In a first, the Indian Computer Emergency Response Team (Cert-In) has made it mandatory for private and public-sector organisations that own or operate digital systems, processes, or infrastructure, to undergo a comprehensive third-party cybersecurity audit at least once a year.
This is the first such directive for the private sector.
The guidelines also allow sectoral regulators to mandate more frequent audits where they consider it necessary.
In a set of guidelines issued for all public-sector and private companies, Cert-In has stated cybersecurity audits should adopt a risk-based and domain-specific approach, aligning with the business context, threat landscape, and operational priorities of the company being audited.
Business Standard has reviewed a copy of the new guidelines.
The new guidelines, aimed at tightening cyber hygiene across sectors, come amid a surge in digital threats and a rising number of breaches targeting critical infrastructure.
Cert-In, the agency under the Ministry of Electronics and Information Technology responsible for digital-risk analysis, assessment, and prevention, has mandated “a cybersecurity audit to evaluate potential vulnerabilities, ensure compliance, and mitigate security risks before implementation” for any major change, such as a systems overhaul, technology migration, or configuration adjustment, that affects sensitive data or critical infrastructure.
Both public-sector and private companies dealing in any form of digital infrastructure must therefore conduct an independent third-party audit after every major change to the infrastructure and applications behind the company’s offerings, in addition to the annual audit.
These organisations must also conduct a comprehensive risk and vulnerability assessment, penetration testing, a network infrastructure and operational audit, an information technology security policy review, information security testing, a source code review, and security testing of processes, communications, applications, and mobile applications, in accordance with the guidelines of Cert-In.
Organisations are also required to implement the principle of “least privilege” — ensuring that any employee has the “minimum level of access permissions necessary to perform their specific roles or function”.
For a company offering remote access to its employees, all access to the organisation’s cyber-infrastructure must be “tunnelled, encrypted and logged” to prevent misuse.
“Multi Factor Authentication (MFA) is mandatory for remote access of the cyber infrastructure,” Cert-In said in its new guidelines.
The agency has also released comprehensive guidelines for cybersecurity auditors who are empanelled with it and can conduct these audits.
In these guidelines, Cert-In has stated auditors will be required to conduct an independent assessment of various companies’ security practices, systems, and controls.
If any asset within the agreed scope of digital products and services is not made available to the auditors by the auditee, the auditors must state this in their report, along with the reason given for withholding the asset, and bring the report to Cert-In’s notice.
To date, Cert-In has empanelled 200 companies to conduct these audits. As part of the exercise, the empanelled auditors should, at a minimum, perform dynamic application security testing, vulnerability assessment and external penetration testing, denial-of-service and distributed denial-of-service testing, and social engineering tests to measure the strength of the company’s digital defences.
“To prevent a temporary increase in security measures solely for the duration of the audit, the auditee organisation should limit notification about the auditing/testing to key personnel only,” Cert-In said.
In 2024-25, Cert-In conducted 9,708 audits, of which 7,547 were in banking, financial services and insurance, 1,579 in the power and energy sectors, and 582 in transport, according to government data.
Greater scrutiny
Firms dealing in any form of digital infrastructure must conduct an independent third-party audit after every major change
Ensure employees have “minimum level of access permissions necessary to perform specific roles”
All access to an organisation’s cyber infrastructure must be “tunnelled, encrypted and logged” to avoid misuse