Under the IT Act, 2000, the Indian government has launched official rules for cybersecurity audits via CERT-In. The Comprehensive Cyber Security Audit Policy Guidelines aim to bring consistency across organizations. Yet, the flexibility in interpretation has sparked debate about compliance expectations and potential overlaps with the 2023 Digital Personal Data Protection Act.
Inside the CERT-In Audit Framework
CERT-In’s new guidelines outline the complete lifecycle of a cybersecurity audit—from planning and execution to final reporting. Here's a look at the key areas they address:
Scope of Applicability
CERT-In’s guidelines are applicable to both empaneled auditors and organizations conducting cybersecurity audits, whether by requirement or choice. Covered entities include government agencies, critical infrastructure, telecom, finance, healthcare, and any business dealing with sensitive or regulated data.
Scope and Frequency of Audits
CERT-In mandates that audits assess security compliance and risks in domains such as cloud systems, IoT, application security, industrial control systems, supply chains, and physical infrastructure. While audits should be performed yearly or after significant infrastructure changes, the guidelines don’t clearly define what counts as “significant,” leaving room for subjective judgment.
Standards and Methodologies for Audits
Auditors are required to adhere to globally recognized frameworks, including ISO/IEC standards, OWASP, OSSTMM, and the CSA Cloud Controls Matrix, along with relevant CERT-In advisories. They must also document their methodology, use CVSS and EPSS for scoring vulnerabilities, and ensure complete confidentiality throughout the audit process.
Mandatory Follow-Up and CERT-In Oversight
The guidelines require organizations to fix any vulnerabilities found during the audit and to verify remediation through additional reviews. Failure to comply—or submitting a subpar audit—can lead CERT-In to remove auditors from its list or initiate legal proceedings against the concerned parties.
Ambiguity in Compliance Scope
Although the guidelines highlight critical infrastructure and digital services, their broad wording potentially applies to any organization with cybersecurity duties. A mid-sized tech firm working with a regulated client could be pulled into the audit regime, despite not being the original focus. With no exemptions or compliance tiers for smaller entities, there’s a real risk of regulatory overreach and strain on limited resources.
Overlapping Yet Disconnected: CERT-In and DPDP
The release of CERT-In’s audit guidelines coincides with rising compliance pressure under the DPDP Act, 2023. Both sets of rules aim to enhance cybersecurity and data privacy, but there’s no defined alignment between them. According to Section 8(5) of the DPDP Act, Data Fiduciaries are obligated to adopt reasonable security measures to protect personal data:
“The Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf, by taking reasonable security safeguards to prevent personal data breach.”
This applies to any company that collects or processes personal data regardless of size.