 2022 (incident reporting timelines, log retention, KYC/records), and empanels the auditing organisations that perform CII and other security audits.
  • Sectoral regulators overlay their own mandates - RBI's cyber security framework and the SAR/CSITE guidance for banks and NBFCs, SEBI's CSCRF for market infrastructure institutions and intermediaries, IRDAI's information and cyber security guidelines for insurers, and CEA/DoT/TRAI directions for power and telecom.
  • ISO/IEC 27001 and, for OT, IEC 62443 provide the international management-system and industrial-control baselines that a CII audit will often reference as evidence.

Who must comply

The obligation attaches to any organisation that owns or operates a computer resource notified as CII or declared a 'protected system'. NCIIPC identifies CII across the nation's Critical Sectors. The precise list evolves, but the recognised Critical Sectors are the anchor for scoping.

Critical SectorIllustrative CII assetsPrimary sectoral overlay
Power & EnergySCADA/EMS at load despatch centres, generation DCS, substation automation, market operator systemsCEA Cyber Security Guidelines, CERC
Banking, Financial Services & InsuranceCore banking, payment switches (UPI/RTGS/NEFT/IMPS gateways), CCIL/depository/exchange systemsRBI, SEBI CSCRF, IRDAI
TelecommunicationsCore network, HLR/HSS, OSS/BSS, national long-distance and internet exchange infrastructureDoT, TRAI, licence conditions
TransportRailway signalling & train control, ATC/air-traffic systems, port and maritime control, metro SCADAMinistry of Railways, AAI, DGCA
Government / Strategic & Public EnterprisesNational ID and welfare delivery platforms, tax and customs systems, e-governance backbonesMeitY, respective ministries
HealthHospital information systems, national health stack components, medical device networks in notified facilitiesMoHFW, ABDM
Water / Strategic industriesWater treatment SCADA, defence-adjacent manufacturing, space and nuclear-adjacent (as notified)Respective ministries

Who inside the organisation is accountable

  • The organisation's Board and CEO carry ultimate accountability for protecting notified CII.
  • A designated CISO must be appointed and, for notified entities, is the point of contact to NCIIPC and CERT-In.
  • Each notified 'protected system' should have a named system owner and, per NCIIPC's model, the organisation appoints a Chief Information Security Officer and maintains a defined point of contact (nodal officer) for NCIIPC coordination.
  • Managed service providers, OEMs and cloud providers operating in-scope infrastructure inherit contractual obligations flowed down from the notified entity.

Structure of the NCIIPC CII Audit

NCIIPC's protection guidelines are organised into control domains that together cover governance, technical protection, detection, response and resilience. The audit assesses each domain. The table below sets out the domain structure used to frame a CII audit; the exact numbering follows the current NCIIPC guidelines, but the families below reflect their substance and are the practical basis for the master checklist in the next section.

DomainFocus of assessmentRepresentative control families
D1. Governance & Risk ManagementOwnership, policy, risk assessment, CII identificationSecurity policy; CII inventory; risk assessment; roles
D2. Identification & Classification of CIICorrect identification, criticality rating, notificationAsset inventory; interdependency mapping; criticality tiers
D3. Access Control & IdentityWho can touch CII and howIAM; PAM; MFA; segregation of duties; remote access
D4. Network Security & ArchitectureSegmentation, boundary defence, IT/OT separationZoning; firewalls; DMZ; secure remote access; wireless
D5. Application & Data SecuritySecure development, data protection, cryptographySSDLC; input validation; encryption; DLP; data classification
D6. Endpoint, Server & OT/ICS SecurityHardening of hosts and industrial systemsBaseline hardening; patching; AV/EDR; ICS-specific controls
D7. Security Monitoring & Threat DetectionLogging, SOC, threat intelligence, RVDPSIEM; log retention; use cases; NCIIPC threat feeds; vuln disclosure
D8. Incident Management & ReportingDetect, respond, mandatory reporting to NCIIPC/CERT-InIR plan; playbooks; forensic readiness; reporting timelines
D9. Business Continuity & ResilienceAvailability, DR, crisis managementBCP/DR; backups; RTO/RPO; cyber crisis management plan
D10. Supply Chain & Third-Party SecurityOEM, MSP, cloud and vendor riskVendor assessment; SBOM; secure procurement; flow-down
D11. Physical & Environmental SecurityProtection of facilities housing CIIPerimeter; access; environmental; media handling
D12. Awareness, Training & Personnel SecurityPeople riskBackground checks; role-based training; drills; insider threat

