By Anuradha Gandhi and Rachita Thakur
Introduction
On July 25, 2025, CERT-In issued the ‘Comprehensive Cyber Security Audit Policy Guidelines Version 1.0’[1] (hereinafter referred to as ‘CCSAP Guidelines’). The CCSAP guidelines provide cyber security auditing organizations (hereinafter referred to as ‘Auditors’) with a structured framework to conduct cyber security audits and help the organizations being audited (hereinafter referred to as ‘Auditees’) in preparing for such cyber security audits. Auditees can refer to these CCSAP Guidelines to ensure that their cyber security measures align with industry standards and regulations. The CCSAP Guidelines are binding on all CERT-In empaneled Auditor organizations and Auditee entities.
Legal Background of the CCSAP Guidelines
The Information Technology (Amendment) Act 2008[2] (hereinafter referred to as ‘IT Act 2008’) designated CERT-In as the national agency to perform various functions related to cybersecurity, including the issuing of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents. The CCSAP Guidelines are issued under Section 70B of the Information Technology Act, 2000 (hereinafter referred to as ‘IT Act 2000’).[3]
Applicability of the CCSAP Guidelines[4]
The CCSAP Guidelines are binding on all CERT-In empaneled Auditors and Auditees covered as per the definition provided.
- Empaneled Auditors – CERT-In empanels Auditors to undertake various assessments and testing of computer systems, networks and applications.
- Auditees – Auditees for the purpose of the cyber security audit include both public and private organizations that own or operate systems, processes and infrastructure and are required to evaluate their cybersecurity posture, identify vulnerabilities, assess risks, and ensure compliance with regulatory standards and industry best practices. These may include service providers, intermediaries, data centers, body corporates and any other person.
Consequences of Non-Compliance[5]
In case of non-compliance, CERT-In can take action against the non-compliant entity under Section 70B(7) of the IT Act 2000, which prescribes a penalty of up to INR 1,00,00,000 or imprisonment of up to 1 year, or both. For Auditors, the penalties can also include withdrawal of their CERT-In empanelment.
What is a Cybersecurity Audit?[6]
Clause 5(1) of the CCSAP Guidelines defines a cybersecurity audit as a systematic and independent assessment of an organization’s security controls, policies, and procedures to evaluate their effectiveness in protecting information systems and data from cyber threats.
Basic Principles of a Cyber Security Audit[7]
The CCSAP Guidelines lay down core principles to be followed during a cybersecurity audit to ensure it is thorough, unbiased, and meets the established standards of quality. To achieve this, the Auditors must be independent and must make objective judgements based on the facts and circumstances before them. Ethical principles must be upheld for the entire duration of the audit process by providing clear, accurate and truthful reports to the Auditee. The Auditors must also exercise professional skepticism, judgement and care while preserving transparency and accountability. The cybersecurity audit process must uphold the principle of confidentiality at all stages.
Interplay of CCSAP Guidelines and the DPDPA
Attribution of Roles as per the Data Protection Framework
For the purpose of cybersecurity audits, the Auditor entity shall be the Data Fiduciary, determining the scope and purpose of processing the data of the Auditee entity, which shall be the Data Principal. Therefore, the Auditor entity must comply with the Data Fiduciary obligations prescribed under the DPDPA while conducting the cybersecurity audits, some of which are: giving prior notice[8], obtaining consent[9], maintaining accurate and correct information[10], reporting data breaches[11], and safeguarding the rights of the data principal[12].
Privacy and Confidentiality Principles
The CCSAP Guidelines put strong emphasis on data privacy and confidentiality. They expressly state that every Auditor entity must comply with the applicable data protection and privacy regulations released by the Government or the relevant regulators from time to time. This indicates that the Digital Personal Data Protection Act, 2023[13] (hereinafter referred to as ‘DPDPA’) shall be applicable to the Cybersecurity auditing process. CERT-In incorporates the essence of the DPDPA by mandating the Auditors to protect the privacy and integrity of the information to which they have access, ensuring it is not disclosed without proper authorization. The Auditors are further required to comply with the ‘Policy Guidelines for Handling Audit related Data’[14] as released by CERT-In to ensure confidentiality is maintained in the auditing process.
Reasonable Security Safeguards
The DPDPA mandates data fiduciaries to implement reasonable security safeguards to prevent personal data breaches. The CCSAP Guidelines provide details on the reasonable security safeguards to be implemented by an Auditor engaging in a cyber-security audit.
