Understanding CERT-In's Comprehensive Cyber Security Audit Policy Guidelines (2025)

Ensuring Cyber Resilience Through Standardised Audits

  • 08 Nov, 2025

COMPREHENSIVE CYBER SECURITY AUDIT POLICY – CERT-IN (2025)

(GS Paper III – Internal Security and Technology)

Introduction

The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology, has introduced the Comprehensive Cyber Security Audit Policy Guidelines (2025). This policy aims to standardise how cybersecurity audits are conducted across India, ensuring that organisations remain resilient against rising digital threats and cyber vulnerabilities.

Purpose

The new policy ensures:

  • Common rules and methodologies for all cyber audits.
  • Reliable, comparable, and evidence-based audit results.
  • Enhanced accountability among auditors and auditee organisations.
  • A shift from mere compliance checks to continuous cyber readiness.

Who Must Follow

Auditors: CERT-In empanelled firms authorised to conduct cybersecurity audits.

Auditees: Public or private entities managing digital infrastructure — including data centres, banks, hospitals, telecom operators, and government portals.

Example: A PSU bank’s data centre or a private hospital’s patient management system must undergo regular cybersecurity audits as per the new policy.

Types of Audits Covered

  • Network Security Audits: Examination of firewalls, routers, and configuration settings.
  • Application Security Audits: Testing web and mobile applications for vulnerabilities.
  • Cloud and Data Centre Audits: Assessing data safety in cloud-based environments.
  • AI and IoT System Audits: Evaluating smart devices, sensors, and AI-driven platforms for cyber risks.
  • Industrial System Audits (OT/ICS): Reviewing cybersecurity controls in power plants, manufacturing units, or water utilities.

Example: An audit of a city’s water-supply control system checks that an attacker cannot remotely manipulate valves or pressure settings.

Principles of Auditing

  • Auditor independence and objectivity.
  • Integrity, confidentiality, and evidence-based assessment.
  • Use of globally recognised frameworks such as ISO 27001 and OWASP.
  • All vulnerabilities must be verified through actual testing.

Example: If a vulnerability is reported in a railway ticketing app, auditors must confirm it through testing rather than assumption.

Audit Process

  1. Planning: Define systems, applications, and networks to be tested.
  2. Testing: Conduct vulnerability assessments and penetration tests.
  3. Reporting: Categorise risks as low, medium, or high.
  4. Remediation: Implement fixes and verify resolution.
  5. Submission: Send audit reports and metadata to CERT-In within five days of completion.

Example: After detecting weak passwords in a cloud portal, the auditor recommends multi-factor authentication. The organisation fixes the issue and submits proof of compliance to CERT-In.

Frequency of Audits

  • At least once every year.
  • Additional audits required for new IT deployments or major system upgrades.

Example: Launching a new payment gateway or updating hospital management software requires a fresh cybersecurity audit.

Roles and Responsibilities

Auditee Organisation:

  • Maintain a complete inventory of all hardware and software assets.
  • Obtain top-management approval for audit plans.
  • Implement all corrective measures promptly.
  • Ensure audit data is not transferred outside India.

Auditor:

  • Maintain neutrality, integrity, and confidentiality.
  • Follow approved testing methodologies.
  • Submit audit reports and documentation directly to CERT-In.
  • Avoid using CERT-In’s name or logo for commercial promotion.

Data Handling and Retention

  • All audit-related data must remain within Indian borders.
  • Use encryption for all data storage and transfers.
  • Securely delete logs, screenshots, and test data after project completion.

Example: Screenshots or test logs from a telecom audit must be erased after submission to prevent data misuse.

Non-Compliance

Failure to adhere to the policy may result in:

  • Cancellation of auditor empanelment.
  • Legal or regulatory action under the Information Technology Act, 2000.
  • Loss of eligibility for government contracts and digital projects.

Impact and Significance

  • Establishes a national benchmark for cyber hygiene and digital safety.
  • Encourages adoption of robust data-protection and incident-response mechanisms.
  • Shifts focus from compliance-driven security to risk-based resilience.

Example: A power-grid audit not only identifies vulnerabilities but also recommends long-term measures like network segmentation and offline recovery systems.

Synopsis (75 Words)

The CERT-In Cyber Security Audit Policy (2025) introduces a unified national framework for cybersecurity audits across all sectors. It mandates annual or event-based audits, emphasises data protection within Indian borders, and relies on global standards like ISO and OWASP. The policy promotes evidence-based testing, strict reporting timelines, and secure data handling — transforming India’s approach from reactive compliance to proactive cyber defence.

FAQs

1. What is the purpose of this policy?
To ensure that all organisations follow consistent and reliable cybersecurity audit procedures.

2. Who conducts these audits?
Only CERT-In empanelled auditors who are certified to assess IT systems and networks.

3. How often are audits required?
At least once annually or after major technological upgrades.

4. What happens after an audit?
The organisation must fix all vulnerabilities and confirm compliance with CERT-In.

5. What is the penalty for non-compliance?
Suspension of audit empanelment, loss of project eligibility, or legal action under the IT Act.