Master assessment checklist

This is the operational heart of the audit. Each control family below has a short intent statement, an evidence-oriented verification table, and specific notes for OT/ICS where relevant. Auditors should treat 'What to verify' as the assertion and 'Typical evidence' as the artefacts that substantiate it. Implementers should read the same tables as a build-and-document specification. No family is optional; where a family is not applicable to a given notified system, that non-applicability must itself be documented and justified.

D1 - Governance & Risk Management

Intent: leadership has established a CII protection programme with clear ownership, an approved policy set, and a living risk assessment tied to the notified systems.

What to verifyTypical evidence
A board/senior-management-approved information & cyber security policy exists and covers CII explicitlySigned policy, board minutes, review dates
A CISO and CII nodal officer are formally appointed with defined authorityAppointment letters, RACI, org chart
A documented risk assessment methodology is applied to notified CIIRisk methodology doc, risk register with CII assets, treatment plans
Risk acceptance decisions are made at an appropriate level and re-reviewedRisk acceptance records with owner, date, review trigger
Security objectives and KPIs are set and tracked to managementMetrics dashboard, management review minutes
Compliance obligations (IT Act 70A/70, CERT-In directions, sector regulator) are mappedLegal/compliance register mapping obligations to controls

D2 - Identification & Classification of CII

Intent: the organisation has correctly identified which of its assets constitute CII, mapped interdependencies, and completed notification. Mis-scoping here invalidates everything downstream.

What to verifyTypical evidence
A complete inventory of information assets exists and CII is distinguished from non-CIIAsset register, CII tagging, last-updated timestamp
Criticality assessment uses a defined rating (impact on national security/economy/public safety)Criticality scoring matrix, rationale per asset
Interdependencies and single points of failure are mapped (upstream/downstream, IT-OT)Dependency diagrams, interconnection register
Notified 'protected systems' are recorded and Section 70 notification is on fileGovernment notification/gazette reference, correspondence with NCIIPC
Changes to CII scope trigger re-assessment and re-notification where requiredChange records, re-scoping reviews
Data flows into and out of CII are documentedData-flow diagrams, integration inventory

D3 - Access Control & Identity

Intent: access to CII is least-privilege, strongly authenticated, individually accountable, and privileged access is tightly governed.

What to verifyTypical evidence
Identity lifecycle (joiner/mover/leaver) is enforced for CII accessIAM records, access request/approval tickets, revocation logs
Multi-factor authentication protects all administrative and remote CII accessMFA configuration, exception register
Privileged access is managed via PAM with session recording and just-in-time where feasiblePAM policy, vaulted credential list, session logs
Segregation of duties prevents toxic combinationsSoD matrix, review of conflicting roles
Access is reviewed and recertified periodicallyRecertification campaign records with sign-off
Default/shared/vendor accounts are removed or individually controlledAccount inventory, evidence of default-credential remediation
Remote and third-party access is brokered, time-bound and loggedJump-host config, VPN/ZTNA policy, vendor access logs

D4 - Network Security & Architecture

Intent: the network is segmented so that a compromise cannot spread freely into CII, IT and OT are separated, and boundaries are actively defended. This domain carries special weight for OT-heavy sectors.

What to verifyTypical evidence
Network is zoned (e.g., Purdue/IEC 62443 zones & conduits) with CII in protected segmentsNetwork architecture diagram, zone/conduit register
IT and OT networks are separated with a controlled DMZ/data diode where appropriateOT DMZ design, firewall rules, data-diode records
Firewall rule-bases follow default-deny and are reviewed for stale rulesRule-base export, rule-review reports
Ingress/egress from CII is restricted and monitoredEgress filtering config, IDS/IPS placement
Wireless and dial-up/legacy links into CII are eliminated or hardenedWireless survey, modem/backdoor decommissioning records
Secure remote access to OT uses brokered, monitored pathways onlyOT remote-access architecture, vendor access approvals

D5 - Application & Data Security

Intent: software touching CII is built and maintained securely, and sensitive data is classified, encrypted and protected against exfiltration.

