ARTICLE
25 August 2025

The New CERT-In Audit Guidelines: Is Your Organisation's Cyber Security Ready For The Spotlight?

Lexplosion Solutions Private Limited

Contributor

Lexplosion Solutions is a leading Legal-Tech company providing legal risk management solutions in areas of compliance management, audits, contract lifecycle management, litigation management and corporate governance. Lexplosion merges disruptive technology with legal domain expertise to create solutions that increase efficiency and reduce costs.

A new awakening is taking shape in the way India protects its critical digital assets. CERT-In, the government's frontline cyber defence authority, has just rolled out the most comprehensive set of Cyber Security Audit Policy Guidelines to date. Released on 25th July 2025, this exhaustive guide covers the entire audit process, from initial planning to final reporting and follow-up actions, contributing to the overarching goal of safeguarding the nation's cyber infrastructure from threats. These rules apply across the board: from booming tech start-ups and state institutions to global banks and boutique audit firms.

This is not another round of "best practices", it is a direct call to action. If your business runs on computers, your ability to operate and avoid hefty penalties now hinges on how well you conduct, document, and respond to a regulated cyber audit.

Certainty, Not Checkbox Compliance

At the core of the new guidelines is a simple message: The auditing process should be viewed as a tool for the continual process improvement of the auditee organisation's security posture, rather than a mere formality for compliance. Audits must not be conducted solely for the sake of fulfilling regulatory requirements; instead, they should adopt a risk-based and domain-specific approach that aligns with the organisation's business context, threat landscape, and operational priorities.

Annual audits are now a minimum expectation, and every significant infrastructure or application change must trigger a fresh round of scrutiny. Gone are the days when an annual "tick-box" penetration test would suffice. All changes to the system or application must undergo a formal change management process. Each change should be classified as either a 'Minor Change' or a 'Major Change'. Minor changes (low-risk, non-critical) require standard change management processes but do not need a cyber security audit. Major changes (high-risk, impactful to security), such as system overhauls, technology migrations, or configuration adjustments that affect sensitive data or critical infrastructure, must undergo a cyber security audit to evaluate potential vulnerabilities, ensure compliance, and mitigate security risks before implementation.

An audit should be performed after every major change in infrastructure and applications, based on the criticality involved. Organisations are encouraged to undergo audits at periodic intervals even if there is no major change in infrastructure, to remediate and eliminate the risk from new vulnerabilities. The periodicity of audits should be decided based on the criticality of the cyber assets.

But this is not just about frequency. Applications that lack secure design and development practices should not even be considered for assessment or audit. Therefore, to stay audit-ready, organisations should adopt secure application development practices from the outset, and application owners should ensure adherence to the best practices outlined in CERT-In's Application Security Guidelines.

Moreover, organisations are also required to maintain and monitor an inventory of all authorised assets (both software and hardware). For all assets, a proper patch management mechanism should be in place to patch the vulnerable software, applications and firmware used by the organisation.

Implementation of the principle of least privilege is encouraged across the organisation's assets. This means that users, systems, applications, and processes should be granted only the minimum level of access permissions necessary to perform their specific roles or function.

No More Cutting Corners on Audit Teams

Empanelled auditors are held to a far higher bar. Companies will not just hire a firm because its name is on the CERT-In list. They are now required to verify the credentials of every auditor assigned to their project, cross-check them on CERT-In's public Snapshot Information, and bar any freelancers, moonlighters, or last-minute replacements.

Contracts for the audit of applications which are critical or have high user reach should be awarded to the auditor organisation for a period of 2-3 years to enable continuous audits at a defined frequency. In case the credibility of the auditing organisation becomes doubtful, the contractual agreement for the audit must allow the auditee organisation to stop the audit and choose another auditing organisation within a reasonable duration of time, in order to avoid financial losses on both ends.

Scope: No Asset Left Behind

When it comes to audit scope, "partial coverage" is no longer acceptable. Under the new CERT-In guidelines, your cyber security audit must be driven by a complete, up-to-date asset inventory covering development, test, and production environments, as well as any third-party systems, cloud services, and vendor-managed infrastructure.

Critical databases and applications get top billing, with dynamic (DAST) and static (SAST) security testing now expected to be baked right into your vendor RFPs. And that's just the starting point. Organisations are encouraged to include a wide range of audit types over the course of the year, such as:

  • Core compliance and risk: compliance audits, risk assessments, vulnerability assessments, and penetration testing.
  • Infrastructure and operations: network infrastructure audits, operational audits, IT policy reviews, information security testing, source code reviews, and process/communication security testing.
  • Application and mobile security: web, mobile, and API audits; wireless and physical security testing; red team simulations; and digital forensic readiness assessments.
  • Specialised environments: cloud security testing, ICS/OT assessments, IoT/IIoT testing, log management reviews, endpoint security evaluations, AI system audits, vendor risk management, blockchain audits, and SBOM/QBOM/AIBOM verifications.

The message is clear: nothing in your digital estate should be invisible to the audit process.

And how you conduct those audits matters just as much as what you cover. Narrow, "tool-only" or checklist-driven exercises no longer pass muster. A balanced approach combining manual expertise with automated tools is expected, grounded in internationally recognised frameworks like ISO/IEC standards, CERT-In's Cyber Security Audit Baseline Requirements, the CSA Cloud Controls Matrix, OSSTMM, OWASP's ASVS and MSTG, and the DevSecOps Maturity Model, while staying aligned with the latest guidance from CERT-In and sectoral regulators. In short, the goal is to map everything, test deeply, and align with proven global standards while staying tuned to India's evolving cyber defence playbook.

Everything Evidence-Based

A pivotal shift in the new CERT-In regime is the detailed attention placed on the management of audit documentation and the traceability of audit evidence. Gone are the days when a single unsigned PDF or a generic summary could pass muster. Today, the law prescribes exactly how reports, findings, and supporting notes must be created, handled, transmitted, and preserved.

Every stage of the audit produces critical artifacts: working papers, screenshots, technical logs, test outcomes, sample lists, and versions of assessed applications. These do not simply form the backbone of an effective audit; they are, in fact, legal records. For this reason, audit teams are required to enforce strict version control and cryptographic traceability for every document, log, and artifact related to the audit. Each report, certificate, and working note, both draft and final, is to be hashed, timestamped, and tracked, so that any dispute or challenge can be swiftly resolved with demonstrable evidence.

Further, the guidelines lay out a meticulous multi-level sign-off protocol for every report and certificate. The individuals who carried out the security testing must sign first, affirming the integrity and accuracy of the findings. Final documents require signatures from the actual audit team, an independent reviewer, and finally, a senior leader (such as the CEO) of the audit firm. Audits signed by the wrong person, or shortcuts in review, will result in a formal warning or worse. It is mandatory for the auditing organisation to share the audit report and audit metadata with CERT-In within 5 days of completion of the audit.

All audit-related information must be stored only on secure systems located within India, with appropriate safeguards in place. Offshoring or retaining such data on unsecured laptops is strictly prohibited. During the engagement, data should be encrypted in transit and at rest, accessible only to authorised audit personnel. Once the project is complete, the auditing organisation must permanently and irreversibly delete all audit-related data in accordance with the Policy Guidelines for Handling Audit Related Data issued by CERT-In and provide the auditee with a formal certificate confirming that the data cannot be recovered by any known forensic method.

Auditee organisations have equally important obligations. They must ensure timely and complete access to systems, networks, applications, documentation, and relevant staff, and verify that all audit personnel are those declared to CERT-In in the organisation's published Snapshot Information. They are responsible for designating a single point of contact for coordination, ensuring senior management oversight, and facilitating both entry and exit meetings with top leadership. Pre-audit preparation requirements such as ensuring backups, securing environments, and configuring test access must be fully met. The auditee is also expected to retain audit reports, certificates, and associated artifacts (including version hashes, timestamps, and scope details) in secure storage for the agreed retention period, and to follow the agreed process for secure disposal.
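The "hashed, timestamped, and tracked" requirement for audit artifacts, and the auditee's duty to retain version hashes and timestamps, can be met with a simple chained evidence manifest. The following is an added illustration, not code from the article or from CERT-In; the artifact names and contents are constructed samples, and the chaining scheme is an assumed design, not a format the guidelines prescribe.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample artifacts (stand-ins for working papers, logs and
# report drafts): artifact name -> file bytes.
SAMPLE_ARTIFACTS = {
    "scope-v1.txt": b"In scope: payments-api, prod and uat environments\n",
    "dast-run-01.log": b"2025-08-01T10:02:11Z dynamic scan finished: 2 medium\n",
    "report-draft-v1.pdf": b"%PDF-1.7 constructed placeholder bytes\n",
}

GENESIS = "0" * 64  # chain anchor for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, timestamp: str = "") -> list:
    """Return manifest entries, each linked to the previous one by hash.

    An entry records the artifact name, its SHA-256, an ISO-8601 UTC
    timestamp and the previous entry's chain hash. Because each link covers
    the name, digest and timestamp, editing, dropping or reordering any
    artifact changes every later link and is detectable on verification."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries, prev = [], GENESIS
    for name in sorted(artifacts):           # deterministic order
        digest = sha256_hex(artifacts[name])
        link = sha256_hex(f"{prev}|{name}|{digest}|{ts}".encode())
        entries.append({"name": name, "sha256": digest, "timestamp": ts,
                        "prev": prev, "chain": link})
        prev = link
    return entries


def verify_manifest(manifest: list, artifacts: dict) -> list:
    """Recompute every digest and link; return the names that fail."""
    failures, prev = [], GENESIS
    for e in manifest:
        data = artifacts.get(e["name"])     # None if the artifact is missing
        actual = sha256_hex(data) if data is not None else None
        link = sha256_hex(f"{prev}|{e['name']}|{e['sha256']}|{e['timestamp']}".encode())
        if actual != e["sha256"] or e["prev"] != prev or link != e["chain"]:
            failures.append(e["name"])
        prev = e["chain"]
    return failures
```

For a real engagement the manifest itself would be signed by the sign-off chain the guidelines describe; the hash chain only proves that the retained set is intact, not who produced it.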

Failure to comply with these requirements, whether by the auditor or the auditee, can result in regulatory action, suspension or blacklisting, and in serious cases, criminal investigation and penalties under the Information Technology Act, 2000.

Boardroom Attention, Not Just IT

Entry and exit meetings are now to be held with the company's Board or executive management. The intent is to tear down the wall that often keeps upper management "out of the loop" on cyber posture. For the first time, top leadership of the auditee company will not only see but be held responsible for receiving and signing off on audit scope and findings.

Independence and Integrity: Zero Tolerance

The guidelines take no prisoners on auditor objectivity. Fees cannot be linked to findings or closure, conflicts must be actively managed, and all signs of undue influence are to be escalated to CERT-In immediately. Any hint of "pay for closure" or manipulation will not be a matter for a mere warning; it can result in suspension, debarment, or prosecution for breach of trust.

What Happens If the Company Slips Up?

The guidelines introduce a tiered penalty system. Most first-time lapses mean a warning and a formal corrective commitment. But serious or repeated issues, such as missed vulnerabilities, use of unqualified staff, or insecure data storage, bring suspension or blacklisting. In cases of deliberate malpractice or breach of trust, law enforcement can get involved, with penalties ranging up to one year's imprisonment or fines up to ₹1 lakh.

What This Means for the Real World

For CISOs and IT heads: routine is no longer enough. Ongoing asset inventory, disciplined change management, and proof-driven remediation are non-negotiable. For audit teams: professional discipline is on the line for every member, from junior testers to firm partners. For management: the era of finger-pointing or passing blame is over. The organisation as a whole is now accountable.

However, regardless of where the accountability lies, getting ready for a CERT-In cyber security audit can seem challenging. Success often depends on following a set of practical, well-planned actions while steering clear of avoidable pitfalls. Here is a quick reference to what can help the process run smoothly:

Practices that help you succeed

  • Keep senior management engaged from the planning stage through to closure.
  • Be transparent with your auditors by sharing complete, accurate details of your systems, policies, and any past reports.
  • Appoint a single point of contact to coordinate tasks and respond promptly to queries.
  • Maintain an updated inventory of all hardware, software, and applications in use.
  • Restrict system and data access to those who genuinely need it.
  • Support the agreed security testing — from penetration tests to VAPT and beyond.
  • Record every issue identified and follow through until it's resolved.
  • Treat audits as part of an ongoing cycle by planning for follow-ups in advance.
  • Store audit records securely, including versions, hashes, and timestamps.
  • Apply multi-factor authentication for all forms of remote access.

Practices that put you at risk

  • Withholding, misrepresenting, or delaying important information.
  • Restricting access to systems or assets that are already in the agreed scope.
  • Handing over complete control of the process to an external party instead of retaining ownership.
  • Allowing unapproved or unauthorised individuals to interfere with audit activities.
  • Treating the audit as a formality rather than an opportunity to strengthen your security posture.

Bottom Line

CERT-In's overhaul is less about paperwork and more about a real paradigm shift in India's cyber culture. When auditors and auditees act as partners in risk, and when both are compelled to document, disclose, and improve at every step, everyone is better protected. The question is not when and how companies will be audited, but how they will remain secure at all times and thus prepared for any audit that may follow.

Therefore, now is the moment to review your audit processes, contracts, and reporting lines. Because in 2025 and beyond, only organisations that embed security and audit transparency into their DNA will stay clear of penalties and stay ahead of the threats.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
