Understanding CERT-In's Comprehensive Cyber Security Audit Policy Guidelines

Ensuring Standardization and Preparedness Against Digital Threats

  • 08 Nov, 2025

COMPREHENSIVE CYBER SECURITY AUDIT POLICY – CERT-IN (2025)

(GS Paper III – Internal Security and Technology)

INTRODUCTION

The Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), has released the Comprehensive Cyber Security Audit Policy Guidelines (2025). This initiative aims to standardise the process of cyber audits across India, ensuring that organisations are better prepared to handle the growing number of digital threats.

PURPOSE

The policy seeks to:

  • Establish common standards for all cyber audits.
  • Ensure reliability and comparability in audit results.
  • Promote accountability among organisations and auditors.
  • Shift the focus from basic compliance to continuous cyber readiness.

WHO MUST FOLLOW

Auditors: Firms empanelled by CERT-In to perform cyber security audits.

Auditees: All public or private entities managing digital infrastructure such as data centres, websites, banking systems, hospitals, or government portals.

Example: A PSU bank’s data centre or a private hospital’s patient-data system must undergo regular cyber audits under this policy.

TYPES OF AUDITS COVERED

  • Network Security Audits: Evaluation of firewalls, routers, and security configurations.
  • Application Security Audits: Testing of websites and mobile apps for vulnerabilities.
  • Cloud and Data Centre Audits: Assessing data protection mechanisms in cloud environments.
  • AI and IoT System Audits: Ensuring devices such as smart meters or AI-based tools are safeguarded against cyber threats.
  • Industrial System Audits: Checking operational technology (OT) and control systems in power plants or factories.

Example: An audit of a city’s water-supply control system ensures that hackers cannot manipulate valves or pressure levels remotely.

PRINCIPLES OF AUDITING

  • Maintain independence and objectivity of auditors.
  • Ensure integrity, confidentiality, and evidence-based evaluations.
  • Adopt recognised frameworks like ISO 27001 and OWASP.
  • Base findings on verified results, not assumptions.

Example: If a vulnerability is found in a railway ticketing app, auditors must prove it through testing rather than speculation.

AUDIT PROCESS

  1. Planning: Identify systems and networks to be examined.
  2. Testing: Conduct vulnerability assessments and penetration tests.
  3. Reporting: Classify risks as low, medium, or high.
  4. Remediation: Implement corrective actions and verify effectiveness.
  5. Submission: Submit audit reports and metadata to CERT-In within five days of completion.

Example: After discovering weak passwords in a cloud portal, the auditor recommends multi-factor authentication, and the organisation confirms compliance before submission.

FREQUENCY OF AUDITS

  • At least once every year.
  • Additional audits whenever new IT systems are launched or major changes occur.

Example: Launching a new online payment gateway or updating hospital software requires a new audit cycle.

ROLES AND RESPONSIBILITIES

Auditee Organisation:

  • Maintain an updated inventory of all hardware and software assets.
  • Approve audit plans at the senior management level.
  • Implement corrective actions promptly.
  • Ensure audit-related data remains within Indian borders.

Auditor:

  • Maintain neutrality, confidentiality, and professionalism.
  • Use approved testing methodologies.
  • Submit all required documentation to CERT-In.
  • Refrain from using CERT-In’s name or logo for marketing purposes.

DATA HANDLING AND RETENTION

  • All data collected during audits must remain within India.
  • Encrypt data during storage and transmission.
  • Securely delete all audit data after project completion.

Example: Screenshots or test logs from a telecom audit must be deleted after submission to prevent misuse.

NON-COMPLIANCE

Failure to follow the policy may lead to:

  • Cancellation of auditor empanelment.
  • Legal or regulatory action under the IT Act, 2000.
  • Loss of eligibility for government contracts.

IMPACT AND SIGNIFICANCE

  • Establishes a national baseline for cyber safety.
  • Encourages stronger data protection and risk management.
  • Promotes proactive and resilient cyber infrastructure across sectors.

Example: A power-grid audit not only detects vulnerabilities but also recommends long-term safeguards such as network segmentation and offline recovery systems.

SYNOPSIS (75 WORDS)

The CERT-In Cyber Security Audit Policy (2025) introduces a national standard for digital safety audits across all sectors. It mandates annual or event-based audits, emphasises secure data handling within India, and promotes evidence-based evaluations using ISO and OWASP frameworks. The policy shifts India’s cybersecurity approach from mere compliance to proactive risk management and national-level resilience.

FAQs

What is the purpose of this policy?
To ensure all organisations follow consistent and reliable cybersecurity audit procedures.

Who conducts these audits?
CERT-In-empanelled auditors who are certified to assess IT systems.

How often are audits required?
At least once every year or after significant technological changes.

What happens after an audit?
The organisation must fix the reported vulnerabilities and report completion of corrective action to CERT-In.

What is the penalty for non-compliance?
Suspension of auditor empanelment or legal action under the IT Act.
