Cybersecurity leaders across the spectrum were expecting stronger regulations in India. This was because of the rise in cyber-attack cases plus the increasing use of modern technologies such as cloud, APIs and AI in business functions.
The Comprehensive Cybersecurity Audit Policy Guidelines (2025) issued by the Indian Computer Emergency Response Team (CERT-In) have raised the bar for public and private organization operating in the country. It is now mandatory to conduct annual cybersecurity audit.
Find out key takeaways from the just released guidelines in our blog 10 Points from the Latest CERT-IN Guidelines.
This blog explains how to implement CERT-In guidelines in a way that satisfies compliance needs. Moreover, how it can strengthen cyber resilience across the IT system and build long-term trust.
As a CERT-In empanelled auditor, our experts will walk you through what matters most, from checklists and phases to governance responsibilities and evidence expectations.
CERT-In Cybersecurity Audit Checklist
CERT-In’s guidelines emphasize on compliance to be comprehensive and evidence-backed. What does this mean for organizations? Leaders need to go beyond finding vulnerabilities. Instead, you should establish controls across your technology ecosystem. Based on the new guidelines, here’s what your cybersecurity audit checklist should include:
1. Scope Planning
Prepare updated asset inventory (systems, apps, network, OT/ICS, cloud, APIs, DBs, code review, incident response). Create diagrams showing infrastructure, dependencies, and high-risk zones. Include vendor/third-party and supply-chain risks in scope. Also, plan follow-up audits in the engagement.
2. Frequency
Schedule at least one audit every year (minimum requirement). Increase frequency for large, critical, or complex systems. Audit before any major change (migration, big configuration changes, new sensitive systems). Run periodic audits even without changes, based on risk.
3. Hosted/Third-Party Systems
Make sure that platform owner audits servers/platform. Plus, app/content owner audits application/backend with CERT-In-empanelled firm. Ensure audit report certifies app is free of exploitable issues. Include “secure by design” clauses in contracts for vendors, SaaS providers, and supply chain security.
4. Contracts & Governance
For critical apps, consider 2–3-year audit contracts. Define standards, report formats, re-validation, PoCs, timelines and tool approvals in contract.
5. Core Security Controls
This includes Access Control & Identity Management (least privilege, MFA enforcement), a documented Incident Response Framework aligned with CERT-In reporting, and Data Security Measures such as encryption, backups, and recovery testing.
6. Operational & Audit Assurance
This covers Patch, Change & Vulnerability Management (updates, scans, remediation, exception handling) along with Audit Evidence Controls like hashes, version logs, sign-offs, and artifact retention to ensure authenticity and traceability.
Unlike older approaches, the scope now extends to cloud, IoT, IIoT, AI systems, and SBOM (Software Bill of Materials).
Before, During and After the Audit
Implementing CERT-In guidelines requires leadership alignment before auditors even arrive, disciplined independence during, and accountability afterward.
1. Before the Audit
Ensure the CEO, CISO, and board approve the audit scope, audit frequency and remediation strategy. It is a CERT-In requirement for cybersecurity. Include secure-by-design into procurement and RFP processes so third-party systems are audit-ready. Conduct a self-assessment against the CERT-In checklist to eliminate low-hanging risks. Plus, nominate a compliance lead or partner early with a CERT-In empanelled auditor for readiness checks.
2. During the Audit
In this phase, there must be no conflict of interest. Audit results cannot be influenced by contracts, payments and outcomes. Share the intricate details only with authorized staff. In addition, evidence must be properly recorded, with asset hashes and signatures to guarantee authenticity.
Also, hold regular progress meetings. Leaders should expect open communication and documentation at every step. You should approve high-risk tests in writing as transparency is mandatory.
3. After the Audit
This is where compliance turns into resilience:
All findings must be scored using CVSS (severity) and EPSS (exploit likelihood) and fix critical issues first. A closure report is mandatory, with remediation timelines, responsible owners, and evidence attached. Store this data securely in India and submit the same to CERT-In within 5 days.
Organizations must schedule follow-up audits and maintain continuous monitoring. The board should review outcomes and link remediation to business KPIs like risk reduction and trust building.
What Should Be Done as Part of Audit?
A CERT-In audit is done to demonstrate security maturity. Here’s what leaders must ensure is done as part of the cybersecurity audit:
1. Adopt a Risk-Based Scope
The audit must align with your unique threat landscape, covering not just OWASP Top 10, but also domain-specific standards like OSSTMM, CSA CCM, and ISO/IEC frameworks (all listed by CERT-In).
