
India's critical infrastructure under siege: New CERT-In rules

Andrew Robinson | September 1, 2025

The Indian Computer Emergency Response Team (CERT-In) has issued its Comprehensive Cyber Security Audit Policy Guidelines, standardising audit processes and requirements across public and private organisations, including operators of critical infrastructure. The guidelines build on existing reporting mechanisms and mandate annual cybersecurity audits that assess vulnerability management, incident response capability, and the robustness of security architecture. This post looks at what the guidelines mean for India's critical sectors and how an integrated compliance strategy helps organisations maintain consistent cyber resilience and audit readiness.

Understanding CERT-In's new mandatory audit requirements

In fiscal year 2024-25 alone, CERT-In conducted nearly 10,000 audits across critical sectors such as power, transportation, and banking. Critical infrastructure providers, government entities, and organisations that handle sensitive data must now demonstrate compliance with specific technical configurations, maintain comprehensive documentation, and implement continuous monitoring. Non-compliance carries criminal liability: under Section 70B(7) of the IT Act, failing to provide information or to comply with CERT-In's directions is punishable with imprisonment of up to one year, a fine of up to ₹1 lakh, or both, which makes adherence a legal obligation as well as a security imperative.

The latest release by CERT-In includes provisions for:

[Image: CERT-In Comprehensive Cyber Security Audit Policy Guidelines]

  • Audit scope: Cybersecurity audits must assess compliance with laws and directions such as the Digital Personal Data Protection Act (DPDP Act), the IT Act, and CERT-In's Cyber Security Directions of April 2022 on information security practices, which already require incidents to be reported to CERT-In within six hours of being noticed and logs to be retained for a rolling 180 days within Indian jurisdiction. Organisations must undergo third-party cybersecurity audits at least annually, or after significant infrastructure changes, covering information technology (IT), operational technology (OT), cloud, supply chain, and physical security.

  • Audit lifecycle: CERT-In outlines the full audit lifecycle, starting from risk-based planning and scoping, followed by control and exposure validation, audit execution with evidence collection, and post-audit remediation and verification. CERT-In also emphasises ensuring board-level oversight of all audit activities, from planning through to remediation and closure.

  • Strengthened Bill of Materials (BOM) guidelines: CERT-In has expanded its BOM requirements to improve transparency and security across emerging technologies. In addition to software BOMs (SBOM), the guidelines now extend to cryptographic BOMs (CBOM), quantum readiness BOMs (QBOM), hardware and firmware BOMs (HBOM), and AI BOMs (AIBOM) covering training data and behaviour logs. Organisations must flow BOM generation and retention requirements down to their vendors, which places greater responsibility on them for supply chain risk management.

  • Audit methodologies: Auditors shall align their methodologies with CERT-In advisories and with global standards such as the ISO/IEC series and the Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and prioritise findings using vulnerability scoring systems such as the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS). The guidelines also address data residency, requiring that all audit-related data be stored and retained within Indian borders.

  • Post-audit requirements: Organisations must initiate and track remediation efforts for any vulnerabilities identified during the audit process and undergo follow-up reviews.

Enforcement is already underway: the guidelines took effect for organisations subject to CERT-In oversight in July 2025.

The critical infrastructure cyber threat landscape in India

[Image: India cyber threat landscape]

India's critical infrastructure faces an unprecedented surge in cyber threats. According to the India Cyber Threat Report 2025 by the Data Security Council of India (DSCI), the country experienced 369 million malware detections across 8.44 million endpoints in the past year, averaging a staggering 702 potential attacks per minute. The threat landscape is particularly complex due to the convergence of IT and OT systems, creating expanded attack surfaces that traditional security measures struggle to protect.

State-sponsored actors and cybercriminal organisations are increasingly leveraging AI-assisted attacks, including deepfakes for social engineering and malware that adapts to defensive measures in real time. Recent incidents have exposed over 223,800 digital assets across critical sectors, highlighting vulnerabilities in ageing infrastructure and the urgent need for modernised security approaches. The economic impact of these breaches extends beyond immediate financial losses, threatening national stability and citizen services.

Building comprehensive security frameworks for compliance

Meeting CERT-In's requirements demands more than piecemeal security solutions; it requires a comprehensive framework that integrates multiple standards and regulations. Organisations should adopt a layered approach combining:

  • International standards such as ISO/IEC 27001 for information security management
  • Regulatory frameworks like the Reserve Bank of India's (RBI) Cyber Security Framework for financial institutions
  • Sector-specific guidelines from the National Critical Information Infrastructure Protection Centre (NCIIPC)

[Image: Hailey control mapping]

This multi-framework approach ensures both regulatory compliance and practical security effectiveness. Organisations can simplify cross-framework alignment through compliance automation, with platforms such as 6clicks enabling automated mapping across multiple frameworks using AI. With 6clicks, organisations can align overlapping requirements instantly, match internal controls to specific requirements and identify gaps within seconds, and enhance accuracy while eliminating manual work.

Considerations for implementing integrated compliance frameworks include:

  • Establishing a robust governance structure that includes board-level oversight, clearly defined roles and responsibilities, and regular security assessments
  • Maintaining detailed asset inventories
  • Implementing network segmentation between critical and non-critical systems
  • Establishing 24/7 security operations centres

Implementation roadmap for Indian organisations

To achieve compliance with the new CERT-In guidelines, organisations in critical sectors can take the following steps, leveraging the 6clicks platform as an all-in-one solution for risk, compliance, and audit management:

[Image: CERT-In guidelines: steps to compliance]

Step 1: Establish governance and oversight

Involve the board and senior leadership in audit planning, scoping, and remediation oversight. Establish a clear chain of accountability, with reporting dashboards for audit progress and compliance status. 6clicks offers customisable dashboards that provide instant access to key metrics such as high-priority incidents, control effectiveness, and ongoing risk treatments.

Step 2: Conduct a risk-based gap assessment

Begin with a comprehensive review of existing IT, OT, and cloud environments against CERT-In guidelines, the IT Act, DPDP Act, and sector-specific regulations. Use 6clicks' built-in question-based and requirement-based assessment functionality to conduct enterprise-level and system-level assessments, identifying gaps in technical controls, reporting processes, and documentation.

Step 3: Build a unified control framework

Map requirements from multiple standards (e.g., ISO/IEC 27001, ISO/IEC 27002, RBI Cyber Security Framework, NCIIPC advisories) into a single control set. This reduces duplication and simplifies evidence collection during audits. With 6clicks, organisations can manage controls, assign owners and responsibilities, and launch remediation actions in one centralised system.

Step 4: Integrate supply chain risk management

Extend compliance to vendors and third parties by requiring generation and retention of software, cryptographic, hardware and AI BOMs (SBOM, CBOM, HBOM, AIBOM). With 6clicks' integrated vendor management module, organisations can automate vendor risk assessments, extract risks and issues directly from security reviews, and ensure continuous monitoring of critical suppliers.
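The BOM obligations described earlier and in this step are only enforceable if the organisation actually inspects what vendors hand over. The following Python gate is an added example, not code from the original post or from the 6clicks platform: it checks a vendor-submitted CycloneDX JSON SBOM for the fields an auditor will ask about (a serial number, a generation timestamp, the product the BOM describes, and for each component a name, version, package URL, SHA-2 hash and supplier) and rejects duplicate entries. The two sample documents are constructed; the product, vendor and component names are hypothetical, the hashes are placeholders, and the field set checked is an assumed acceptance policy rather than a list taken from the CERT-In guidelines.

```python
"""Acceptance gate for vendor-submitted CycloneDX JSON SBOMs.  The field set
checked is an assumed acceptance policy, not text from the CERT-In guidelines;
the sample documents below are constructed, with hypothetical names and
placeholder hashes."""
import json
from collections import Counter

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "serialNumber", "version", "metadata", "components")
REQUIRED_PER_COMPONENT = ("type", "name", "version")
ACCEPTED_HASH_ALGS = ("SHA-256", "SHA-384", "SHA-512")   # MD5/SHA-1-only evidence is rejected


def bom_findings(raw_json: str) -> list:
    """Return human-readable findings for one BOM; an empty list means it passes the gate."""
    doc = json.loads(raw_json)
    findings = []

    for key in REQUIRED_TOP_LEVEL:
        if key not in doc:
            findings.append(f"missing top-level field '{key}'")
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    metadata = doc.get("metadata", {})
    if not metadata.get("timestamp"):
        findings.append("metadata.timestamp absent: cannot tell when the BOM was generated")
    if "component" not in metadata:
        findings.append("metadata.component absent: BOM does not say which product it describes")

    purls = Counter()
    for idx, comp in enumerate(doc.get("components", [])):
        label = comp.get("name") or f"component[{idx}]"
        for key in REQUIRED_PER_COMPONENT:
            if not comp.get(key):
                findings.append(f"{label}: missing '{key}'")
        if comp.get("purl"):
            purls[comp["purl"]] += 1
        else:
            findings.append(f"{label}: no purl, so it cannot be matched against advisories")
        if not any(h.get("alg") in ACCEPTED_HASH_ALGS for h in comp.get("hashes") or []):
            findings.append(f"{label}: no SHA-2 hash, so the shipped artefact cannot be verified")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier not declared")
    for purl, count in purls.items():
        if count > 1:
            findings.append(f"duplicate purl {purl} listed {count} times")
    return findings


def accept_bom(raw_json: str) -> bool:
    return not bom_findings(raw_json)


# --- constructed sample documents (hypothetical product, vendor and digests) ---
GOOD_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", "version": 1,
    "metadata": {"timestamp": "2025-08-15T09:00:00Z",
                 "component": {"type": "application", "name": "meter-gateway", "version": "4.2.0"}},
    "components": [{
        "type": "library", "name": "openssl", "version": "3.0.14",
        "purl": "pkg:generic/openssl@3.0.14",
        "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],     # placeholder digest
        "supplier": {"name": "Example Vendor Pvt Ltd"},
    }],
})

BAD_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,      # no serialNumber
    "metadata": {"timestamp": "2025-08-15T09:00:00Z"},                  # no metadata.component
    "components": [
        {"type": "library", "name": "zlib", "purl": "pkg:generic/zlib@1.2.11",   # no version
         "hashes": [{"alg": "MD5", "content": "cd" * 16}],                       # weak hash only
         "supplier": {"name": "Example Vendor Pvt Ltd"}},
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11",
         "hashes": [{"alg": "SHA-256", "content": "ef" * 32}]},                  # duplicate purl, no supplier
    ],
})

if __name__ == "__main__":
    for name, bom in (("good", GOOD_BOM), ("bad", BAD_BOM)):
        findings = bom_findings(bom)
        print(f"{name}: {'ACCEPT' if not findings else 'REJECT'}")
        for finding in findings:
            print("  -", finding)
```

Run against the two samples, the first BOM is accepted and the second is rejected with six findings (missing serial number, no product component, a component without a version, an MD5-only hash, an undeclared supplier, and a duplicated purl). In practice the gate sits in the vendor onboarding or release-intake workflow, and the findings become the remediation items tracked back to the supplier.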

Step 5: Implement continuous compliance monitoring

Deploy automated tools to monitor security controls such as log retention, access management, and incident response readiness on an ongoing basis. 6clicks' continuous control monitoring capability enables automated control testing for real-time compliance validation and instant alerts of control failures, ensuring consistent alignment with CERT-In requirements and proactive response when issues arise.
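The two obligations carried over from the April 2022 Directions, six-hour incident reporting and 180-day log retention within India, are exactly the kind of control this step says should be monitored continuously rather than checked once a year. The following Python script is an added example, not code from the original post or from the 6clicks platform: given an inventory of retained log archives per source, it flags any stretch of the rolling 180-day window with no retained logs, any source whose window-relevant archives are held outside India, and any incident that was reported (or is still unreported) more than six hours after it was noticed. The 180-day and six-hour thresholds are the ones stated in the Directions; the source names, archive inventory and incident records are constructed sample data.

```python
"""Continuous-control check for two CERT-In obligations: 180-day log retention
(logs kept within India) and six-hour incident reporting.  Sample data below is
constructed for illustration; source and incident names are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION_DAYS = 180                      # CERT-In Directions of April 2022: rolling 180 days
REPORTING_DEADLINE = timedelta(hours=6)   # report within six hours of noticing an incident


def days_before(now: datetime, n: int) -> datetime:
    return now - timedelta(days=n)


@dataclass(frozen=True)
class LogArchive:
    source: str          # logging source, e.g. a firewall or identity provider
    start: datetime      # first timestamp covered (inclusive)
    end: datetime        # last timestamp covered (exclusive)
    stored_in_india: bool


@dataclass(frozen=True)
class Incident:
    incident_id: str
    noticed_at: datetime
    reported_at: Optional[datetime]   # None if not yet reported to CERT-In


def check_log_retention(archives, expected_sources, now, retention_days=RETENTION_DAYS):
    """Return {'gaps': {source: [(gap_start, gap_end), ...]}, 'offshore': [source, ...]}.

    A gap is any interval inside the retention window [now - retention_days, now)
    that no archive of that source covers; a source with no archive at all is one
    gap spanning the whole window.  'offshore' lists sources with window-relevant
    archives held outside India, a residency breach even when coverage is complete.
    """
    window_start = days_before(now, retention_days)
    by_source = {s: [] for s in expected_sources}
    for a in archives:
        by_source.setdefault(a.source, []).append(a)

    gaps, offshore = {}, []
    for source, items in by_source.items():
        cursor = window_start
        for a in sorted(items, key=lambda x: x.start):
            if a.end <= cursor:
                continue                      # entirely before what we still need
            if not a.stored_in_india and source not in offshore:
                offshore.append(source)
            if a.start > cursor:              # uncovered stretch before this archive
                gaps.setdefault(source, []).append((cursor, min(a.start, now)))
            cursor = max(cursor, a.end)
            if cursor >= now:
                break
        if cursor < now:                      # nothing covers the tail of the window
            gaps.setdefault(source, []).append((cursor, now))
    return {"gaps": gaps, "offshore": offshore}


def late_reports(incidents, now, deadline=REPORTING_DEADLINE):
    """Return [(incident_id, hours_elapsed, still_unreported)] for incidents that were
    reported after the deadline or remain unreported with the deadline already passed."""
    late = []
    for inc in incidents:
        elapsed = (inc.reported_at or now) - inc.noticed_at
        if elapsed > deadline:
            late.append((inc.incident_id, elapsed / timedelta(hours=1), inc.reported_at is None))
    return late


# --- constructed sample data (not real telemetry) -----------------------------
NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)
EXPECTED_SOURCES = ["firewall", "ad-auth", "vpn", "erp-app"]
ARCHIVES = [
    LogArchive("firewall", days_before(NOW, 200), days_before(NOW, 90), True),
    LogArchive("firewall", days_before(NOW, 60), NOW, True),        # 30-day hole before this one
    LogArchive("ad-auth", days_before(NOW, 180), NOW, True),         # complete coverage
    LogArchive("vpn", days_before(NOW, 365), NOW, False),            # complete, but stored abroad
    # "erp-app" has no archive at all
]
INCIDENTS = [
    Incident("INC-1", NOW - timedelta(hours=10), NOW - timedelta(hours=6)),   # reported in 4 h
    Incident("INC-2", NOW - timedelta(hours=10), NOW - timedelta(hours=2)),   # reported in 8 h
    Incident("INC-3", NOW - timedelta(hours=7), None),                        # 7 h, still unreported
    Incident("INC-4", NOW - timedelta(hours=3), None),                        # still inside 6 h
]

if __name__ == "__main__":
    result = check_log_retention(ARCHIVES, EXPECTED_SOURCES, NOW)
    for source, intervals in result["gaps"].items():
        for start, end in intervals:
            print(f"GAP      {source}: {start:%Y-%m-%d} to {end:%Y-%m-%d}")
    for source in result["offshore"]:
        print(f"OFFSHORE {source}: logs held outside India")
    for incident_id, hours, unreported in late_reports(INCIDENTS, NOW):
        state = "unreported" if unreported else "reported"
        print(f"LATE     {incident_id}: {hours:.1f} h since detection ({state})")
```

On the sample data the check reports a 30-day hole in the firewall logs, a source (erp-app) with no retained logs at all, VPN logs held outside India, and two incidents past the six-hour deadline, one of them still unreported. Fed from the real archive inventory and ticketing system, the same two functions give the "instant alerts of control failures" this step describes, and the output doubles as evidence for the annual audit.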

Step 6: Automate audit preparation and evidence management

Use 6clicks to centralise audit evidence, track remediation tasks, and generate audit-ready reports. This reduces manual effort and supports repeatable, defensible audit outcomes.

Summary

India’s regulatory landscape has entered a new phase with CERT-In’s 2025 audit guidelines, placing unprecedented accountability on critical infrastructure operators, government entities, and organisations handling sensitive data. To stay compliant and resilient, organisations should focus on:

  • Annual third-party audits covering IT, OT, cloud, supply chain, and physical security

  • Continuous compliance monitoring to ensure consistent control validation

  • Supply chain accountability with expanded BOM requirements and vendor risk assessments

  • Integrated frameworks that align ISO/IEC standards and sector-specific requirements

  • Board-level governance and oversight to track audit progress and remediation

By adopting integrated frameworks, leveraging automation, and maintaining executive oversight, organisations can turn regulatory pressure into a catalyst for stronger, more adaptive cybersecurity programs.

Get started with 6clicks

Stay ahead of CERT-In's new compliance era and India's wider regulatory mandates with an AI-powered cyber GRC platform that simplifies compliance, strengthens resilience, and ensures continuous audit readiness.



Frequently asked questions

What are the key requirements of CERT-In's new audit rules for critical infrastructure?

CERT-In’s 2025 audit guidelines mandate annual third-party cybersecurity audits for organisations in critical sectors, with expanded scope covering IT, OT, cloud, supply chain, and physical security. The rules also build on existing mandates such as six-hour incident reporting and 180-day log retention, while introducing stricter requirements for supply chain accountability through BOM generation and monitoring.

How can AI-driven GRC solutions help meet CERT-In compliance requirements?

AI-driven GRC platforms streamline compliance by automating control mapping, gap analysis, and evidence collection, reducing the manual effort required for annual audits. They enable continuous control monitoring, ensuring real-time visibility into compliance status and rapid detection of issues like log retention gaps. Advanced features such as automated risk extraction, remediation task generation, and cross-framework alignment help organisations stay audit-ready while improving accuracy and speed.

What is the recommended implementation approach for organisations starting their compliance journey?

Organisations should begin with a risk-based gap assessment against CERT-In guidelines, the IT Act, DPDP Act, and sectoral regulations to identify compliance gaps. Next, they should establish a unified control framework that consolidates requirements from multiple standards and simplifies evidence collection. From there, implementing continuous monitoring, supply chain risk management, and automated audit preparation ensures ongoing readiness and reduces compliance fatigue.




Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.