What to verifyTypical evidence
A secure SDLC (SSDLC) governs in-house and bespoke CII applicationsSSDLC policy, threat models, secure code review records
Applications undergo security testing before and after go-live (VAPT)VAPT reports, remediation tracker, retest evidence
Data is classified and handled per classificationData classification policy, labelling evidence
Data at rest and in transit is encrypted with approved algorithms and key managementCrypto standard, TLS config, KMS/HSM records
Data loss prevention controls apply to CII-linked dataDLP policy and alerts, egress controls
Input validation, output encoding and secure config protect against OWASP-class flawsCode review, WAF config, SAST/DAST reports

D6 - Endpoint, Server & OT/ICS Security

Intent: hosts - IT servers, workstations, and industrial devices (PLC/RTU/DCS/HMI) - are hardened, patched (or compensated), and protected against malware, recognising that OT patching windows are constrained.

What to verifyTypical evidence
Hardening baselines (CIS/vendor/IEC 62443) are applied and drift is detectedBaseline standard, config-compliance scan results
A patch/vulnerability management process covers IT and OT with risk-based SLAsPatch policy, patch status reports, OT compensating-control records
Endpoint protection (AV/EDR) is deployed where supported; application whitelisting on OTEDR coverage report, whitelisting config on HMIs/engineering stations
Removable media into OT is controlled and scannedMedia control policy, kiosk/scanning logs
ICS-specific controls (safe backups of PLC logic, change control on controllers) existPLC project backups, controller change-approval records
Legacy/unsupported systems are inventoried with a remediation or isolation planEoL inventory, isolation/virtual-patch evidence

D7 - Security Monitoring & Threat Detection

Intent: security-relevant events from CII are collected, retained and analysed; detection use-cases are tuned to CII threats; and the organisation consumes NCIIPC threat intelligence and participates in the RVDP.

What to verifyTypical evidence
Centralised logging/SIEM ingests CII and security-device logsSIEM source inventory, log-coverage matrix
Log retention meets CERT-In directions (180 days) and sector requirementsRetention configuration, storage evidence
Time synchronisation uses NIC/NPL-referenced NTP as directed by CERT-InNTP configuration pointing to approved sources
Detection use-cases cover CII-relevant TTPs including OT threatsUse-case catalogue, alert-tuning records
NCIIPC advisories and threat feeds are ingested and actionedAdvisory tracker, IOC ingestion evidence
A Responsible Vulnerability Disclosure route is defined and triagedRVDP process, vulnerability intake and closure records

D8 - Incident Management & Reporting

Intent: the organisation can detect, contain, eradicate and recover from incidents, preserve evidence, and meet mandatory reporting duties to NCIIPC and CERT-In within prescribed timelines.

What to verifyTypical evidence
An incident response plan with severity classification and playbooks existsIR plan, playbooks (ransomware, OT compromise, data breach)
Reportable incidents are reported to CERT-In within 6 hours and to NCIIPC as requiredReporting SOP, sample incident-report submissions and acknowledgements
Forensic readiness preserves logs and images for investigationForensic procedure, chain-of-custody records
Incidents are tracked to closure with root-cause and lessons learnedIncident register, RCA reports, corrective-action tracker
IR is exercised through tabletop and technical drillsExercise reports, participation records
A defined communication protocol with NCIIPC (nodal officer) is maintainedContact-point records, NCIIPC correspondence log

D9 - Business Continuity & Resilience

Intent: CII availability is protected through resilient design, tested backups, and a cyber crisis management plan; recovery objectives are defined and validated.

What to verifyTypical evidence
A business continuity and disaster recovery plan covers CII with defined RTO/RPOBCP/DR documents, business impact analysis
Backups are taken, protected (immutable/offline) and restore-testedBackup schedules, restore-test logs
A Cyber Crisis Management Plan (CCMP) aligned to national guidance existsCCMP document, escalation matrix
DR is exercised, including failover of critical CII servicesDR drill reports, RTO/RPO achievement evidence
Redundancy and single-point-of-failure mitigation are in placeArchitecture redundancy evidence, SPOF register with mitigations

D10 - Supply Chain & Third-Party Security

Intent: OEMs, MSPs, cloud providers and other vendors touching CII are assessed, contractually bound, and monitored; software provenance is understood.

