Aug 01, 2025

Strengthening India’s Cyber Defence: CERT-In’s New Cyber Security Audit Guidelines Decoded

I. BACKGROUND

On July 25, 2025, the Indian Computer Emergency Response Team (“CERT-In”) issued the Comprehensive Cyber Security Audit Policy Guidelines (“Guidelines”). CERT-In is the national agency established under Section 70B of the Information Technology Act, 2000 (“IT Act”) to perform functions in the area of cyber security, including coordination of incident response activities and the issuance of guidelines and advisories relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

The Guidelines have been issued by CERT-In in discharge of its statutory mandate to enhance India’s cyber security posture. This is in line with its powers under Section 70B of the IT Act to call for information from, and give directions to, service providers, intermediaries, data centres and body corporates. The enabling provisions of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 also require CERT-In to provide services relating to information security assurance and audits.

II. APPLICABILITY

The Guidelines apply to all organizations empaneled by CERT-In as auditing organizations (“Auditors”) and to organizations that own or operate the information technology systems, processes and infrastructure being evaluated or assessed by a CERT-In empaneled Auditor (“Auditees”). The Guidelines are intended for organizations in both the public and private sectors that are required to, or are seeking to, evaluate their cyber security posture, identify vulnerabilities, assess risks, and ensure compliance with applicable regulatory standards and industry best practices.

Accordingly, organizations that undertake cyber security audits under applicable laws and regulations, as well as those seeking voluntary audits by CERT-In empaneled Auditors, would need to adhere to the Guidelines. For instance, entities regulated by the Reserve Bank of India, the Securities and Exchange Board of India, etc., are required under their respective regulatory frameworks to undertake mandatory cyber security audits through CERT-In empaneled Auditors.

III. GUIDELINES – KEY HIGHLIGHTS

  1. Scope of Engagements Covered: The Guidelines provide a non-exhaustive list of the types of cyber security audits and assessments covered, such as compliance audits, risk assessments, vulnerability assessments, penetration testing, network infrastructure audits, IT security policy review and assessment, source code review, application security testing, red team assessment, cloud security testing, internet of things security testing, artificial intelligence system audits, software, quantum and artificial intelligence bill of materials (SBOM, QBOM and AIBOM) auditing, blockchain security audit, etc.
  2. Basic Principles of Audit: The Guidelines emphasise that the effectiveness of a cyber security audit relies on adherence to fundamental principles such as independence, objectivity, integrity, professional skepticism, professional judgment, professional care, confidentiality, transparency and accountability. As per the Guidelines, Auditors should remain free from bias, conflict of interest, and external influence. To ensure objectivity and independence from undue influence, the commercial arrangements between the Auditor and the Auditee must be structured such that payments are not contingent upon the outcome of the audit, nor tied to the submission or approval of any closure reports.
  3. Applicable Standards and Frameworks: The Guidelines provide that Auditors must use industry-standard methodologies and best practices for security testing, and discourage purely tool-based testing so that non-automated and manual components are also covered. Applications developed without any secure design and development practices should not be taken up for audit; the Auditor should inform the Auditee of this position in writing, with a copy to CERT-In.
  4. Audit Process:
  • Selection of Auditor:
  • Organizations or sectoral regulators should utilize the snapshot of skills and competencies of CERT-In empaneled Auditors, as published on the CERT-In website, to map their specific requirements and effectively identify and select suitable Auditor organizations based on their competencies. Auditees should also verify the technical credentials of manpower deployed for the audit (in line with the qualification requirements mentioned at “Guidelines for applying for Empanelment” published on CERT-In’s website).
  • For critical applications or those with high user reach, Auditee organizations should award audit contracts for 2-3 years to enable periodic audits.
  • If the Auditor’s credibility becomes uncertain, the contract should allow the Auditee to terminate the engagement and appoint another Auditor within a reasonable timeframe, so as to minimize financial loss for both parties.
  • Planning:
  • For Auditors: Before the audit assignment commences, the Auditor must inform the Auditee that the Auditor is required to share audit metadata and audit reports with CERT-In within five days of audit completion. Audit data must be securely handled, with defined protocols for storage, access and destruction. The auditing team and tools must be pre-approved, and any high-risk tests, including penetration tests, tests involving survivability failures, denial of service, or social engineering, require the Auditee’s prior written consent.
  • For Auditees: Auditee organizations must define a comprehensive scope covering all digital assets, including applications, networks, cloud infrastructure, OT/ICS environments, and APIs. Cybersecurity audits must be conducted at least annually, with higher frequencies determined by sectoral regulators or based on asset criticality and digital complexity. Major system changes such as technology migrations or configuration updates impacting sensitive data must trigger mandatory audits.
  • ‘Cyber Security Audit Baseline Requirements’ document published on CERT-In’s website should be used by Auditees and Auditors to build their audit program.
  • Terms of Engagement: The Auditee and the Auditor must execute a formal engagement agreement or letter that ensures clarity of purpose, establishes mutual expectations, and defines the responsibilities of all parties involved. The agreement must clearly identify the audit type (e.g., VAPT, configuration audit, compliance audit), the systems and environments in scope, the applicable frameworks and standards (such as ISO/IEC standards and CERT-In guidelines), and the format of reports. It should also cover data handling, including access controls, storage, retention and disposal practices.

