CERT IN issues Cyber Security Audit Guidelines

In a welcome move, on July 25, 2025, CERT-In issued a comprehensive Cyber Security Audit Guideline that should become the preferred audit guideline for ISMS audits in India.

CERT-In derives its statutory authority from ITA 2000; hence this guideline contributes to ITA 2000 compliance rather than being merely an industry best practice.

In April 2011, MeitY issued the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Under Para 8(1) it is stated:

A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

This is followed by a second paragraph stating:

The international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).

When clarification was sought, MeitY responded to an RTI query as follows:

With the notification of the Comprehensive Cyber Security Guidelines by CERT-In under the powers bestowed on it under Section 70(B) of the Act, the Section 43A rules of April 2011 get automatically amended.

We, however, request MeitY to issue an advisory in this respect stating:

“Comprehensive Cyber Security Guidelines dated 25th July 2025 issued by CERT-In shall be one such standard referred to in sub-rule (1)”

This guideline applies to all organizations in India using IT, including private sector companies, and is to be considered binding for ITA 2000 compliance.

By virtue of the direct link between Section 43A and the DPDPA, the guidelines may also be considered a guideline under Rule 6(g) of the Draft DPDPA Rules for “Reasonable Security for Safeguarding Personal Information under DPDPA”.

For CERT-In empanelled auditors, adoption of this framework is considered mandatory for their ITA 2000 compliance audits.

At FDPPI, we adopt this as a guideline for the application of “Reasonable Security Practices for Personal Data Protection under Section 8 of DPDPA 2023”. This would form part of the DGPSI framework.

I request all DGPSI auditors to immediately adopt this framework as part of the DGPSI framework, under MIS 15 and MIS 16 of DGPSI-Lite, or MIS 15 and MIS 47 of the DGPSI-Full version.

Also refer: https://www.cert-in.org.in/PDF/CyberSecurityAuditbaseline.pdf

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.