Cert-In pivots cybersecurity audits to threat readiness
ETtech | August 9, 2025 12:20 PM CST

Synopsis

Cert-In introduces revamped cybersecurity audit guidelines. These guidelines emphasize continuous threat preparedness. They move away from checklist-based compliance. Public and private entities must implement robust security measures. These measures should prevent breaches and enable real-time response. Top management must take ownership of audit programs. Sectors like banking and healthcare will feel the immediate impact.

The cybersecurity audit guidelines issued by the Indian Computer Emergency Response Team, or Cert-In, will revamp how such audits are approached in the country, shifting the focus from checklist-based compliance to continuous threat preparedness, experts said.

The stringent audit framework released last week is expected to compel both public and private entities to implement robust measures that not only prevent breaches but also enable real-time response amid rising cyber threats, they said.

“Indian enterprises have recognised the impact due to cyber risk, and the recent spate of cyber incidents has further heightened the sensitivity. The Cert-In guidelines are timely and comprehensive,” said Atul Gupta, partner at KPMG. “It is heartening to see the inclusion of attack vectors like VPNs, supply chains, and access controls, which have been repeatedly exploited in recent breaches.”

Audits are now expected to go beyond policy declarations and cover technical configurations, evidence logs, cloud infrastructure, and even secure code history.

Cert-In has made it mandatory for cybersecurity audits to comprehensively cover an organisation’s entire ICT structure, including APIs, apps, cloud, and operational technology (OT) systems, using both manual and automated testing. Auditors must follow global frameworks and report vulnerabilities to reflect severity and real-world risk.

Cert-In

Operating under the electronics and IT ministry, Cert-In is the national nodal agency for cybersecurity.

Firms noted that one of the most significant changes is the expectation for top management to take ownership of cybersecurity audit programs.

“There is now a clear top-down mandate,” said Munjal Kamdar, partner at Deloitte. “Boards must define scope, approve remediation actions, and ensure comprehensive coverage, from secure software setups to risk exception handling.”

Auditors are also required to retain logs, review code, and verify secure configurations – practices that were earlier optional or inconsistently implemented.

“The real opportunity is in becoming breach-ready, building programs that can detect, respond, and recover in real time,” said Sundareshwar Krishnamurthy, partner and leader, cybersecurity, at PwC India.

The guidelines also call on Cert-In-empanelled audit firms to reskill their teams to keep pace with the growing complexity of audits.

With hyperconnected applications, multi-cloud adoption, and AI-enabled platforms growing rapidly, security audits must now be conducted by teams that “understand threat exposure and can apply professional judgment,” noted Gupta of KPMG.

Deloitte’s Kamdar said, “Audits are no longer one-size-fits-all. Technical scope, documentation, and manual testing capabilities will all have to scale up.”

The Cert-In guidelines even illustrate how firms must handle audit-related data securely, restrict the use of freelancers, prohibit audit subletting, and enforce report confidentiality.

Experts said sectors such as banking, telecom, healthcare, and energy, which are already under regulatory pressure, will feel the impact most immediately. However, smaller firms will also have to adapt quickly.

“We are seeing a mindset shift,” Krishnamurthy of PwC India said. “Security is no longer about passing an audit, it’s about protecting business continuity, reputations, and national infrastructure.”

As India ramps up its cybersecurity defences amid rising attack frequency and regulatory scrutiny, these new Cert-In guidelines may well serve as a foundational framework.

Experts believe these could also prompt the development of a more mature, standardised, and transparent cybersecurity audit system – a need long felt by both enterprises and regulators.