What to verifyTypical evidence
Third parties with CII access/impact are inventoried and risk-ratedVendor register, criticality tiering
Security requirements and NCIIPC/CERT-In flow-downs are in contractsContract clauses, DPAs, right-to-audit terms
Vendor security is assessed before onboarding and periodicallyVendor assessment reports, re-assessment schedule
Software/firmware provenance and integrity are verified (SBOM where feasible)SBOMs, code-signing verification, secure-update records
Cloud services hosting CII meet localisation and security expectationsCloud config reviews, data-residency evidence

D11 - Physical & Environmental Security

Intent: facilities housing CII - data centres, control rooms, substations, plant floors - are physically protected and environmentally controlled.

What to verifyTypical evidence
Physical access to CII areas is restricted, logged and reviewedAccess-control logs, visitor records, area classification
Control rooms and equipment rooms have surveillance and intrusion detectionCCTV coverage map, alarm records
Environmental controls (power, cooling, fire) protect availabilityUPS/generator tests, cooling and fire-suppression records
Media and equipment disposal is secureMedia sanitisation/destruction certificates

D12 - Awareness, Training & Personnel Security

Intent: people who operate and protect CII are vetted, trained for their role, and the insider-threat risk is managed.

What to verifyTypical evidence
Background verification is performed for personnel with CII accessBGV records, re-verification policy
Role-based security training (incl. OT operators, developers) is deliveredTraining records, curriculum, completion rates
Phishing simulations and awareness campaigns are runCampaign results, trend metrics
Insider-threat indicators are monitored with defined responseInsider-threat programme doc, UEBA/monitoring evidence
Confidentiality/acceptable-use agreements are signedSigned agreements register

Scoping the audit

Correct scoping is the single biggest determinant of a useful CII audit. The scope is anchored on the notified CII, then expanded to every system that can affect the confidentiality, integrity or availability of that CII.

  1. Confirm the notification: obtain the Section 70 'protected system' notification(s) and the NCIIPC identification correspondence to fix the authoritative list of CII assets.
  2. Draw the boundary: include the CII itself plus all directly connected and supporting systems (identity providers, jump hosts, backup infrastructure, monitoring, network devices, engineering stations).
  3. Map interdependencies: add upstream/downstream dependencies and shared services that, if compromised, cascade into CII.
  4. Include OT and IT: for cyber-physical sectors, explicitly bring control systems (PLC/RTU/DCS/HMI/SCADA) and the IT/OT boundary into scope.
  5. Include third parties: bring in MSPs, cloud tenancies and OEM remote-access paths that touch in-scope systems.
  6. Document exclusions: any exclusion must be justified in writing and agreed with the audit sponsor; unjustified narrowing is itself a finding.
  7. Fix the assessment period: define the time window for evidence (typically the preceding 12 months for recurring controls).
Scoping trap to avoid
Organisations frequently scope only the 'application' declared as CII and omit the identity, backup and monitoring plane that can silently compromise it. NCIIPC's guidelines are explicit that protection must extend to the ecosystem around CII, not just the crown-jewel host. Scope to the blast radius, not the label.

Implementation approach

For implementers preparing a notified system, a phased programme de-risks the audit and spreads effort over a realistic horizon. Each phase below lists activities and the deliverables an auditor will later expect to see.

Phase 1 - Identify & Govern (Weeks 0-6)

  • Activities: appoint CISO and NCIIPC nodal officer; confirm CII notification status; establish the CII asset inventory and criticality rating; approve the security policy set; stand up the risk register.
  • Deliverables: CII inventory with criticality tiers; approved policy suite; RACI and appointment letters; initial risk assessment; compliance obligation map (IT Act, CERT-In directions, sector regulator).

Phase 2 - Assess & Prioritise (Weeks 4-12)

  • Activities: run a gap assessment against the D1-D12 domains; conduct VAPT and OT/ICS security assessment; map interdependencies and single points of failure; rate residual risk.
  • Deliverables: gap-assessment report with domain scoring; VAPT and OT assessment reports; interdependency diagrams; prioritised remediation roadmap with owners and dates.

