Introduction

On September 1, 2025, the Indian Computer Emergency Response Team (hereinafter referred to as 'CERT-In') issued the '15 Elemental Cyber Defense Controls for Micro, Small and Medium Enterprises (MSMEs)' (hereinafter referred to as 'MSME Guidelines') vide Guidelines No. CISG-2024-03. The MSME Guidelines prescribe 45 baseline recommendations for MSMEs to adopt in order to safeguard cyber infrastructure and confidential data, adhere to legal requirements, reduce financial risk, maintain customer confidence, guarantee operational continuity, gain a competitive advantage, support digital projects, and sustain business growth in an increasingly digital environment.[1]

Issued in furtherance of the Comprehensive Cyber Security Audit Guidelines released by CERT-In on July 25, 2025,[2] these Guidelines mandate that all MSMEs conduct baseline audits of the listed elemental controls through CERT-In empaneled auditing organizations at least once a year.

How can these MSME Guidelines be utilized?

The MSME Guidelines can be used by enterprises to determine their current level of preparedness against potential cybersecurity threats by conducting self-assessments. Baseline audits can be conducted on the basis of these Guidelines through CERT-In empaneled auditing organizations. The Guidelines can also be incorporated into the internal cybersecurity policies of MSMEs.[3]

What else do the MSME Guidelines prescribe?

The Elemental Cyber Defense Controls can be classified into two types of measures – organizational measures and technical measures:

Baseline Organizational Recommendations

Asset Management[4] – MSMEs need to maintain a centralized, continuously updated inventory of all assets, tracking their full lifecycle with proper identification, classification, and secure handling.

Awareness and Training[5] – Provide regular cybersecurity awareness training and participate in national programs to strengthen security culture and response readiness.

Governance and Compliance[6] – MSMEs must assign a security lead, maintain and update a comprehensive security policy, and comply with CERT-In and regulatory guidelines.

Access Control[7] – Enforce unique IDs, least-privilege role-based access, periodic reviews, and strict control of administrative rights with segregation of duties.

Physical Security[8] – Enforce strict physical access controls and asset-return procedures to protect critical infrastructure and prevent data or equipment loss.

Risk and Incident Management – It is recommended to maintain and regularly test an Incident Response Plan, complying with legal requirements and reporting cyber incidents to CERT-In within six hours.[9] Further, enterprises must enforce due diligence and equal security standards for all third parties to maintain a resilient and secure supply chain.[10]

Vulnerability Audits and Assessments[11] – Perform annual third-party vulnerability assessments and periodic risk assessments, with timely remediation to address identified threats.

Baseline Technical Recommendations

Network and Email Security[12] – The MSME Guidelines recommend enforcing layered network, wireless, remote access, and email security through firewalls, encryption, MFA, and anti-spoofing controls.

End Point and Mobile Security[13] – MSMEs need to ensure licensed, updated endpoint protection, restrict unauthorized software and removable media use, and integrate with national malware alert systems.

Secure Configurations[14] – It is recommended to maintain approved baseline configurations, disable unnecessary components, and replace default settings to reduce security risks.

Patch Management[15] – MSMEs should apply timely security updates and monitor trusted advisories to address vulnerabilities promptly.

Logging and Monitoring[16] – Maintain secure, jurisdiction-compliant logging with continuous monitoring and advanced analysis to detect and respond to threats.

Data Protection, Backup, and Recovery[17] – The MSME Guidelines prescribe the establishment of a regular backup schedule and the secure storage of encrypted copies across offsite and offline locations. Further, periodic testing of restoration procedures to verify data recoverability and system resilience is also recommended. Maintain a Business Continuity Plan for critical applications to ensure timely recovery, and securely dispose of physical and digital media through proper sanitization or destruction methods.

Cybersecurity in Smaller organizations – A broader layer of responsibility and accountability

The MSME Guidelines have been released just as the Digital Personal Data Protection Rules (hereinafter referred to as 'DPDP Rules') are around the corner. This indicates the regulatory intention of spreading the incidence of responsibility and accountability to smaller firms, so that they align their practices with the data protection requirements under the DPDP Rules. Acknowledging the economic costs involved in conducting cybersecurity audits, the MSME Guidelines prescribe the minimum standard of protection required of MSMEs, as compared to the requirements under the Comprehensive Cybersecurity Guidelines issued by CERT-In earlier.

