How CERT-In’s Updated Cybersecurity Guidelines Affect Compliance Standards

The Indian government has introduced official rules for conducting cybersecurity audits. CERT-In (the Indian Computer Emergency Response Team) has published the Comprehensive Cyber Security Audit Policy Guidelines under the IT Act, 2000. The guidelines aim to make the audit process consistent across various types of organisations.

Although the rules explain the process clearly, some parts are still vague. These unclear rules leave companies confused, especially when they also have to follow other laws like the DPDP Act, 2023.

What Do the Guidelines Include?

1. Who Must Follow Them?

CERT-In’s rules apply to two groups:

  • Auditors officially approved (empanelled) by CERT-In.
  • Any organisation that has its cybersecurity audited, whether because it is required to or because it chooses to.

This includes government bodies, telecom operators, banks, hospitals, and any business that handles sensitive or regulated data.

2. What Should the Audit Cover?

Audits must:

  • Check if an organisation is following cybersecurity rules.
  • Find security gaps or weak points.
  • Review areas like cloud systems, IoT (Internet of Things), apps, supply chains, and even physical security measures.

The guidelines recommend that organisations perform audits at least once a year or after major IT changes. However, they don’t explain what qualifies as a “major” change, leaving it open to interpretation.

3. Which Standards Must Be Followed?

Auditors need to follow global security standards such as:

  • ISO/IEC standards
  • OWASP (for application security)
  • OSSTMM
  • CSA’s Cloud Controls Matrix

They must also:

  • Use CERT-In’s advisories.
  • Apply risk scoring methods like CVSS and EPSS.
  • Keep the audit findings confidential.

4. What Happens After the Audit?

Companies must:

  • Fix any problems found in the audit.
  • Do follow-up reviews to confirm issues are resolved.

If an audit is poorly done or a company doesn’t take action, CERT-In may:

  • Take legal steps.
  • Remove the auditor from their approved list.

The Confusion Around Compliance

Although CERT-In names specific sectors, the rules are written in broad terms. This means any company dealing with user data or serving regulated industries could fall under these rules—even if not directly mentioned.

Also, there are no exemptions for small businesses. A small startup may be expected to meet the same standards as a national telecom provider. This creates a potential problem for businesses with limited resources or legal knowledge.

How the DPDP Act Adds Complexity

The DPDP Act, 2023 already requires businesses that handle personal data to take reasonable steps to prevent data leaks. One of its key points says:

“The Data Fiduciary shall protect personal data… by taking reasonable security safeguards to prevent personal data breach.”

This applies to all businesses, no matter their size.

For larger businesses classified as Significant Data Fiduciaries (SDFs), the law adds more duties:

  • Appoint an independent data auditor.
  • Conduct Data Protection Impact Assessments (DPIAs).
  • Carry out regular data audits.

CERT-In’s new guidelines also demand audits—but under a separate system. There’s no clarity on:

  • Whether a CERT-In audit will meet the DPDP Act’s audit requirements.
  • If breach reports filed with CERT-In count for DPDP compliance.
  • How to avoid doing the same audit twice under two laws.

Why These Questions Matter

The new CERT-In guidelines are important. They set a clear format for how companies should do cybersecurity audits. But they also create confusion if there’s no alignment with other laws.

For example:

  • How often should audits be done if no time frame is given?
  • What counts as a “major” change requiring a new audit?
  • Will businesses have to report the same cyber incident to multiple regulators?
  • Can CERT-In and DPDP audits be combined, or must they be separate?

Until regulators explain how these systems work together, companies may face double work, higher costs, and greater legal risks. These rules aim to strengthen India’s cybersecurity, but without better coordination between laws, they might create more problems for businesses.