2. Evidence, Not Assertions
Every claim about encryption, access controls and backup policies now require evidence. Therefore, organizations should make sure all security initiatives are backed by logs, system outputs and documented proof.
3. Severity Scoring & Prioritization
Audit findings are of no use without rich and easy to understand context. CVSS and EPSS scoring ensures IT security leaders can distinguish cosmetic gaps from potential, real risks.
4. Governance in Action
Senior management are now required to be in the action mode, not delegating compliance. They are expected to approve scopes, accept or reject risk, and authorize remediation strategies.
5. Transparency & Culture
Confidentiality agreements, professional ethics, and open communication must define the cybersecurity audit process. This sets the tone for treating compliance as a trust-building exercise with customers and stakeholders.
In short, how to implement CERT-In guidelines is not just about what IT does—it’s about how leadership drives governance, ownership, and accountability.
How CyberNX Can Help
CyberNX is a CERT-In empaneled organization, authorized to conduct official CERT-In cybersecurity audits and ISO 27001:2022 certified for information security management. Plus, the qualified team including auditors are listed in CERT-In profile.
If you want to know more about CERT-In body, CERT-In empaneled audit firms and who provides CERT-In certification to business organizations, read our blog CERT-In Guide.
CyberNX guide enterprises through audits and enable them to embed compliance into their operating model. From initial assessment to final CERT-In submission, the experts handle every aspect of your cyber security audit. The comprehensive approach ensures compliance and improves security posture of your organization.
Here’s how:
- Pre-Audit Planning: This includes complete digital asset inventory and defining audit scope and objectives. The experts also help with scheduling and resource planning plus create confidentiality agreements.
- Audit Execution: In this phase, auditors provide comprehensive security testing, regular progress meetings. We make sure there are minimal business disruptions during the auditing process and offer real-time issue reporting.
- Post-Audit Support: Detailed audit report, remediation guidance and CERT-In submission support are provided. Plus, follow-up audit planning is offered as and when required.
CyberNX also offers Vulnerability Assessment and Penetration Testing (VAPT) to identify and strengthen security weaknesses and Red teaming assessment to find gaps in the security defence.
For organizations asking how to implement CERT-In guidelines without slowing down growth, CyberNX acts as a strategic partner: independent, transparent, and deeply aligned with your business priorities.
Conclusion
The 2025 CERT-In guidelines mark a significant shift. Cybersecurity audits are no longer tick-box exercises. They are risk-led, evidence-based and leadership-owned.
For enterprises, the opportunity is clear. By preparing early, engaging fully, and embedding governance, you can build a foundation for trust with regulators, partners, and customers.
For CEOs, CTOs, CISOs, and founders wondering how to implement CERT-In guidelines effectively, the answer lies in treating compliance as resilience and choosing partners who understand both the regulation and the business realities.
At CyberNX, that’s exactly what we deliver. Contact us today.
FAQs
What happens if an organization fails to comply with CERT-In audit guidelines?
Non-compliance doesn’t just risk regulatory penalties – it can damage your reputation, weaken investor confidence, and delay partnerships where cybersecurity assurance is a prerequisite. CERT-In can also escalate oversight or mandate corrective measures. For businesses, the bigger cost is often the loss of customer trust and stalled growth opportunities.
How often should organizations conduct CERT-In aligned audits?
While the guidelines call for annual cybersecurity audits, forward-thinking organizations treat them as part of a continuous security lifecycle. Supplementing the annual audit with quarterly internal reviews or interim gap assessments ensures risks are addressed in real time, rather than accumulating until the next year’s audit.
Do CERT-In guidelines apply only to IT companies?
No. The scope extends well beyond IT firms. Any enterprise that operates critical ICT infrastructure – finance, healthcare, retail, manufacturing, e-commerce, logistics, or government vendors – is expected to comply. In fact, sectors with sensitive data or national importance face even stricter scrutiny.
How can startups and mid-sized companies manage the cost of compliance?
Compliance doesn’t have to be overwhelming or cost-prohibitive. Startups and mid-sized firms can adopt a phased approach – prioritizing core controls like access management, data security, and incident response first, then scaling to more advanced requirements. Partnering with a CERT-In empanelled auditor also ensures investments go toward fixing real risks, not just paperwork.