Phase 3 - Remediate & Harden (Weeks 8-24)

  • Activities: implement segmentation and IT/OT separation; deploy MFA and PAM; harden hosts and controllers; stand up or tune the SIEM/SOC; close high-risk VAPT findings; formalise IR and BCP/DR.
  • Deliverables: updated architecture with zones/conduits; PAM and MFA rollout evidence; hardening compliance reports; SIEM use-case catalogue; IR plan and playbooks; BCP/DR and CCMP.

Phase 4 - Operationalise & Report (Weeks 20-32)

  • Activities: establish continuous monitoring; ingest NCIIPC advisories; run drills (IR tabletop, DR failover, phishing); configure CERT-In-compliant logging, NTP and 6-hour incident reporting workflow; deliver role-based training.
  • Deliverables: monitoring dashboards and KPIs; drill reports; advisory-action tracker; incident-reporting SOP with test submissions; training completion records.

Phase 5 - Audit & Improve (Ongoing)

  • Activities: engage a CERT-In empanelled auditor for the formal CII audit; remediate findings; re-audit high-risk items; feed lessons into the risk register; sustain the programme through periodic reviews and re-audits.
  • Deliverables: audit report and management response; corrective-action plan with closure evidence; annual re-assessment schedule; continuous-improvement records.

Maturity and capability scoring model

NCIIPC evaluates the cyber security posture of CII and increasingly frames results in maturity terms. A five-level maturity scale gives both auditor and implementer a common language for rating each domain and setting improvement targets. Ratings should be assigned per domain (D1-D12) and rolled up to an overall posture.

LevelNameDescriptionTypical characteristics
L1InitialControls absent or ad hocNo CII inventory, undocumented processes, reactive only
L2DevelopingControls partially defined, inconsistently appliedPolicies exist on paper, patchy MFA/segmentation, limited logging
L3DefinedControls documented and applied consistently across CIIFull CII inventory, IT/OT separation, SIEM live, IR plan tested
L4ManagedControls measured and governed with metricsKPIs tracked, recertification enforced, drills routine, advisories actioned
L5OptimisedControls continuously improved and threat-informedThreat-informed defence, automation, red-teaming, sub-6h reporting proven

Findings within the audit should additionally carry a risk rating so that remediation can be prioritised independently of maturity.

Risk ratingMeaningExpected remediation window
CriticalDirect, exploitable path to compromise CII availability/integrityImmediate / emergency change
HighSignificant weakness with likely material impact30 days
MediumWeakness with moderate impact or requiring chained conditions90 days
LowMinor weakness / best-practice deviationNext planned cycle

Assessment and audit approach

A defensible CII audit follows a structured lifecycle. The steps below are what a CERT-In empanelled audit team should execute and what an internal team should mirror when self-assessing.

  1. Engagement & scoping: agree scope against the notified CII, confirm the assessment period, and issue the audit plan and evidence-request list.
  2. Documentation review: examine policies, inventories, risk assessments, architecture and prior audit reports to build the control expectation baseline.
  3. Design assessment: for each D1-D12 control family, evaluate whether the control is designed to meet the objective.
  4. Operating-effectiveness testing: sample records over the assessment period to confirm controls operate as designed (access recertifications, patch cycles, incident reports, drills).
  5. Technical validation: perform or review VAPT, configuration reviews, and OT/ICS assessments; validate segmentation and monitoring empirically, not just on paper.
  6. Interviews & walkthroughs: interview the CISO, SOC, OT engineers and asset owners; walk through incident and recovery procedures.
  7. Findings & rating: record findings with maturity and risk ratings, root cause and recommended remediation.
  8. Reporting: deliver a draft report, hold a closing meeting, incorporate management responses, and issue the final signed report.
  9. Remediation & re-test: track corrective actions to closure and re-test critical/high findings before sign-off.
  10. Regulatory interface: support submission of results to NCIIPC and the relevant sectoral regulator where required, and schedule the next re-audit.

Evidence request list

The following categorised list is the evidence pack an auditor will request and an implementer should assemble in advance.

