The Indian Computer Emergency Response Team (CERT-In), which was set up in 2004 as a functional body under the Ministry of Electronics and Information Technology (MeitY), released the Comprehensive Cyber Security Audit Policy Guidelines (version 1.0) in July 2025. These guidelines establish a national, standardised framework for conducting cyber security audits across both the public and private sectors. They aim to tackle cyber threats; ensure audit consistency with regard to quality, evaluation criteria, and reporting; and enhance India's digital resilience.
CERT-In’s guidelines are not mere recommendations. Rather, they are enforceable rules and procedures that all auditing firms and audited organisations must follow. They address the entire audit lifecycle, including planning, execution, reporting, follow-up, and remediation. They carry legal weight, as they are issued under CERT-In’s authority, granted by section 70B (subsections 4–7) of the IT Act 2000, and are enforceable for both auditing and audited organisations. Thus, the guidelines are intended to provide independent, impartial, and constructive recommendations in order to strengthen the auditee’s cyber security.
Some Guidelines
The core elements of some of the guidelines are listed below:
- Standardised Audit Procedures: Audits must use uniform frameworks and evidence protocols. This ensures consistent quality and comparability across sectors.
- Well-Defined Roles and Responsibilities: Clear accountability and well-defined responsibilities for both auditors and auditees are essential to avoid ambiguity. Auditors must follow prescribed methodologies while organisations remain responsible for remediation and ongoing risk management.
- 360-Degree Audit Scope: The guidelines require comprehensive coverage, i.e., moving beyond conventional IT infrastructure. Audits can now cover AI and blockchain systems, OT/ICS networks (operational technology/industrial control systems), cloud environments, software bills of materials (SBOM), web/mobile applications, and supply chain/vendor risks. The scope has expanded to include the cryptographic BOM (CBOM), the quantum BOM, the hardware/firmware BOM, and the AIBOM (AI-related components), reflecting broader digital asset transparency. The guidelines specify more than 25 audit categories for a comprehensive digital risk assessment.
- Global Standards Alignment: Audits must draw on international standards such as ISO/IEC 27001, CSA Cloud Controls Matrix (CCM), OSSTMM, OWASP ASVS, and CERT-In’s own baseline requirements. This ensures benchmarking against global standards.
ISO/IEC 27001 is the world’s best-known standard for information security management systems.
OSSTMM stands for Open Source Security Testing Methodology Manual.
OWASP ASVS stands for Open Web Application Security Project—Application Security Verification Standard.
- Dual Vulnerability Scoring: All vulnerabilities must be assessed using both CVSS (common vulnerability scoring system) for severity and EPSS (exploit prediction scoring system) for likelihood, improving risk prioritisation and remediation planning.
- Mandated Independence: CERT-In insists on audit independence—auditors’ compensation cannot be linked to findings, and auditors cannot conduct both implementation and audits for the same organisation. Any conflicts of interest must be escalated to CERT-In for resolution.
- Post-Audit Data Management: All audit data must remain within India only. It is to be stored and transmitted securely, encrypted both at rest and during transit. Moreover, it is required to delete the data securely post-audit, with certification of deletion. This strict handling ensures not only privacy but also compliance with data sovereignty rules.
- Audit Frequency and Trigger Conditions: Audits should be conducted at least annually. Additionally, any major change in a system or application (e.g., an infrastructure overhaul or technology migration) must trigger a new audit, with changes classified as ‘minor’ or ‘major’ for scope clarity.
- Rigorous Reporting and Oversight: Audit reports must be comprehensive. They need to be signed by CERT-In approved personnel and submitted to CERT-In within five days of completion. The agency reserves the right to review, join audit teams, and impose disciplinary measures against violations. This ensures transparency and accountability.
- Senior Management Accountability: Top-down ownership is enforced. Senior management responsibility cannot be delegated; they must approve audit scopes, oversee remediation, and ensure continuous internal assessment.
Why the Need for Guidelines?
India’s digital transformation has brought both vast opportunity and escalating risk. The proliferation of digital systems in government, business, critical infrastructure, and citizen services has made the threat surface immense, complex, and dynamic. Cyber-attacks, data breaches, and ransomware incidents have been rising, targeting both legacy systems and emerging technologies. In this situation, ad hoc or tick-box cyber security audits were inadequate. Instead, a standardised, rigorous, and risk-driven framework is required.
Some of the major factors responsible for the release of these guidelines are as follows:
- Increased Frequency and Sophistication of Attacks: Modern threats interact with AI, cloud, OT, and supply chains, demanding technical depth and wide audit coverage.
- Fragmented Regulatory Landscape: With multiple regulators, standards, and practices in play, audits often lacked consistency, comparability, and enforceability.
- Expansion to Private Sector: Initially, directives mainly covered critical national infrastructure and government agencies; now, private entities operating digital systems must comply, reducing nationwide cyber security gaps.
- Accountability and Continuous Improvement: Without clear guidelines, organisations struggled with audit preparation, risk prioritisation, and post-audit remediation. Senior management often delegated responsibility, leading to insufficient follow-through.
- Global Benchmarking: India must align with global standards to support international business, data protection, and cross-border digital flows. These guidelines help bridge gaps and put India on par with best cyber security practices worldwide.
Audit Lifecycle
The audit lifecycle under these guidelines consists of the following five phases:
- Preparation and Planning: This involves defining audit scope based on risk, business context, and threat landscape using approved frameworks such as ISO, CSA CCM, OSSTMM, OWASP ASVS, CERT-In baseline for scoping and methodology.
- Execution: This involves conducting risk and compliance audits, testing, source code reviews, cloud and OT/ICS assessments, vendor risk assessments, etc. This phase uses a combination of automated and manual testing tools for thorough assessment. Audit-only approaches are discouraged. In fact, audits accompanied by actionable remediation plans are encouraged.
- Reporting: This involves making comprehensive and accurate reports that must detail methodology, tools used, findings, CVSS/EPSS scores (CVSS/EPSS stands for common vulnerability scoring system/exploit prediction scoring system), remediation recommendations, and executive summaries. The reports need to be submitted within five days to CERT-In.
- Remediation and Oversight: This involves the auditee developing remediation plans and obtaining senior management approval for audits. It also involves carrying out the mandated continuous assessment of closed vulnerabilities, and audit contracts that include scope-change and data-handling clauses.
- Post-Audit Data Management: This involves ensuring that all data stays within India, securely deleted post-audit, and the auditee receives a certificate of deletion. CERT-In collects audit metadata for national oversight.
Significance of the Guidelines
These guidelines are significant for the following reasons:
- Holistic Approach: By mandating coverage for legacy and modern digital environments, from AI to OT/ICS, CERT-In ensures that organisations proactively address both established as well as emerging cyber risks.
- Transformation from Compliance to Strategy: The guidelines emphasise that audits should become strategic tools for resilience, not mere regulatory checkboxes. Risk-driven and domain-specific audits allow organisations to embed security into their business objectives and operations.
- Elevated Accountability and Transparency: The insistence on signed audit reports, senior management involvement, independent audit teams, and post-audit data handling sets new benchmarks for accountability and governance, increasing trust in the audit process.
- Continuous Improvement and Enforcement: Organisations are required not only to fix identified vulnerabilities but also strengthen internal security controls, develop remediation plans, and undergo review audits. CERT-In retains the disciplinary powers—watchlists, suspension, de-empanelment, and legal action against entities violating the guidelines.
- Strengthening National Cyber Security: By covering all entities managing digital systems—and empowering regulators to enforce more frequent audits in high-risk sectors—India's cyber security is enhanced significantly. The requirement for audits in cases of major changes such as technology migration makes cyber security dynamic and adaptive.
- Global and Domestic Data Protection: The strict requirements for audit data handling support India’s data sovereignty goals. Secure storage, access control, encryption, and certified deletion help protect sensitive information during and after audits.
- Professionalisation of Cyber Security Audits: By enforcing rigorous standards for both auditors and auditees, including independence, ethical conduct, and continuous professional development, CERT-In raises the standard of cyber security professionals and service providers nationwide.
- Quantitative Outcome Measurement: Through required adoption of CVSS and EPSS scoring for vulnerabilities, organisations gain actionable, prioritised insights, improving remediation efficiency and resource allocation.
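The dual-scoring requirement described above (Dual Vulnerability Scoring, and Quantitative Outcome Measurement here) is easiest to understand as a small ranking procedure. The following is an added example written for this page, not code from CERT-In or from the guidelines. It assumes the CVSS v3.x qualitative rating bands (0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, 9.0–10.0 Critical) and treats EPSS as the published probability (0.0–1.0) that a vulnerability will be exploited in the wild. The priority thresholds (EPSS ≥ 0.1, CVSS ≥ 7.0) and the sample findings are constructed for illustration; the guidelines themselves prescribe no specific thresholds.

```python
"""Dual-score vulnerability prioritisation: CVSS severity combined with EPSS likelihood.

Added example (not part of the CERT-In guidelines). Thresholds and sample data are
assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float  # CVSS base score, 0.0-10.0 (severity)
    epss: float  # EPSS probability, 0.0-1.0 (likelihood of exploitation)

    def __post_init__(self) -> None:
        # Reject scores outside the ranges each scoring system defines.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.finding_id}: CVSS {self.cvss} outside 0.0-10.0")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.finding_id}: EPSS {self.epss} outside 0.0-1.0")


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed thresholds: High/Critical severity, and EPSS at or above 10 %.
CVSS_THRESHOLD = 7.0
EPSS_THRESHOLD = 0.1
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2}


def priority_tier(f: Finding) -> str:
    """P1 = severe AND likely; P2 = one of the two; P3 = neither."""
    severe = f.cvss >= CVSS_THRESHOLD
    likely = f.epss >= EPSS_THRESHOLD
    if severe and likely:
        return "P1"
    if severe or likely:
        return "P2"
    return "P3"


def risk_score(f: Finding) -> float:
    """Severity weighted by likelihood; used only to order findings within a tier."""
    return f.cvss * f.epss


def rank(findings: list[Finding]) -> list[Finding]:
    """Order findings by tier, then by risk score, then by CVSS, then by id (stable)."""
    return sorted(
        findings,
        key=lambda f: (TIER_ORDER[priority_tier(f)], -risk_score(f), -f.cvss, f.finding_id),
    )


def tier_counts(findings: list[Finding]) -> dict[str, int]:
    """Summary an executive section of the report might carry: findings per tier."""
    counts = {"P1": 0, "P2": 0, "P3": 0}
    for f in findings:
        counts[priority_tier(f)] += 1
    return counts


# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("F-001", cvss=9.8, epss=0.92),  # critical and actively exploited
    Finding("F-002", cvss=9.1, epss=0.02),  # critical on paper, rarely exploited
    Finding("F-003", cvss=5.3, epss=0.45),  # medium severity, but likely to be hit
    Finding("F-004", cvss=3.1, epss=0.01),  # low on both axes
    Finding("F-005", cvss=7.5, epss=0.10),  # sits exactly on both thresholds
]


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority_tier(f)}  {f.finding_id}  CVSS {f.cvss:4.1f} ({cvss_rating(f.cvss):8s})"
              f"  EPSS {f.epss:.2f}  risk {risk_score(f):.3f}")
    print(tier_counts(SAMPLE_FINDINGS))
```

The point the example makes is the one the guidelines rely on: CVSS alone would put F-002 ahead of F-003, while adding EPSS pushes the medium-severity but likely-exploited finding above the rarely-exploited critical one, which is usually the better use of a remediation team's time.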
Conclusion
To conclude, these guidelines not only represent technical protocols but also embody a strategic shift towards risk-based, business-aligned, and globally benchmarked cyber security governance. By transforming audits from compliance checks into engines of resilience, enforcing rigorous frameworks, and mandating both independence and senior management accountability, these guidelines secure India’s digital transformation against an evolving threat landscape.
For organisations, auditors, and regulators, the message is unequivocal: cyber risks require continuous, disciplined, and collaborative mitigation. Not only do the guidelines protect IT infrastructure, but they also fortify the foundations of digital trust, data protection, and economic growth in the digital age.
© Spectrum Books Pvt Ltd.
