On July 25, 2025, the Indian Computer Emergency Response Team (CERT-In) released guidelines that seek to provide a structured and standardised framework for conducting cybersecurity audits within organisations.
Some of the key features of the new guidelines are outlined below:
- Applicability: The guidelines are applicable to all CERT-In empanelled auditing organisations and auditee entities (i.e., those that own/operate the systems, processes, and infrastructure being evaluated or assessed by these auditors).
- Responsibilities: Both auditors and auditees have wide-ranging responsibilities under the guidelines. Auditees must follow cybersecurity auditing-related advisories and directions issued by CERT-In, implement recommended actions after receiving the audit findings, carry out continuous internal audits/assessments, etc. As for auditors, the guidelines inter alia require all audit team members to have valid non-disclosure agreements (NDAs) in place with their employer organisations. Based on the specific project requirements, they may also be required to sign a separate NDA with the auditee organisation, with the employer organisation being duly informed of such an arrangement.
- Audit planning: The guidelines enumerate the points that need to be taken into account while finalising the scope of the audit. They also elaborate on audit frequency, identification and inclusion of critical assets, etc.
- Performance of the audit: Guidelines for auditee organisations encompass preparing the audit environment (e.g. limiting notification about the auditing/testing to certain identified key personnel), managing access and testing credentials, monitoring audit execution, and adhering to regulatory guidance. Those for auditing organisations cover aspects such as pre-audit preparation (including discussion on the scope of work), compliance and confidentiality, and others.
- Non-compliance: Action will be taken in case of adverse reports, violation of these guidelines or of the terms and conditions of empanelment, and poor quality of audits.
Other provisions concern audit report drafting, communications between the auditee and auditing organisations, submission of audit evidence as an appendix along with the final audit report, and so on.