The Indian Computer Emergency Response Team (CERT-In) has issued the Comprehensive Cyber Security Audit Policy Guidelines under the IT Act, 2000, introducing a standardized framework for cybersecurity audits across industries. These new guidelines aim to strengthen India’s cyber resilience by ensuring organizations follow a structured audit process, but they also raise questions about compliance, scope, and overlap with the Digital Personal Data Protection (DPDP) Act, 2023.
The guidelines apply to CERT-In empaneled auditors and any organization mandated or voluntarily opting to assess its cybersecurity posture. This includes government entities, critical infrastructure operators, telecom companies, financial institutions, healthcare organizations, and any business handling sensitive or regulated data.
What Do the Guidelines Cover?
Organizations are required to conduct comprehensive audits to:
● Assess compliance with cybersecurity laws and frameworks
● Identify vulnerabilities in systems
● Review application security, cloud infrastructure, IoT systems, industrial control systems, supply chains, and physical security
Audits are recommended annually or after “significant infrastructure changes.” However, the guidelines leave “significant changes” undefined, giving auditors and businesses room for interpretation.
Auditors must follow globally recognized standards such as:
● ISO/IEC standards
● OWASP (Open Worldwide Application Security Project)
● OSSTMM (Open Source Security Testing Methodology Manual)
● CSA Cloud Controls Matrix
They must also score findings using CVSS (Common Vulnerability Scoring System), which rates the technical severity of a vulnerability, and EPSS (Exploit Prediction Scoring System), which estimates the probability that it will be exploited in the wild, so that findings are ranked by both severity and likelihood of exploitation rather than severity alone. Organizations must remediate vulnerabilities flagged in audits and conduct follow-up reviews to confirm closure. CERT-In reserves the right to take action against non-compliant entities or substandard auditors, including delisting auditors or initiating legal proceedings.
The guidelines come as organizations prepare for compliance under the DPDP Act, 2023. With no clear bridge between the two frameworks, companies—especially small and mid-sized enterprises—may face challenges aligning with complex, high-level standards. These guidelines represent a critical step toward strengthening India’s cybersecurity ecosystem, but businesses must act quickly to align with the new compliance requirements.