CERT-In Issues Cyber Audit Rules for Critical Infra

India’s nodal cybersecurity agency, CERT-In, has released its most detailed framework yet for conducting comprehensive cybersecurity audits across public and private digital infrastructure. The guidelines aim to raise national cyber resilience by clearly defining audit scope, frequency, auditor qualifications, and responsibilities of audited entities.

Unified audit classifications introduced

The policy introduces a three-tier audit classification system: Comprehensive Cyber Security Audits (CCSA), Targeted Technical Audits, and Thematic Audits. CCSAs will serve as the broadest form of assessment, covering governance, risk management, and technical controls. Targeted audits are designed for systems undergoing significant change or exhibiting risk exposure, while thematic audits address sector-specific issues such as mobile app security or supply chain vulnerabilities.

Who must comply?

The guidelines apply to government bodies, critical information infrastructure (CII) operators, regulated service providers, and any digital platforms designated by CERT-In. All such entities are expected to coordinate with empanelled cybersecurity auditors and maintain a high standard of readiness by implementing corrective actions post-audit.

Reporting timelines and enforcement

Audit findings must be submitted to CERT-In through a new secure portal within a fixed 30-day reporting window. For the first time, the policy outlines expectations for periodic follow-ups, with CERT-In empowered to request remediation updates. It also clarifies that audit cycles should align with emerging threats, meaning higher-risk systems may require annual or even ad-hoc audits.

The move strengthens India’s proactive cyber defense posture and aims to ensure both strategic readiness and operational accountability across sectors. It aligns with ongoing efforts to establish a National Cyber Security Strategy, although that framework is still pending release.

For a detailed breakdown, access the official CERT-In report here.
