CERT-In’s Comprehensive Cyber Security Audit Policy Guidelines

Note: This blog is issued in the public interest.

On July 25, 2025, the Indian Computer Emergency Response Team (CERT-In) released its Comprehensive Cyber Security Audit Policy Guidelines (Version 1.0): a structured, standardized audit framework that is mandatory for all CERT-In empaneled auditing organizations and for the auditee entities they assess.

In light of increasing cyber threats, digital transformation across sectors, and the growing complexity of compliance, the guidelines aim to bring rigor, consistency, and clarity to the entire audit lifecycle, from planning through reporting, remediation, and follow-up.

Let’s break down what’s new and what it means for you.


🎯 The Objectives Behind the CERT-In’s Comprehensive Cyber Security Audit Policy Guidelines

The guidelines serve three major purposes:

  1. Standardize cybersecurity audits with uniform frameworks, scope definitions, and evidence protocols.

  2. Define roles and responsibilities for both auditors and auditees — no more ambiguity in expectations.

  3. Promote continuous improvement — shifting from tick-box compliance to risk-driven, outcome-oriented audits.


🏢 Applicability – Who Must Comply?

  • Auditing Organizations: All CERT-In empaneled security auditors must align their processes, tools, and team deployments to these guidelines.

  • Auditee Entities: Government agencies, critical infrastructure providers, and any other organization that is audited by a CERT-In empaneled body.


📦 Scope of Audit Engagements

The guidelines prescribe audits across more than 25 categories including:

  • Vulnerability Assessment & Penetration Testing (VAPT)

  • Risk and Compliance Audits

  • Source Code Review

  • Cloud Security & OT/ICS Testing

  • Bill of Materials audits: SBOM (software), AIBOM (AI components), and QBOM (quantum components)

  • Red Team Exercises

  • AI/ML System Audits

  • Vendor Risk Assessments

The intent is end-to-end coverage of the digital estate: applications, cloud, endpoints, third-party risk, and AI systems.


📏 What’s Mandatory for Auditors

  • Score every reported vulnerability with both CVSS (technical severity) and EPSS (likelihood of exploitation in the wild).

  • Audit reports must be comprehensive and signed by declared, CERT-In approved personnel.

  • Recognized frameworks such as ISO/IEC standards, the CSA Cloud Controls Matrix (CCM), OSSTMM 3, OWASP ASVS, and CERT-In’s own Audit Baseline Requirements must be used.

  • Maintain strict data confidentiality, encryption, access control, and post-audit data disposal procedures.


🧩 Responsibilities of Auditee Organizations

  1. Top-Down Ownership: Senior management must review audit scopes, approve remediation actions, and own the cybersecurity posture; accountability cannot be delegated.

  2. Audit Readiness and Closure: Organizations must:

  3. Data and Process Governance


🚫 What’s NOT Allowed

  • Conflicts of interest: the same entity cannot both implement a control and audit it.

  • Payments linked to the audit outcome: auditor independence must be maintained.

  • Using CERT-In’s logo or name without written permission.

  • Deploying unauthorized or undeclared personnel during audits.


⚠️ Penalties for Non-Compliance

CERT-In has introduced a "Deter & Punish" framework for violations, escalating through:

  • Watchlist & Warning

  • Suspension

  • De-empanelment

  • Legal action under the IT Act and other applicable regulations

📣 Final Thoughts

CERT-In’s Comprehensive Cyber Security Audit Policy Guidelines are a major step toward building a resilient, secure-by-design India. They set the tone for how cybersecurity audits should be independent, risk-based, technically sound, and business-aligned.

For organizations, the time is now — to modernize audit practices, integrate automation, and transform compliance into a strategic advantage.

Source: The complete guidelines are published by CERT-In.


Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.