
How CERT-In’s Latest Guidelines Will Shape Cyber Audits in India  

August 13, 2025


Introduction 

The Indian Computer Emergency Response Team, CERT-In, under the aegis of the Ministry of Electronics and Information Technology (MeitY), has issued guidelines titled the “Comprehensive Cyber Security Audit Policy Guidelines.” This aligns with India’s fast-paced digital infrastructure growth and the parallel rise in cyber threats. The guidelines, released alongside expanded directions under the Information Technology Act, 2000, represent a leap toward institutionalising cybersecurity audit practices across government and private sectors.

Context and Legislative Mandate 

CERT-In’s authority to issue cybersecurity directions and audit policies stems from its powers under sub-section (6) of section 70B of the Information Technology Act, 2000. This framework has become increasingly relevant given the ever-growing threats to India’s cyber space and the rise in attacks. The new guidelines are intended to strengthen accountability and preparedness through mandated audit practices that identify, assess, and mitigate cyber risks across organisations and digital service providers.

In April 2022, CERT-In issued a directive requiring entities to report cybersecurity incidents within six hours, maintain secure logs for 180 days, and ensure time synchronisation of ICT infrastructure. These requirements set the stage for a compliance framework, which has now been extended through the release of the Comprehensive Cyber Security Audit Policy Guidelines.

These guidelines are primarily targeted at CERT-In empanelled Information Security Auditing Organisations and the organisations they audit, referred to as auditee organisations. These include entities such as ministries, departments, public sector undertakings, statutory and autonomous bodies, as well as private companies operating critical information systems. In particular, entities falling under the purview of previous CERT-In directions or those engaging in significant public-facing digital services are expected to align with these audit expectations. This also extends to organisations voluntarily seeking assessment or those seeking to improve their cybersecurity posture through formal evaluations.

Objective and Purpose of the Guidelines 

At their core, the guidelines play a major role in supplementing India’s cybersecurity audit ecosystem through a standardised, structured, and certifiable framework. The objective of these guidelines is to establish a standard framework for Cyber Security Audit, which will improve the overall Cyber Security posture of organisations and promote trust in digital services, business continuity, and protection of critical and non-critical information systems. CERT-In aims to improve the maturity level of cybersecurity postures within both government and private organisations by laying down definitive requirements for auditing methods, qualified personnel, frequency, and reporting. 

One of the underlying motivations is to promote preparedness against increasingly sophisticated cyber threats while ensuring adherence to security best practices. The guidelines also seek to support India’s vision of being a global technology hub by ensuring that its cybersecurity audit processes are on par with international norms. 

Applicability and Scope 

Who Must Comply? 

The Guidelines apply to two main categories of entities: 

  • CERT-In Empanelled Auditing Organisations: These are information security auditing firms empanelled by CERT-In to perform security audits, including vulnerability assessment and penetration testing, for government agencies and other sectors. Empanelled auditors operate under CERT-In’s programme and must abide by empanelment terms and the new Guidelines when delivering audit services.
  • Auditee Organisations: These include all organisations, public or private sector, that own or operate the systems, networks, applications, and processes being audited by the empanelled auditors. In practice, any organisation that is required or volunteers to evaluate its cybersecurity posture, identify vulnerabilities, assess risks, or ensure compliance with security standards may fall under the purview of these audits. Notably, the Guidelines are intended to cover government bodies, critical infrastructure providers, essential service organisations, as well as private companies that handle sensitive data or are part of the country’s digital ecosystem.

The Guidelines are binding on CERT-In empanelled auditing organisations and the auditee entities that fall under the relevant provisions of Section 70B of the IT Act. CERT-In is empowered by law to issue such directions, and failure to comply with them can attract penalties as outlined under Section 70B(7).

Structure of the Audit Policy Framework 

The guidelines divide the audit process into distinct components that mirror international audit methodologies but tailor them to India’s regulatory context. These include: 

  1. Audit Types: CERT-In has categorised cybersecurity audits into three principal types: Internal, External, and Third-Party. Internal audits are conducted by the organisation’s in-house teams; external audits involve independent assessors; and third-party audits refer to assessments carried out by entities not affiliated in any way with the auditee. Each audit type has distinct implications for objectivity, depth of review, and cost.
  2. Audit Frequency: Organisations are expected to conduct cybersecurity audits periodically based on risk assessments and the criticality of their systems. Though no strict timeline has been mandated, it is suggested that audits be performed annually, particularly for critical systems. Entities undergoing significant system changes or those experiencing security incidents may be required to conduct unscheduled audits.
  3. Qualified Personnel and Empanelment: Only CERT-In empanelled auditors or audit organisations are eligible to conduct recognised cybersecurity audits under these guidelines. Auditors must meet strict qualification criteria, including professional certifications and demonstrated experience. The empanelment process is subject to periodic review, thereby ensuring quality assurance in the audit ecosystem.
  4. Audit Methodology: The policy prescribes a well-defined audit lifecycle that includes planning, execution, reporting, and follow-up. The planning phase entails risk profiling and scope definition. Execution covers system reviews, vulnerability scanning, penetration testing, and control validation. Reporting must be factual, actionable, and submitted in a prescribed format. Follow-ups require corrective actions and revalidation of controls.
  5. Documentation and Reporting: The guidelines mandate detailed documentation throughout the audit lifecycle. Reports must include risk assessments, mitigation recommendations, control validation summaries, and evidence-based findings. Organisations must retain these reports securely and furnish them to CERT-In upon request. Confidentiality of audit results is emphasised, with limited dissemination permitted on a “need to know” basis.

Review of Bills of Materials  

As part of its emphasis on supply chain transparency and vulnerability management, the CERT-In Guidelines mandate a structured review of Bills of Materials (BoMs) during cybersecurity audits. Clause 6(xxvi) of the Guidelines requires empanelled auditors to verify the presence, accuracy, and integrity of the Software Bill of Materials (SBOM), Hardware Bill of Materials (HBOM), Firmware Bill of Materials (FBOM), and AI/ML Model Bill of Materials (AI/ML BoM) associated with the systems under audit. These BoMs serve as inventories of system components such as software libraries, physical hardware, embedded firmware, and deployed AI/ML models, including their datasets and dependencies. The review supports component traceability, identification of vulnerabilities, and transparency across critical and non-critical digital infrastructure.

Role of CERT-In and Enforcement Mechanism 

CERT-In plays a central coordinating role in this framework, not only as the policy issuer but also as a supervisory and enforcement authority. It has the power to initiate audits, seek compliance reports, mandate re-audits, and engage with sectoral regulators to ensure cross-domain compliance. The guidelines assign CERT-In a central role in coordinating, monitoring, and ensuring adherence to the cyber security audit framework, including oversight of empanelled auditors and compliance reporting by auditee entities. This empowers CERT-In to recommend actions in case of audit failures or lapses, including reporting to the concerned regulator or ministry, or even suggesting punitive measures where negligence or wilful non-compliance is detected. While the Cyber Security Audit Policy Guidelines are presently advisory, CERT-In retains statutory powers under Section 70B(6) of the IT Act to issue mandatory directions, non-compliance with which is punishable under Section 70B(7).

Importance of Software Bill of Materials (SBOM) in Cybersecurity Audits 

One of the more nuanced developments emerging alongside the audit guidelines is CERT-In’s emphasis on the Software Bill of Materials. The updated framework highlights SBOM as a crucial enabler for cyber risk transparency. An SBOM lists all software components, including open-source packages and third-party integrations, used in an application. Incorporating SBOM requirements within cybersecurity audits allows auditors to evaluate supply chain security, detect outdated components, and recommend timely upgrades. This not only reduces systemic risk but also supports ongoing compliance with national and sector-specific cyber norms.  
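The presence, accuracy and integrity checks that the BoM review above calls for, as an added example that is not code from the guidelines or from CERT-In: it runs over a constructed CycloneDX-style SBOM, a constructed inventory of what is deployed on the audited host, and constructed artifact bytes standing in for a package file (all names and values are illustrative).

```python
import hashlib

# Constructed artifact bytes standing in for a real package file (not a real library).
ARTIFACTS = {"libfoo": b"constructed bytes of libfoo-2.1.0"}

# Constructed CycloneDX-style SBOM (illustrative, not any product's real SBOM).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(ARTIFACTS["libfoo"]).hexdigest()}]},
        {"type": "library", "name": "libbar", "version": "0.9.3"},   # declared without a hash
        {"type": "library", "name": "libbaz"},                       # declared without a version
    ],
}

# Constructed inventory of what is actually deployed on the audited host.
DEPLOYED = {"libfoo": "2.1.0", "libbar": "1.0.0", "libqux": "3.0.0"}


def audit_sbom(sbom, deployed, artifacts):
    """Check an SBOM for presence, accuracy and integrity; return findings by category."""
    findings = {k: [] for k in ("missing_version", "missing_hash", "hash_mismatch",
                                "version_mismatch", "not_deployed", "undeclared")}
    declared = {}
    for comp in sbom.get("components", []):
        name = comp["name"]
        declared[name] = comp.get("version")
        # Presence: every component needs a version and at least one SHA-256 hash.
        if not comp.get("version"):
            findings["missing_version"].append(name)
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings["missing_hash"].append(name)
        # Integrity: recompute the digest of the artifact we hold and compare.
        elif name in artifacts:
            if hashlib.sha256(artifacts[name]).hexdigest() != hashes["SHA-256"]:
                findings["hash_mismatch"].append(name)
        # Accuracy: the declared version must match what is deployed.
        if name not in deployed:
            findings["not_deployed"].append(name)
        elif comp.get("version") and deployed[name] != comp["version"]:
            findings["version_mismatch"].append(name)
    # Accuracy: anything deployed but absent from the SBOM is undeclared.
    findings["undeclared"] = sorted(set(deployed) - set(declared))
    return findings


if __name__ == "__main__":
    for category, names in audit_sbom(SBOM, DEPLOYED, ARTIFACTS).items():
        print(f"{category}: {names}")
```

Each non-empty category is an audit finding: a missing hash blocks integrity verification, a version mismatch or an undeclared component means the SBOM is not an accurate inventory of the system under audit.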

Stakeholder Responsibilities 

Organisations subject to audits bear the primary responsibility for facilitating the audit process, ensuring access to systems, and implementing remediation measures post-audit. Internal cybersecurity and IT teams are required to maintain audit logs, risk registers, and incident response documentation. Moreover, senior management is expected to support audit outcomes through resource allocation and strategic prioritisation. Auditors, whether internal or external, are tasked with maintaining independence, adhering to professional ethics, and ensuring thorough and unbiased assessments. They must also keep audit findings confidential unless mandated otherwise by CERT-In or the relevant sectoral regulator. 

CERT-In, as the apex cybersecurity body, holds the responsibility of maintaining the empanelled auditor registry, framing evolving standards, and monitoring compliance. It is also expected to work with ministries and critical sector regulators to promote inter-agency alignment and policy uniformity. 

Audit Reporting and Follow-Up Actions 

The post-audit phase is perhaps the most operationally critical. The guidelines stipulate that audit reports must be completed within a time frame and submitted in both digital and physical formats as directed. Entities must implement the recommendations within a defined corrective action timeline and conduct a re-audit to validate remediation. CERT-In may review reports to identify systemic vulnerabilities across sectors and recommend sector-wide reforms. In cases of non-compliance, CERT-In may initiate follow-up actions including issuing compliance warnings, recommending re-audits, or escalating the matter to relevant regulators or authorities, as provided under the guidelines.  

Conclusion 

CERT-In’s new Cyber Security Audit Guidelines are a wake-up call for Indian organisations. They make it clear that cyber safety can’t be left to chance or last-minute checklists. Real security today means being constantly ready not just when a problem strikes, but all year round. 

With these rules, businesses can’t afford to treat audits as a box-ticking exercise. Instead, regular checks, clear documentation, and qualified experts are now the norm. There’s also a stronger push to actually fix problems found in audits, not just file away the reports. These steps aren’t about making life harder; they’re about making India’s digital economy safer for everyone, from customers to companies. What does this mean for you? Whether you run a large enterprise or a small startup, it’s time to take cyber audits seriously and stay compliant in this ever-connected world.