 The engagement terms must include the right to revise the scope if significant changes arise, such as new infrastructure, evolving risks or regulatory updates. Any revision must be documented with mutual consent. To ensure confidentiality, a signed Non-Disclosure Agreement (NDA) is mandatory. If required, the Auditee may include liability clauses covering the Auditor and its personnel.

  • Performance of Audit:
  • For Auditors: Auditors should verify compliance with the CERT-In Directions issued under sub-section (6) of Section 70B of the IT Act on April 28, 2022 in every audit assignment, and report the findings, along with relevant evidence, in the audit report. The Auditor should also comply with all applicable regulations, acts and circulars issued by regulators and the Government concerning data security and privacy. Any breach or other high-risk vulnerability discovered should be assessed and reported immediately to the Auditee and CERT-In. A maker-checker process should be implemented to enhance the quality and effectiveness of security assessments.
  • For Auditees: Auditees should limit disclosure of the audit to key personnel, so that staff do not temporarily tighten security measures and distort the results. Through a scheduled cadence of progress meetings, the Auditee should monitor that the audit is executed as per the tests agreed under the audit contract and that the prescribed timelines are adhered to.
  • Forming an Opinion, Conclusion and Reporting:
  • The audit report must present a clear, objective assessment of the Auditee’s cyber security posture based on the evidence gathered during the engagement. It must be comprehensive yet precise, covering the audit scope, methodology, tools used, testing processes, observations, and any limitations or exclusions.
  • Auditors are expected to classify vulnerabilities using standardized frameworks: each observation or vulnerability should be rated for severity using the Common Vulnerability Scoring System (CVSS), supplemented with the Exploit Prediction Scoring System (EPSS) to assess the likelihood of real-world exploitation. Every reported observation or vulnerability must also be mapped to a Common Weakness Enumeration (CWE) identifier and a Common Vulnerabilities and Exposures (CVE) number.
  • The audit report should provide well-structured findings, conclusions and actionable recommendations. The controls and remedies suggested in the report should be practical and implementable. Vulnerabilities rated ‘critical’ or ‘high’ must be notified by the Auditor to the Auditee on an as-and-when-found basis during the audit and reported in the Final Outcome Report. The final audit report should be issued only after closure of the vulnerabilities and completion of a follow-up audit of the application hosted in the production environment. If the audit scope is limited to a staging platform, the report must explicitly state that the audit was not conducted on the production environment.
  • Auditee-related data should be stored only on systems located in India, with adequate safeguards; the Auditor should keep the Auditee informed of the means and location of storage and seek the Auditee’s consent where necessary. Auditee-related data may be shared only with the Auditee’s prior written consent, except where disclosure is mandated by Indian law or required by regulators or authorities such as CERT-In. Sharing with any foreign entity is strictly prohibited unless explicitly authorized in writing by the Auditee.
  • The audit report must be signed by the assigned auditors, reviewed by a mid-management reviewer not involved in the audit, and authorized and signed by the head of the auditing organization (e.g., Director or CEO).
  • The Auditee may request clarifications or justifications for any evidence presented, and the Auditor must respond within a mutually agreed timeframe.
  • Effective communication with IT governance stakeholders, including CISOs and senior management, is essential. Auditors must present findings, risks, and recommendations in clear, accessible terms for both technical and non-technical audiences. Each engagement should begin with an onboarding session to align expectations and end with an exit briefing to summarize key outcomes and ensure accountability.

IV. CONSEQUENCES – NON-COMPLIANCE

The Guidelines provide for a graded enforcement mechanism depending on the severity of non-compliance, referred to as the ‘deter & punish’ mechanism.

  • Placing in watch-list with warning and written commitment – for inadequate closure of non-compliances, inadequate sample details, violating CERT-In terms having minor impact, etc.
  • Suspension of empanelment – for adverse feedback regarding technical competency, violating CERT-In terms having major impact, multiple adverse reports of missing vulnerabilities, etc.
  • Debarment as per General Financial Rules and De-empanelment by CERT-In – for auditing malpractices, substandard services, etc.
  • Penal and legal actions as per applicable law – for breach of trust, digital break-in, damage to Auditee infrastructure, etc.

Notably, these consequences have been prescribed primarily for Auditors and not Auditees. Nevertheless, in our view Auditees would have recourse through contractual remedies as well as other remedies available under criminal and civil laws.

V. TAKEAWAYS

The primary objective of the Guidelines appears to be to provide a structured and standardized framework for conducting cyber security audits within organizations, by identified cyber security auditors who have the requisite skills to do so. The Guidelines aim to cover the entire lifecycle of the audit process, from initial planning to final reporting and follow-up actions, together with the consequences of non-compliance. They also prescribe certain fundamental measures that Auditees should take to mitigate the potential impact of a security breach, such as access control measures including least-privilege access and restricted remote access.

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.