  • Governance: security policy suite; board/management approval minutes; CISO and nodal-officer appointments; risk methodology and register; management review records.
  • Scope & assets: CII asset inventory with criticality; Section 70 notification; interdependency and data-flow diagrams; network architecture with zones/conduits.
  • Access & identity: IAM records; joiner/mover/leaver tickets; access recertification campaigns; PAM policy and session logs; MFA configuration; remote/vendor access logs.
  • Network & infrastructure: firewall rule-base exports and review reports; IT/OT segmentation design; wireless survey; egress-filtering config; IDS/IPS placement.
  • Application & data: SSDLC policy; VAPT and SAST/DAST reports with remediation trackers; data classification policy; crypto standard and TLS/KMS/HSM evidence; DLP alerts.
  • Endpoint & OT: hardening baselines and compliance scans; patch reports and OT compensating controls; EDR coverage; application-whitelisting config; PLC/controller backups and change records; EoL inventory.
  • Monitoring & detection: SIEM source inventory and log-coverage matrix; retention config (180-day); NTP config; use-case catalogue; NCIIPC advisory-action tracker; RVDP records.
  • Incident & continuity: IR plan and playbooks; sample CERT-In/NCIIPC incident submissions and acknowledgements; forensic and chain-of-custody procedures; incident register and RCAs; BCP/DR and CCMP; backup and DR drill reports.
  • Supply chain: vendor register and risk ratings; contracts with security and flow-down clauses; vendor assessments; SBOMs; cloud data-residency evidence.
  • Physical & people: physical access logs; CCTV coverage; environmental test records; BGV records; training completion; phishing-simulation results; signed acceptable-use/confidentiality agreements.

Roles and responsibilities

RoleResponsibility in the CII audit
Board / CEOUltimate accountability; approve policy and budget; own residual risk
CISOOwn the CII protection programme; primary NCIIPC/CERT-In interface; drive remediation
NCIIPC Nodal OfficerMaintain the coordination channel with NCIIPC; handle advisories and incident reporting
CII / System OwnerAccountable for a specific notified system's security and evidence
SOC / Monitoring LeadOperate logging, detection, threat-intel ingestion and incident detection
OT / Plant Engineering LeadSecure control systems, manage OT patching and change control
IR ManagerRun incident response, forensic readiness and mandatory reporting
BCP/DR CoordinatorMaintain and exercise continuity, backups and the CCMP
Procurement / Vendor ManagerEnforce security clauses, flow-downs and vendor assessments
Internal AuditIndependent assurance and interface with the empanelled external auditor
CERT-In Empanelled AuditorPerform the independent CII audit and issue the report

KPIs to track

  • Percentage of notified CII assets with complete, current inventory and criticality rating.
  • MFA and PAM coverage across privileged and remote CII access (target 100%).
  • Mean time to detect and mean time to respond for CII-affecting incidents.
  • Percentage of CERT-In-reportable incidents reported within the 6-hour window.
  • Patch/vulnerability SLA adherence for critical and high findings (IT and OT separately).
  • Percentage of high/critical VAPT findings remediated within SLA.
  • Log-coverage ratio (in-scope sources logging to SIEM) and retention compliance (180-day).
  • Backup restore-test success rate and DR RTO/RPO achievement.
  • NCIIPC advisory action-closure rate and time-to-action.
  • Access-recertification completion rate per cycle.
  • Security-training completion and phishing-simulation failure trend.
  • Vendor assessment coverage and overdue re-assessment count.
  • Domain maturity scores (D1-D12) trend over successive assessments.

Readiness checklist

  • CISO and NCIIPC nodal officer are formally appointed with documented authority
  • CII assets are inventoried, criticality-rated and Section 70 notification is on file
  • Board-approved security policy suite covers CII explicitly
  • Risk assessment covers all notified CII with treatment plans and accepted-risk records
  • IT and OT networks are segmented with a controlled boundary/DMZ
  • MFA protects all administrative and remote CII access; PAM governs privileged access
  • Hosts and controllers are hardened to a baseline with drift detection
  • Patch/vulnerability management operates with risk-based SLAs for IT and OT
  • SIEM ingests in-scope logs with 180-day retention and NIC/NPL-referenced NTP
  • NCIIPC advisories and threat feeds are ingested and actioned
  • IR plan, playbooks and a tested 6-hour CERT-In reporting workflow are in place
  • BCP/DR and a Cyber Crisis Management Plan exist and are exercised
  • Backups are immutable/offline and restore-tested
  • Third parties touching CII are assessed and contractually bound with flow-downs
  • Physical, environmental and personnel (BGV, training) controls are evidenced
  • Prior audit findings are remediated with closure evidence

