Part 1: Note on “Comprehensive Cyber Security Audit Policy Guidelines”
The Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, has issued “Comprehensive Cyber Security Audit Policy Guidelines” (Guidelines) for cybersecurity audits. The Guidelines stress independence, objectivity, and ethical behaviour throughout the audit process, and set out the roles and obligations of both auditing and auditee organisations.
The document describes the scope of a wide range of cybersecurity assessments, from risk and compliance reviews to highly specialised testing such as audits of blockchain and AI systems. It also covers audit planning, execution, reporting, and data management procedures, with the aim of ensuring quality control, accountability, and continuous improvement of the national cybersecurity posture.
The main goal of the Comprehensive Cyber Security Audit Policy Guidelines is to give organisations a systematic and uniform framework for carrying out cybersecurity audits.
Introduction and Objectives
These guidelines are issued by CERT-In under the authority of Section 70B of the Information Technology (IT) Act, 2000. Their key objective is to guarantee “consistency in audit quality, evaluation criteria, and reporting” by offering a “structured and standardised framework for conducting cyber security audits within organisations.” The document accomplishes two goals:
- Auditee Organisation: To “help organisations being audited (auditees) in preparing for audits, understanding requirements, and addressing deficiencies,” as the Guidelines put it. This enables auditees to meet industry requirements and proactively strengthen their security procedures.
- Auditor Organisation: To offer auditing organisations a “structured framework to conduct rigorous, fair, and transparent cyber security audits,” defining roles, procedures, and best practices.
“Collaborative efforts of both the organisation being audited and the auditing entity” are essential to the effectiveness of cyber security audits because they promote “mutual responsibility and driving meaningful enhancements in security, risk mitigation, and regulatory adherence.”
Applicability
These guidelines are applicable to two main entities:
- CERT-In Empanelled Auditing Organisations: These are organisations empanelled by CERT-In to conduct information security audits, including vulnerability assessments and penetration testing, for both government and other sectors.
- Auditee Organisations: Public and private sector organisations that are required to or seek to evaluate their cyber security posture, identify vulnerabilities, assess risks, and ensure compliance.
Scope of Engagements Covered
The guidelines cover a broad range of cybersecurity audits and assessments. Auditees are expected to undergo a comprehensive audit of their Information and Communication Technology (ICT) systems at least once a year, and may also opt for additional assessments and audits during the year. Key types of engagements include, but are not limited to:
| Scope Point | What It Covers / Key Details |
|---|---|
| Compliance Audits | Checking adherence to applicable laws, regulations, CERT‑In directions, internal policies, and standards. |
| Risk Assessments | Identifying threats, vulnerabilities, likelihood and impact; risk treatment; may be periodic or triggered by changes. |
| Vulnerability Assessments & Penetration Testing (VAPT) | Active testing of systems, applications, and infrastructure for weaknesses. |
| Network Infrastructure Audits | Hardware, software, network device configuration, network segmentation, firewalls, routers, etc. |
| Application Security Testing | Web, mobile, and API applications; DAST and SAST (dynamic/static); testing in varying environments. |
| Source Code Review | Reviewing source code for security flaws, insecure practices, weaknesses, and adherence to secure coding practices. |
| Red Team Exercises (Attack Simulation) | Simulated adversary attacks to test detection, response, and resilience. |
| Cloud Security Testing | Assessing cloud infrastructure, configurations, access management, and data security in the cloud. |
| IoT / IIoT Security Testing | Devices, sensors, embedded systems, communication, firmware, etc. |
| OT / ICS Security Audits (Operational Technology / Industrial Control Systems) | Security of industrial control systems, SCADA, OT protocols, and risk in operational environments. |
| AI System Audits | Assessing security, ethics, data integrity, and transparency of AI/ML systems; resistance to adversarial attacks. |
| SBOM / QBOM / AIBOM Audits | Software Bill of Materials; Quantum and AI-related components; supply chain and component transparency. |
| Blockchain Security Audits | Smart contracts, consensus mechanisms, and cryptographic soundness. |
| Vendor / Third‑Party / Supply Chain Risk Audits | Assessing risks posed by vendors, third-party dependencies, contracts, and supply chain components. |
| IT Security Policy Review & Assessment | Reviewing existing security policies, their adequacy, alignment with risk, and implementation. |
| Regulatory / CERT‑In Directions & Baseline Requirements | Regulatory guidance and baseline audit requirements (e.g. CERT‑In’s “Audit Baseline Requirements”) are included by default. |
| Comprehensive Audit Program Checklist (for Critical Apps / Databases / PII) | For entities handling sensitive PII and critical systems, use the mandatory checklist of ~282 control points. |
| Asset Inventory & All Environments in Scope | All digital assets (hardware, software, applications, environments – development/test/production), cloud resources, third-party systems, etc. |
| Change / Trigger-based Audits | Major changes such as migrations, configuration changes, or deployment of new infrastructure or systems should trigger audits. |
| Operational Audits / Efficiency & Effectiveness of Security Operations | How well security operations are working: incident response, monitoring, logging, etc. |
| Internet / Mobile / API Application Testing | Specifically web, mobile, and API applications, covering common threat vectors, secure design, etc. |
| Penetration Testing | Individual components or the application as a whole are actively tested to identify and exploit potential vulnerabilities. |
| Process Security Testing / Physical Security Testing | Evaluating the physical security measures that protect an organisation’s processes and assets, including its facilities, equipment, and personnel, from unauthorised access, theft, damage, or other physical threats. |
| Communications Security Testing | Evaluating the security measures implemented on communication channels. |
| Log Management and Maintenance Audit | Assessing the effectiveness and completeness of system and security log generation, retention, integrity, and monitoring practices, ensuring that logs are maintained in accordance with organisational policies and regulatory requirements to support detection, investigation, and response activities. |
Consequences of Non-Compliance
CERT-In has a “Deter and Punish Framework” for non-compliance, poor quality audits, or violations of guidelines/empanelment terms. Graded actions include:
- Move to watch list with warning & written commitment: For inadequate closure of non-compliances, lack of relation between noting and issues, inadequate sample details, minor impact violations of T&Cs, missing up to 2 vulnerabilities, first instance of conflict with auditee or non-compliance to data collection framework.
- Suspension: For adverse feedback (technical competency, auditor attributes), repeated failures in planning/coverage, issues appearing soon after audit, major impact violations of T&Cs, multiple adverse reports of missing vulnerabilities, or multiple non-compliance instances for data collection. Suspension can be revoked upon satisfactory corrective action.
- Withdrawal of Empanelment: For auditing malpractices, substandard services, or failure to cover the scope of work, leading to actions as per GFR and Department of Expenditure O.M.
- Penal & Legal Actions: For breach of trust, digital break-ins, damage or attempts to damage auditee interests/infrastructure, as per applicable laws.
Further details provided under the Guidelines, such as applicable standards and frameworks and the responsibilities of auditors and auditees, will be covered in Part 2 of this blog.
Disclaimer: This is an effort by Lexcomply.com to contribute towards improving the compliance management regime. Users are advised not to construe this service as legal opinion and to seek the views of subject experts.