ARTICLE
13 August 2025

What Do CERT-In's Cyber Security Audit Policy Guidelines 2025 Mean For Your Business? (Podcast)

AK & Partners

AK & Partners is a full-service law firm, whose expertise spans diverse practice areas, including Banking and Finance, Dispute Resolution, Transaction Advisory and Funds, Data Privacy, Tax, and regulatory compliance. Our services are offered across different legal forums and jurisdictions, including the USA, the UK, Singapore, Italy, Spain, Sri Lanka, etc.

Introduction

The Indian Computer Emergency Response Team ("CERT-In") has issued its new Comprehensive Cyber Security Audit Policy Guidelines 2025 ("Guidelines"). These Guidelines mark a pivotal step in strengthening India's cyber resilience and providing a unified framework for cybersecurity audits across government and private sector entities. Unlike earlier procedural checklists, these CERT-In Guidelines introduce a full cybersecurity audit lifecycle covering planning, scoping, risk assessment, vulnerability testing, remediation, and follow-up verification, ensuring that audits drive measurable improvements in cyber risk management.

For corporate organisations, cybersecurity is now a board-level business imperative, not just a compliance requirement. Auditors and consulting firms must elevate their expertise, demonstrating transparency, independence, and data-driven rigour. The overarching goal is clear: to transform India's cybersecurity posture from reactive and fragmented to proactive, holistic, and resilient, building digital trust, protecting critical infrastructure, and enhancing business continuity.

Double Lens of Accountability: Who Falls Under CERT-In's 2025 Guidelines

Through the Guidelines, CERT-In has ensured that both auditors and auditees share a common understanding of expectations, methodologies, and reporting requirements. The Guidelines apply to two key categories of entities:

  1. CERT-In empanelled auditing organisations: CERT-In empanelled information security auditing organisations authorised to conduct vulnerability assessments, penetration tests, compliance audits and a wide spectrum of security reviews for government departments and the private sector.
  2. Auditee organisations: Any public or private sector entity required or electing to evaluate its cybersecurity posture, identify risks and vulnerabilities, and affirm compliance with applicable laws, regulations, and best practices.

Mapping the New Audit Landscape: The New Cyber Audit Scope of Engagement

Auditees are expected to conduct at least one comprehensive audit of their Information and Communication Technology ("ICT") systems annually. The Guidelines encompass the full range of cybersecurity audit and assessment engagements, including but not limited to:

Audit types and their descriptions:

  Compliance Audits: Verifying adherence to regulatory and industry standards.
  Risk Assessments: Identifying, quantifying and prioritising cyber threats, including assessing the likelihood and impact of various cybersecurity incidents.
  Vulnerability Assessments: Examining an information system or product to evaluate the adequacy of security measures, identify deficiencies, predict the effectiveness of proposed controls, and confirm adequacy after implementation.
  Penetration Testing: Actively testing individual components or entire applications to identify and exploit potential vulnerabilities.
  Infrastructure and Operational Audits: Reviewing network components, data centre controls, OT/ICS environments, and physical security.
  Policy Review: Reviewing and assessing IT security policy against established best practices.
  Information Security Testing: Validating the effective implementation of security controls for information systems and networks, based on the organisation's security requirements.
  Source Code and Process Security Reviews: Analysing application code for flaws and testing organisational processes for weaknesses.
  Specialised Audits: Communications Security Testing, Application Security Testing (including web applications, mobile applications and APIs), Mobile Application Security Auditing, Wireless Security Testing, Physical Security Testing, Red Team Assessment, Digital Forensic Readiness Assessment, Cloud Security Testing, Industrial Control Systems/Operational Technology Security Testing, Internet of Things (IoT)/Industrial Internet of Things (IIoT) Security Testing, Log Management and Maintenance Audit, Endpoint Security Assessment, Artificial Intelligence (AI) System Audits, Vendor Risk Management Audits, Blockchain Security Audit, and SBOM (Software Bill of Materials), QBOM (Quantum Bill of Materials) and AIBOM (Artificial Intelligence Bill of Materials) Auditing.

From Checklist Tools to Comprehensive Evidence-Based Security Standards

To deliver rigorous, enterprise-grade cybersecurity audits, CERT-In mandates that auditors rely on established, comprehensive security frameworks and not just limited vulnerability lists. Over-reliance on tool-based testing is strongly discouraged, as such automated scans often miss manual, configuration, and process-level risks within IT infrastructure, leaving organisations with an incomplete security posture.

What's Out: Limited vulnerability references such as the OWASP Top 10, SANS Top 25 and similar lists should not be treated as standards or references for audits, as they provide only a partial view of security gaps.

What's In: CERT-In's 2025 Guidelines require that audits follow multi-layered, globally recognised standards and sector-specific compliance frameworks, including ISO/IEC, Cyber Security Audit Baseline Requirements, CSA Cloud Controls Matrix (CCM) for Cloud Security and Open-Source Security Testing Methodology Manual (OSSTMM3), etc.

For audits involving sensitive personal data in critical government applications, CERT-In mandates the 282-control "Comprehensive Audit Program Checklist" issued by the Ministry of Electronics and Information Technology (MeitY). Additionally, all audited applications must demonstrate compliance with "Secure by Design" principles under CERT-In's Secure Application Design guidelines.

By embedding these globally recognised cybersecurity frameworks, CERT-In underscores that cybersecurity audits in India must evolve from a basic regulatory checkbox into a strategic risk management and compliance tool. Businesses should transition from tool-only vulnerability scanning to a multi-layered, evidence-based audit approach that combines automated testing with manual, process-driven security assessments. To stay competitive and compliant, organisations must adopt continuous cybersecurity audit practices aligned with global standards, regulatory mandates, and enterprise risk management frameworks.

