CERT-In Compliance India — Cyber Security Audit & Advisory Services

The Indian Computer Emergency Response Team (CERT-In) issued binding directions in April 2022 requiring organisations to implement specific cybersecurity practices, report incidents within 6 hours, and maintain logs for 180 days. eShield Consulting provides CERT-In compliance advisory, security audit, and incident reporting readiness services for Indian organisations.

Key CERT-In 2022 Directions for Indian Organisations

• Mandatory Incident Reporting — 20+ types of cybersecurity incidents must be reported to CERT-In within 6 hours of detection
• Log Retention — ICT system logs must be maintained for 180 days and stored in India
• Time Synchronisation — All ICT systems must sync with NTP servers of NIC or NPTEL
• Virtual Asset Service Providers (VASPs) — Crypto exchanges and wallets must maintain KYC records for 5 years
• Data Centre and Cloud Providers — Must enable log access for CERT-In on demand
• Government & Critical Infrastructure — Must have an incident response capability meeting CERT-In specifications

Our CERT-In Compliance Services

• CERT-In Readiness Assessment — Evaluate your current compliance posture against all 2022 directions. Deliverable: gap report with remediation checklist.
• Incident Response Plan Development — Design CERT-In aligned incident detection, classification, and 6-hour reporting workflows.
• Log Management Architecture — Design SIEM and log aggregation solutions meeting 180-day retention and India data residency requirements.
• Security Audit as per CERT-In — Conduct security audits meeting CERT-In Empanelled Auditor standards.
• CERT-In Incident Reporting Support — Assist with mandatory incident notifications, technical analysis, and liaison with CERT-In during active incidents.
• Employee Security Awareness — CERT-In mandated security awareness training and phishing simulation.

Sectors Covered by CERT-In Directions

CERT-In directions apply broadly to all entities operating digital infrastructure in India — including service providers, intermediaries, data centres, government entities, and bodies operating Critical Information Infrastructure (CII). Sectors with specific sub-directions include banking and finance, telecom, energy, transport, and healthcare.

Get CERT-In Compliance Assessment →

Frequently Asked Questions — CERT-In Compliance India

What happens if we do not comply with CERT-In directions?

Non-compliance with CERT-In directions can result in penalties under the IT Act 2000 (Section 70B) including fines up to ₹1 crore and up to 1 year imprisonment for responsible persons. For critical infrastructure operators, non-compliance can trigger regulatory action by sector regulators (RBI, TRAI, SEBI) who enforce CERT-In compliance within their domains.

Which organisations are CERT-In empanelled security auditors?

CERT-In maintains a list of empanelled security auditors on its website (cert-in.org.in/empanelled-organizations.html). Empanelled auditors are authorised to conduct IT security audits and issue compliance certificates that regulators and government agencies accept. eShield Consulting operates in alignment with CERT-In audit standards and guidelines.

What is the 6-hour incident reporting requirement?

CERT-In directions require organisations to report cybersecurity incidents (including data breaches, ransomware, DDoS attacks, website defacements, and 20+ other categories) to CERT-In within 6 hours of detection. Reports must be submitted via the CERT-In incident reporting portal (incident.cert-in.org.in). eShield helps design automated detection-to-report workflows to meet this obligation.

CERT-In Directions 2022 — Full Compliance Checklist

The CERT-In Directions issued under Section 70B of the IT Act in April 2022 contain 20 specific requirements. Key obligations include: enabling logs for all ICT systems and retaining them for 180 days with accurate IST timestamps synchronised to NTP sources in India; reporting cybersecurity incidents to CERT-In within 6 hours of detection; maintaining a Virtual Private Server (VPS) in India for service providers; maintaining ICT infrastructure records for 5 years; mandating KYC for cryptocurrency/VPN users; and providing CERT-In access to logs, systems, and related information within 6 hours of a demand.

Who Must Comply with CERT-In Directions

The CERT-In Directions apply broadly to any organisation operating in India that qualifies as a “service provider, intermediary, data centre, corporate entity or government organisation” — which effectively covers all enterprises with digital operations. Specific sectors with heightened obligations include: Internet Service Providers (ISPs), Data Centres and Cloud Service Providers, Virtual Private Server providers, VPN service providers, Cryptocurrency exchanges, e-Government service providers, Critical Information Infrastructure (CII) operators, and all government ministries and departments. Non-compliance can result in imprisonment up to one year and fines under Section 70B of the IT Act.

CERT-In Empanelment and Audits

CERT-In maintains a list of empanelled information security auditing organisations. A CERT-In empanelled audit is required for: government organisations conducting IS audits, financial sector entities under RBI and SEBI frameworks, and critical infrastructure operators conducting formal security reviews. eShield holds CERT-In empanelment for IS Audit, VAPT, and forensic services. Our CERT-In empanelled audit reports are accepted by RBI, SEBI, IRDAI, MeitY, and NCIIPC. We also provide preparatory readiness assessments to help organisations pass CERT-In compliance checks without surprises.