India’s cybersecurity landscape is undergoing a major transformation with the Indian Computer Emergency Response Team (CERT-In) introducing a landmark directive that mandates all public and private organisations handling digital systems to undergo comprehensive third-party cybersecurity audits annually. This is the first time the private sector has been included in such a requirement. The directive allows sectoral regulators to demand more frequent audits based on specific risk profiles. The goal is to significantly strengthen India’s cybersecurity resilience in the face of rising digital threats.
CERT-In Expands Cybersecurity Audit Mandate to Private Sector with Risk-Based Guidelines
CERT-In’s new Comprehensive Cyber Security Audit Policy Guidelines offer a structured framework for conducting audits, covering all stages from planning and scoping to execution, reporting, and follow-up. These guidelines emphasise a domain-specific, risk-based approach tailored to an organisation’s unique threat environment. The policy also encourages alignment with global standards like ISO/IEC 27001, promoting consistent and international best practices across Indian organisations.
This move marks a shift from past practices where only public and critical infrastructure entities were obligated to comply. By extending the mandate to the private sector, the policy aims to unify audit practices and raise the bar for cybersecurity preparedness across industries. It also empowers regulators to adapt the frequency and depth of audits according to sector-specific vulnerabilities.
CERT-In Urges Strategic, Ongoing Cybersecurity Audits
Importantly, CERT-In highlights that audits must go beyond simple regulatory compliance. They should evolve into strategic tools that enable continuous risk assessment and resilience building. The policy outlines key focus areas including asset management, vulnerability testing, governance reviews, and post-audit remediation actions. It stresses the need for skilled auditors and better collaboration between CISOs, IT teams, and regulators.
Aligned with India’s national cybersecurity strategy, the policy supports the country’s broader digital public infrastructure goals. However, its effectiveness will hinge on organisations treating audits as ongoing, meaningful safeguards rather than routine checkboxes.
Summary:
CERT-In has mandated annual third-party cybersecurity audits for both public and private organisations, marking a major policy shift. The guidelines promote a risk-based, domain-specific approach aligned with global standards. Emphasising strategic use over compliance, the policy aims to boost India’s cybersecurity resilience through continuous monitoring, skilled audits, and sector-specific enforcement.
