The Indian Computer Emergency Response Team (CERT-In) has issued the Cyber Security Audit Policy Guidelines (Version 1.0, July 2025) to bring uniformity, clarity, and accountability to audits across government, critical infrastructure, and private enterprises, making them dependable tools for risk reduction.

The policy provides a blueprint for organisations to systematically measure, manage, and enhance their cyber security posture in a structured and auditable way.

Further, the guidelines set out a structured audit workflow covering planning, scope definition, technical assessments, asset discovery, vulnerability scanning, and evidence collection, and specify that findings be classified by severity and reported in standardised formats.

By establishing a repeatable lifecycle, CERT-In seeks to ensure that each assessment delivers verifiable outcomes that reduce concrete risks.

The framework covers a wide range of entities, including operators of critical infrastructure such as power, transport, and healthcare, along with financial institutions, information technology (IT) service providers, data centres, cloud platforms, and government departments.

In regulated sectors these guidelines will serve as the reference model for both internal and external audits. Even without a reported incident, organisations will be expected to demonstrate readiness through structured compliance.

Furthermore, the policy requires the use of CERT-In-approved templates for planning, documentation, and evidence submission, and stresses traceability by obliging auditors to show exactly how issues were identified and categorised.

Additionally, audits must be performed by CERT-In empanelled professionals to ensure consistency and quality. Every vulnerability or control gap must be rated as critical, high, medium, or low, with corresponding remediation timelines, so resources focus on the most severe threats, including potential breaches, ransomware, or disruption of essential services.

The guidelines also extend to emerging areas, including cloud services, the Internet of Things (IoT), artificial intelligence platforms, blockchain systems, and operational technology/industrial control systems (OT/ICS), and address supply chain security. By introducing scoring models such as the Common Vulnerability Scoring System (CVSS) combined with the Exploit Prediction Scoring System (EPSS), the framework supports more precise prioritisation of vulnerabilities.