Setting the Stage: CERT-In’s Cyber Security Audit Policy
On July 25, 2025, CERT-In issued the Comprehensive Cyber Security Audit Policy Guidelines to strengthen India’s cybersecurity framework. Issued under its authority from Section 70B of the IT Act, 2000, the Guidelines set out the roles and responsibilities of auditors and auditees, with emphasis on ethical conduct, independence and objectivity. They define the scope of audits, including compliance, risk, blockchain and AI system assessments, and lay out protocols for planning, execution, reporting and data handling. Their stated aim is accountability, quality and continuous improvement in national cybersecurity. The Guidelines are a major step forward in formalising how cyber audits are to be conducted in India: they are no longer broad advisories but detailed, enforceable rules that spell out what organisations and auditors are expected to do.
Who Must Comply with CERT-In’s Cyber Audit Guidelines?
CERT-In Empanelled Auditing Organisations
These are entities officially empanelled by CERT-In to conduct cybersecurity audits, including vulnerability assessments, penetration testing and compliance reviews, across both the public and private sectors.
Auditee Organisations
These include all organisations, governmental or private, that own or operate information technology systems, processes and infrastructure subject to evaluation by a CERT-In empanelled auditor. This encompasses both:
- Regulated entities mandated under sectoral regulations (e.g., by the Reserve Bank of India or SEBI) to undergo cybersecurity audits.
- Voluntary participants seeking to assess their cybersecurity posture and align with best practices, even in the absence of regulatory compulsion.
Basic Principles of Cyber Security Audits
- Independence: Auditors must operate without bias, external influence, or conflicts of interest. The integrity of audit findings depends on complete independence, where conclusions are drawn solely from objective evidence.
- Objectivity: Auditors must exercise impartiality throughout the audit process. This includes avoiding any circumstances—such as receiving gifts, favors, or undue benefits—that could impair their judgment.
- Professional Skepticism: Auditors should approach the audit with a questioning mindset, critically assessing the information provided and challenging assumptions rather than accepting them at face value.
- Integrity: Integrity is a cornerstone of professional auditing. Auditors are expected to demonstrate honesty and strong ethical behavior at all times and to deliver accurate, truthful and transparent reports that reflect the real cyber security posture of the auditee organization.
- Transparency and Accountability: Audit methodologies, findings and decisions must be clearly documented and communicated. Auditors are accountable for the accuracy and reliability of their conclusions.
- Confidentiality: Auditors have access to sensitive information, and it is their responsibility to protect its confidentiality. Information must not be disclosed or misused under any circumstances without proper authorization.
- Professional Care: High-quality audits require diligence, competence and attention to detail. Auditors must stay current with evolving cyber threats and adhere to recognized industry standards and best practices.
- Professional Judgment: Auditors must apply informed judgment that balances technical evidence, practical experience and the specific context of the auditee’s operational environment, risk exposure and regulatory obligations.
Scope of Cyber Security Audit Engagements
Organizations are expected to conduct a comprehensive cyber security audit of their Information and Communication Technology (ICT) systems at least once a year; additional audits may be undertaken during the year as emerging risks or compliance needs dictate. Engagements may cover:
- Risk & Vulnerability Assessments: Identify cyber threats, vulnerabilities, and potential impacts.
- Source Code Review: Analyze application source code for security flaws, coding errors, and inefficiencies to enhance code quality and resilience.
- Cloud, IoT, and OT Security Testing: Review modern infrastructure for emerging security risks.
- Red Team Exercises & Forensic Readiness: Test detection and response capabilities under simulated attacks, and confirm that the logs and evidence an investigation would need are actually being captured and preserved.
- Artificial Intelligence (AI) System Audits: Assess the security, ethics, data integrity, transparency, and robustness of AI systems, including their resistance to adversarial manipulation.
- SBOM, QBOM, and AIBOM Audits: Audit Software Bill of Materials (SBOM), Quantum Bill of Materials (QBOM), and Artificial Intelligence Bill of Materials (AIBOM) to ensure transparency, traceability, and integrity of software components. These audits identify vulnerabilities, licensing risks, and supply chain issues while promoting secure development practices.
- Vendor Risk Management Audits: Examine third-party and supply chain cybersecurity practices to identify risks and ensure alignment with the organization’s security policies.
- Blockchain Security Audit: Evaluate blockchain platforms—including smart contracts and consensus mechanisms—for security flaws, cryptographic soundness, and regulatory compliance.
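The checks behind an SBOM audit are easier to see in code than in a definition. The script below is an added example, not tooling from CERT-In or from the Guidelines: it parses a CycloneDX-style SBOM constructed inline and reports the kinds of findings such an audit looks for (untraceable components, missing or mismatched hashes, licences outside policy, versions listed in an advisory feed). The artifact bytes, the advisory feed (ADV-EXAMPLE-1), the component names and the licence allow-list are all hypothetical stand-ins for the auditee’s real package store, a vulnerability database and the organisation’s licence policy.

```python
"""SBOM audit walk-through (added example; not CERT-In's own tooling)."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    component: str  # purl if present, otherwise name@version
    check: str      # short identifier of the failed check
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed bytes standing in for the packages actually deployed (hypothetical).
ARTIFACTS = {
    "pkg:pypi/example-json@2.1.0": b"example-json 2.1.0 release bytes",
    "pkg:pypi/tampered-util@3.2.1": b"tampered-util 3.2.1 rebuilt by someone else",
}

# Hypothetical advisory feed keyed by purl; not a real vulnerability database.
ADVISORIES = {
    "pkg:pypi/legacy-xml@1.0.4": "ADV-EXAMPLE-1: XML external entity expansion",
}

# Hypothetical licence allow-list representing the auditee's policy.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed CycloneDX 1.5 JSON SBOM: one clean component and three problem cases.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-json", "version": "2.1.0",
         "purl": "pkg:pypi/example-json@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["pkg:pypi/example-json@2.1.0"])}]},
        {"type": "library", "name": "legacy-xml", "version": "1.0.4",
         "purl": "pkg:pypi/legacy-xml@1.0.4",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
         "hashes": []},
        {"type": "library", "name": "mystery-lib", "version": "0.9"},
        {"type": "library", "name": "tampered-util", "version": "3.2.1",
         "purl": "pkg:pypi/tampered-util@3.2.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"tampered-util 3.2.1 original release")}]},
    ],
})


def audit_sbom(sbom_json: str, artifacts: dict, advisories: dict,
               allowed_licenses: set) -> list[Finding]:
    """Return every finding for one SBOM document, in component order."""
    sbom = json.loads(sbom_json)
    findings: list[Finding] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        ident = purl or f"{comp.get('name')}@{comp.get('version')}"
        # Traceability: without a purl the component cannot be tied to a source.
        if not purl:
            findings.append(Finding("medium", ident, "missing-purl",
                                    "component cannot be traced to a package source"))
        # Licence policy (only "id" entries are handled; SPDX expressions are ignored).
        licences = [e.get("license", {}).get("id") for e in comp.get("licenses", [])]
        if not licences:
            findings.append(Finding("low", ident, "missing-license", "no licence declared"))
        for lic in licences:
            if lic not in allowed_licenses:
                findings.append(Finding("medium", ident, "license-policy",
                                        f"{lic} is not on the allow-list"))
        # Integrity: a recorded SHA-256 must match what is actually deployed.
        sha_entries = [h.get("content", "").lower() for h in comp.get("hashes", [])
                       if h.get("alg") == "SHA-256"]
        if not sha_entries:
            findings.append(Finding("medium", ident, "missing-hash",
                                    "no SHA-256 recorded; integrity cannot be verified"))
        elif purl in artifacts:
            actual = sha256_hex(artifacts[purl])
            if actual not in sha_entries:
                findings.append(Finding("high", ident, "hash-mismatch",
                                        f"deployed artifact hashes to {actual[:12]}..., "
                                        f"SBOM records {sha_entries[0][:12]}..."))
        # Known vulnerabilities from the (hypothetical) advisory feed.
        if purl in advisories:
            findings.append(Finding("high", ident, "known-vulnerable", advisories[purl]))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per severity for the audit report."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_sbom(SBOM_JSON, ARTIFACTS, ADVISORIES, ALLOWED_LICENSES)
    for f in results:
        print(f"[{f.severity:<6}] {f.component:<32} {f.check:<16} {f.detail}")
    print(summarize(results))
```

The hash-mismatch case is the one that matters most for the integrity goal stated above: an SBOM that merely lists a hash proves nothing until the auditor recomputes it over the artifact that is really running, which is why the check takes the deployed bytes as a separate input rather than trusting the document.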
Responsibility in Cybersecurity Audits
| Auditee Organizations | Auditing Organizations |
|---|---|
| Define and approve the audit scope through top management. | Submit audit reports and metadata to CERT-In within 5 days. |
| Enforce secure coding and prevent unauthorized post-audit code changes. | Brief the auditee’s senior management both before and after the audit to ensure transparency and clarity. |
| Retain and share audit artifacts as required. | Ensure audits are performed only by CERT-In-empaneled auditors. |
| Plan follow-up audits to verify issue resolution. | Handle all audit-related data securely, with proper encryption, storage and eventual disposal. |
| Conduct regular internal audits and enforce controls. | Review and sign reports through an established chain of approval. |
Audit Process
Utilizing CERT-In Snapshot Information for Shortlisting
Organizations and sectoral regulators should leverage the snapshot data available on the CERT-In website to match audit requirements with the competencies of empaneled auditing organizations. This information helps in:
- Assessing manpower skills and qualifications
- Understanding audit experience, sectors served, and audit categories
- Reviewing the number of audits conducted in the past year
- Analyzing tools and technologies used by the auditor
- Evaluating deployed technical manpower
Selection Process and Auditee Evaluation
Auditee organizations are responsible for selecting and evaluating the auditing personnel. Key steps include:
- Interviewing assigned auditors to assess domain expertise and competency
- Verifying technical qualifications based on CERT-In’s empanelment guidelines
- Confirming identities, official IDs, and employment status of audit personnel
- Ensuring auditors are not freelancers, interns, or staff serving notice periods
- Reviewing audit methodologies, domain expertise, and alternatives before final selection
Resource Vetting and Deployment Standards
Auditing organizations must follow strict resource deployment practices:
- Conduct comprehensive background checks on employees
- For employees transferring between CERT-In empaneled firms, a No Objection Certificate (NOC) or relieving letter is required
- Only those listed in the official Snapshot Information Form should be deployed
- CERT-In reserves the right to audit or verify this information independently
Contractual Guidelines and Contingencies
To maintain continuity and accountability:
- Audit contracts, especially for critical or high-impact applications, should ideally span 2–3 years
- In cases of credibility issues, contracts should allow for switching auditing organizations within a reasonable timeframe to mitigate financial and operational risks
| Auditee Organizations | Auditing Organizations |
|---|---|
| Define Audit Scope: Cover all systems, including applications, networks, cloud, OT/ICS, APIs, databases and incident response. | Legal and Confidentiality Requirements: Sign an NDA and inform the auditee that the report must be submitted to CERT-In within 5 days. |
| Audit Frequency: Audit at least annually; trigger a fresh audit after major changes, while minor changes go through change management. | Audit Team and Tool Authorization: Share audit team and tool details and obtain written approval from the auditee. |
| Include Critical Assets: Identify critical applications and databases and audit them using DAST/SAST and configuration checks. | Scope and Objectives Planning: Clearly communicate the audit type, standards, assets, timelines and data handling practices. |
| Audit Coordination: Ensure third-party teams are available and responsive during the audit. | Stakeholder Communication: Eliminate the “expectation gap” by clearly outlining the audit scope, deliverables and process; communicate any limitations or exemptions in advance. |
| Third-Party Infrastructure: Hosting providers handle infrastructure-level audits; application owners handle application-level audits. | Report Handling and Distribution: Collect official email IDs and mobile numbers of designated contacts for secure report sharing. |
| Secure Data Handling: Ensure secure transmission, storage and disposal of audit data and reports. | Risk Escalation and Issue Resolution: Create and share a clear escalation matrix with both the auditee and the auditing team for timely resolution. |
| Audit Contracts: Clearly define the audit plan, tasks, responsibilities, documentation and reporting formats. | Remote & High-Risk Testing: Disclose auditor identities, contact details and source IPs for remote testing and obtain written permission; notify the auditee of changes to the audit plan or test venue and of high-risk findings; provide regular updates during the audit. |
- Limit Audit Visibility: Auditee should inform only key personnel to avoid temporary security hardening during the audit.
- Access Control: Provide only temporary privileged access to auditors; revoke immediately after the audit concludes.
- Monitor Progress: Auditee must track audit execution, timelines, and closure through regular reviews and meetings.
- Regulatory Compliance: Both parties must follow CERT-In directions, advisories, and applicable regulatory standards.
- Qualified Audit Team: Auditing organization must deploy domain-experienced personnel and revalidate past findings.
- Ethical Testing: Secure explicit permission for high-risk activities like DoS/DDoS, and ensure ethical, anonymized social engineering tests.
- Environment Clarity: Audits must be conducted on defined environments (e.g., test/staging); application version/hash must be recorded.
- Confidentiality & Data Handling: Ensure secure handling of auditee data with well-documented procedures and NDA enforcement.
- Quality Control: Implement a maker-checker process for validating audit findings and maintaining high quality.
- Incident Management & Escalation: Auditors should have a defined incident response plan and escalation matrix shared with auditee.
Consequences of Non-Compliance
This framework outlines graded consequences to ensure accountability and continuous improvement among auditing organizations.
- Watch-List Placement with Warning & Written Commitment: The auditing organization is placed on a watch list, issued a warning and required to give a written commitment to remedy the shortcomings.
- Suspension of Empanelment: Applied on adverse feedback about technical competence or major violations of CERT-In’s terms and conditions.
- Debarment & De-empanelment: Applied for auditing malpractices or unethical conduct.
- Penal & Legal Action: In cases of severe violations, financial penalties, legal proceedings, or other punitive actions may be initiated under applicable laws.
Disclaimer
The information provided in this article is intended for general informational purposes only and should not be construed as legal advice. The content of this article is not intended to create and receipt of it does not constitute any relationship. Readers should not act upon this information without seeking professional legal counsel.