Who Does What in Cybersecurity? Clarity on Auditee and Auditor Roles

i. Auditee organisations

The auditee organisation holds ultimate accountability for cyber risk governance and security compliance. Top management, such as CXOs, Chief Information Security Officers (CISOs), and board committees, must define and approve the audit scope, set the audit frequency, and establish remedial action plans, while disclosing high-level outcomes in annual compliance reports. Risk treatment decisions (whether to retain, mitigate, transfer, or accept a risk) must be formally documented with written executive approval. After receiving the audit findings, the auditee is responsible for implementing the recommended actions to improve security and mitigate risks. The auditee organisation must ensure that 'Secure by Design' principles and secure application development practices are included as mandatory requirements. Once the audit certificate is issued, the application developer should avoid making any code changes to the audited application or infrastructure.

ii. Auditing organisations

The auditor's role is to provide independent, point-in-time assessments and to report any assets that could not be accessed and therefore fall outside the audit scope. During and after the assignment, all personnel involved must be aware of the applicable information classification requirements and follow practices that preserve the confidentiality, security, and privacy of auditee information.

Essential Guidelines for Audit Planning

An effective cybersecurity audit starts with a clear, well-defined audit scope. Organisations must map their entire ICT ecosystem, including systems, applications, cloud services, operational technology, source code repositories and third-party integrations. This mapping should be validated through iterative reviews involving the internal audit team and the CISO to ensure that no critical asset is overlooked.

While annual cybersecurity audits establish the baseline for measuring an organisation's security posture, the programme must remain agile. Any major infrastructure migration, system overhaul, or significant application upgrade should trigger supplementary targeted audits to confirm that security controls remain effective before deployment.

CERT-In empanelled auditing organisations must present a detailed audit execution plan before fieldwork begins, covering the proposed team structure, effort estimates, tooling inventory and stakeholder engagement plan, so that resources and timelines are agreed in advance. All legal, regulatory, and confidentiality agreements should be finalised before any testing begins to safeguard compliance and data protection obligations.

Best Practices for Report Structuring and Practical Remediation Protocol

i. Drafting and structuring of the report: The audit report format should be mutually agreed upon and should be clear, precise and comprehensive. The report must be signed by the auditors who conducted the audit, and the audit certificate must be signed by both the Lead Auditor and the Head of the Auditing Organisation.

ii. Executive summary and risk categorisation: The report should open with a concise, business-oriented overview for boards that translates technical issues into strategic risk insights. Auditors are required to apply both the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS) within their audit reports, and every reported observation or vulnerability must be mapped to Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) identifiers.

iii. Data handling and disclosure guidelines: The sharing and disclosure of auditee-related data should be done with the prior consent of the auditee organisation. However, disclosures mandated by law or required by designated regulatory bodies or competent authorities in India (such as CERT-In) may be made by the auditing organisation without additional consent.

Consequences of Non-Compliance

CERT-In's framework not only incentivises high-quality audits but also outlines graded penalties for failure to adhere:

Each grade lists its indicative parameters and the action required:

Move to watch list (Moderate)

  Indicative parameters:
  1. Inadequate closure of non-compliances
  2. Weak link between observations and issues
  3. Insufficient sample details or flawed conclusions
  4. Minor violations of CERT-In terms (e.g. a first adverse report with at most two missed vulnerabilities, conflict with the auditee, a first instance of non-compliance with the CERT-In data collection framework, etc.)

  Action required: Issue a warning and a corrective-action report; require a written commitment from the auditing organisation.

Suspension (Moderate to High)

  Indicative parameters:
  1. Adverse feedback on auditor competence or conduct
  2. Repeated planning/coverage failures
  3. New issues surfacing immediately post-audit
  4. Major CERT-In term violations

  Action required: Suspend empanelment; revoke the suspension only after satisfactory corrective-action submission and verification.

Withdrawal of Empanelment (High)

  Indicative parameters:
  1. Proven auditing malpractice
  2. Substandard service delivery
  3. Failure to cover the agreed scope of work

  Action required: Actions as per GFR and O.M. No. F.1/20/2018-PPD dated 2nd November 2021 of the Department of Expenditure.

Penal & Legal Actions (Severe)

  Indicative parameters:
  1. Breach of trust or contract
  2. Unauthorised access or digital break-in
  3. Intentional damage to the auditee infrastructure or interests

  Action required: As per applicable penal and legal acts/laws.

Key Takeaway for Businesses to Build Lasting Cyber Resilience

These Guidelines give organisations a clear roadmap for every stage of a cyber security audit, from defining what to review to delivering the final report. Businesses should integrate these guidelines into their existing risk management and governance models by formalising audit engagements that cover their complete IT infrastructure, including applications, networks, cloud environments, and supply chains. The mandatory use of established vulnerability scoring systems (CVSS and EPSS) in audit reports enables prioritisation of risks based on severity and likelihood of exploitation, supporting more data-driven and effective remediation strategies. Organisations are expected to adopt 'Secure by Design' principles in software development, enforce stringent data handling practices, and ensure rigorous follow-up audits after remediation actions, thus embedding continuous improvement into their security lifecycle.

Adherence to these practices should become part of corporate governance, risk management frameworks, and vendor management processes, enabling organisations to proactively identify and mitigate cyber risks while facilitating transparent communication with regulators and board-level management.
