New Cybersecurity Audit Guidelines by Cert-In

The Indian Computer Emergency Response Team (Cert-In) has issued new mandatory guidelines for cybersecurity audits targeting both private and public-sector organizations.

Key Directives

• Organizations owning or operating digital systems must undergo a third-party cybersecurity audit at least once a year.
• Audits should be risk-based and domain-specific, aligning with the business context and threat landscape.
• Sectoral regulators have the discretion to mandate more frequent audits if necessary.
• The guidelines aim to enhance cyber hygiene amidst rising digital threats and infrastructure breaches.

Compliance and Security Measures

• A cybersecurity audit is required for major changes to systems, including technology migration and configuration adjustments.
• Organizations must conduct: 
  • Risk and vulnerability assessments
  • Penetration testing
  • Network infrastructure and operational audits
  • Information security testing, including source code review
• The principle of “least privilege” must be implemented to minimize access permissions for employees.
• For remote access, all connections must be tunnelled, encrypted, and logged, with Multi-Factor Authentication (MFA) being mandatory.

Guidelines for Cybersecurity Auditors

• Auditors must conduct independent assessments of security practices and controls.
• In cases where assets are unavailable for audit, a detailed reason must be reported.
• To avoid temporary security measures, audit notifications should be limited to key personnel.

Statistics and Implementation

• Cert-In has empanelled 200 companies to conduct these audits.
• In the year 2024-25, 9,708 audits were conducted.