Strengthening India’s Cyber Defence: Legal Analysis of CERT-In’s Cyber Security Audit Policy Guidelines

On July 25, 2025, CERT-In issued its Comprehensive Cyber Security Audit Policy Guidelines (“Guidelines”) under its statutory authority pursuant to Section 70B of the Information Technology Act, 2000, and the CERT-In Rules, 2013. These Guidelines aim to standardize and enhance cybersecurity audits across both public and private sectors.

  1. Legal and Statutory Framework

CERT-In derives its statutory authority from Section 70B of the Information Technology Act, 2000, which empowers it to issue directions to service providers, intermediaries, and any person in the interest of cyber security. The revised Guidelines have been issued under this mandate and are binding on all notified entities. Non-compliance may invoke penal consequences under Section 70B(6), as well as under Sections 69, 69A and 69B where applicable.

  2. Key Enhancements

  2.1 Widened Scope of Applicability

The updated Guidelines significantly expand their reach by explicitly including both public and private sector entities. In addition to government departments and Critical Information Infrastructure (CII) operators, mandatory compliance has now been extended to data centres, cloud service providers, VPN providers, and virtual asset service providers, including cryptocurrency exchanges and custodial wallet operators. This expansion reflects a regulatory shift from the earlier approach, which did not uniformly mandate audits across private digital infrastructure providers.

  2.2 Mandatory Cybersecurity Audit Lifecycle

All entities falling within the ambit of these Guidelines must now undergo annual cybersecurity audits conducted exclusively by CERT-In empanelled auditors. For critical sectors, the frequency of audits may be intensified based on risk exposure. Importantly, the audit scope has been broadened to include governance and risk assessment frameworks, Vulnerability Assessment and Penetration Testing (VAPT), red teaming exercises, and audits of emerging technologies such as AI/ML systems, IoT networks, cloud platforms, and blockchain-based solutions. This represents a considerable departure from the earlier, generic requirement of merely conducting periodic assessments.

  2.3 Principles of Audit Integrity and Independence

Auditors must not have any conflict of interest with the entity being audited, and their remuneration must not be contingent on audit outcomes. Further, auditors are subject to enforceable obligations of ethical and confidential conduct throughout the audit lifecycle. These enhancements formally institutionalise audit integrity, which was earlier governed more by industry best practices than by statutory mandate.

  2.4 Structured Audit Lifecycle

The audit process is now governed by a structured and standardised lifecycle encompassing all key phases: pre-audit planning and scoping, execution and risk identification, and post-audit reporting and mitigation follow-up. Importantly, all audits are to be conducted in alignment with internationally recognised frameworks such as ISO/IEC 27001, which enhances standardisation, accountability, and cross-sector comparability.

OPERATIONAL AND COMPLIANCE IMPLICATIONS

Entities must now operationalise these legal mandates across internal teams and governance mechanisms:

  1. Senior leadership, particularly CISOs, are made directly accountable for audit compliance;
  2. System logs must be retained for a minimum of 180 days, stored within India, and provided to CERT-In on demand;
  3. Cybersecurity incidents must be reported within six hours of detection, continuing the short response window set by earlier directions;
  4. All stakeholders, including third-party vendors, must align with the entity’s audit governance framework.

These changes reinforce CERT-In’s broader strategic aim: to elevate audits from a mere compliance exercise to a continuous, forward-looking risk management function.

CONCLUSION

CERT-In’s revised audit guidelines mark a definitive shift from reactive to preventive cybersecurity regulation in India. The emphasis is not only on audit compliance but on cyber governance as a board-level responsibility. Entities, especially in BFSI, fintech, e-commerce, and cloud service domains, must now treat cybersecurity audits not as optional hygiene but as a core component of operational compliance.

As India’s digital economy expands, legal frameworks like these are critical for safeguarding trust and continuity. The cost of non-compliance is no longer just monetary: it is reputational.

For legal teams and compliance officers: now is the time to strengthen cyber audit readiness and treat CERT-In compliance as a non-negotiable regulatory standard.