Common gaps

  • Under-scoped CII: only the flagship application is treated as CII while the identity, backup and monitoring plane that can compromise it is excluded.
  • Flat networks and porous IT/OT boundaries: segmentation exists on the diagram but not in the firewall rule-base; engineering stations dual-homed to corporate IT.
  • Weak privileged access: shared admin and vendor accounts, no PAM, MFA absent on remote OT access paths.
  • Logging blind spots: OT and network devices not logging to the SIEM, retention below 180 days, or NTP not referenced to approved sources.
  • Reporting gaps: no tested workflow to meet the CERT-In 6-hour incident reporting duty or to notify NCIIPC.
  • OT patching paralysis: unsupported controllers with neither patches nor documented compensating controls or isolation.
  • Untested resilience: BCP/DR and CCMP documents exist but have never been exercised; backups never restore-tested.
  • Supply-chain blind spots: MSP/OEM remote access uncontrolled, no flow-down clauses, no SBOM or software-integrity verification.
  • Advisory drift: NCIIPC advisories received but not tracked to closure.
  • Stale inventory: CII inventory and interdependency maps not updated after major change, invalidating the risk picture.

NCIIPC CII mapped to other frameworks

CII audit domains align closely with mainstream frameworks, which lets an organisation reuse evidence and integrate assurance. The mapping below is indicative, not one-to-one; use it to build a shared control library.

NCIIPC CII domainISO/IEC 27001:2022NIST CSF 2.0IEC 62443 (OT)Sector overlay
D1 Governance & RiskCl. 5-6, A.5GOVERN, IDENTIFY62443-2-1 (CSMS)RBI/SEBI governance clauses
D2 Identify & Classify CIIA.5.9, A.8.1IDENTIFY (Asset Mgmt)62443-3-2 (zones/risk)Regulator asset scoping
D3 Access & IdentityA.5.15-5.18, A.8.2-8.5PROTECT (PR.AA)62443-3-3 SR 1.xRBI access controls
D4 Network SecurityA.8.20-8.22PROTECT (PR.IR)62443-3-3 SR 5.x, 3-2CEA network segregation
D5 App & Data SecurityA.8.24-8.28PROTECT (PR.DS)62443-4-1/4-2SEBI app security
D6 Endpoint & OTA.8.7-8.9, A.8.19PROTECT (PR.PS)62443-3-3 SR 3.x, 7.xCEA OT hardening
D7 Monitoring & DetectionA.8.15-8.16DETECT62443-3-3 SR 6.xCERT-In logging/NTP
D8 Incident & ReportingA.5.24-5.28RESPOND62443-2-1 IRCERT-In 6-hour reporting
D9 Continuity & ResilienceA.5.29-5.30, A.8.13-8.14RECOVER62443-2-1 continuityNational CCMP guidance
D10 Supply ChainA.5.19-5.23GOVERN (GV.SC)62443-2-4Regulator vendor rules
D11 Physical & EnvironmentalA.7.xPROTECT (PR.IR)62443-3-3 physicalDC/plant physical security
D12 Awareness & PersonnelA.6.1-6.6PROTECT (PR.AT)62443-2-1 trainingBGV/personnel norms
How CyberSigma helps
CyberSigma brings CERT-In empanelled auditors and PCI QSA-grade rigour to NCIIPC CII engagements end to end. We help you correctly identify and scope your CII, run a D1-D12 gap assessment with maturity and risk ratings, execute IT and OT/ICS VAPT and configuration reviews, and stand up the segmentation, PAM, SIEM/SOC, incident-reporting and BCP/DR capabilities that the audit expects. We build the evidence pack, prepare your teams for interviews and drills, interface with NCIIPC and your sectoral regulator, and remediate findings to closure - then keep you audit-ready through continuous monitoring and re-assessment. Talk to CyberSigma to turn your next NCIIPC CII audit from a scramble into a confirmation of the protection you already have in place.

Frequently asked questions

What is a protected system?
A system declared under Section 70 of the IT Act as Critical Information Infrastructure, subject to NCIIPC oversight and stricter protection.
Official documents

Need help with NCIIPC CII?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.