- Adopting Industry standard Security testing methods: The Auditors must adopt industry standard methodologies and best practices for security testing of the Information Technology Infrastructure.[15]
- Audit Evidence and Documentation: Auditors are mandated to store the audit evidence securely, with access restricted to authorized personnel. Measures such as encryption and access controls must be implemented by the Auditors while storing such audit evidence.[16]
- Handling Audit related Data – Data related to the audit must be kept confidential and must be handled with diligence. Temporary employees or employees due for transition or retirement must not be given access to this data. Details of the implementation of such access control must be conveyed to the Auditee. The entire data set must be stored in encrypted form on the Auditor’s servers as well as on mobile devices.[17]
Data Minimization and Purpose Limitation
The scope of the cyber security audit must be derived from, and limited to, the consolidated and updated asset inventory of the Auditee, as reviewed and updated periodically by its IT team. The scope should be submitted to the Auditor after vetting by the internal audit team in consultation with the Chief Information Security Officer (CISO).[18]
Storage Limitation and Data Retention
- Deletion of Audit Data from Mobile Devices & Laptops – All audit related data stored on mobile devices such as laptops during the audit process must be wiped upon completion of the process and such deleted data must not be subject to retrieval through forensic methods. A certificate to this effect must be issued to the Auditee.[19]
- Retention of Audit related data – The agreement between the Auditor and the Auditee governs the retention of audit related data. The specific retention period and the process of collection, preservation and disposal of data must be stated in the agreement. If no such specifics are mentioned in the agreement, the data should be retained by the Auditor for a period of 1 year. The retained data should not consist of any Auditee data other than the audit reports.[20]
Governance and Accountability Framework
- Top Management Oversight – The top management of the Auditee should review and approve the audit program including the scope of remedial measures taken by the organization to address and solve the vulnerabilities identified in the audit without undue delay.[21] The risk treatment techniques such as retain, avoid, transfer and reduce for any reported vulnerabilities to the IT infrastructure must be accepted and authorized by the head of the Auditee entity.[22]
- Entry and Exit Conferences – The senior management of the Auditee entity must organize and attend the Entry and Exit conferences. The entry conference is a meeting in which clear expectations of the audit are set, including the scope of the audit, objectives, timeline, and key responsibilities. The exit conference is a structured forum in which the Auditor presents preliminary findings and highlights key risks, vulnerabilities and areas of concern identified during the audit.[23]
Cross Border Data Transfer Restriction
- Data Localization – Data related to the Auditee should be stored only on systems located in India with adequate safeguards and the Auditor should keep the Auditee informed of the means & location of the storage.[24]
- Consent required for overseas sharing – Auditee related data shall not be shared with or disclosed to any overseas entity or partner unless specific consent in writing is obtained from the Auditee, except where such disclosure is mandated by law or required by designated regulatory bodies and competent authorities.[25]
Breach Notification Requirements/ Cyber Incident Management[26]
The Auditor entity must put in place an effective incident management plan to ensure that, in case of an incident where Auditee related data is leaked to an unauthorized entity, the Auditee is notified of the incident without undue delay, and that the Auditor further takes the necessary steps to address the incident and assists the Auditee as may be required.
Specific guidelines to audit systems containing Sensitive Personal Information
The CCSAP Guidelines prescribe specific conditions for conducting cybersecurity audits of critical systems of Ministries, Departments, Secretariats, and Offices where sensitive personally identifiable information is involved. The Auditor shall verify compliance with the ‘Comprehensive Audit Program Checklist – Cyber and Information Security Audit’ released by the Ministry of Electronics and Information Technology (hereinafter referred to as ‘MeitY’) through the ‘Guidelines on Mandatory Features of Cybersecurity Architecture to be Ensured in all Ministries/Departments’, which comprises 282 control points. This must be the default and mandatory audit scope for the Auditor entity.[27]
Enforcement of the CCSAP Guidelines
In July 2025, CERT-In empaneled 200 cyber security auditors across the country[28] and published the list[29] on its website. Cyber security audit figures for the financial year 2024-25 were submitted in the Rajya Sabha on July 26, 2025, stating that CERT-In had conducted 9708 cyber security audits across the Power & Energy, Transport, and Banking, Financial Services and Insurance sectors. Now, the Central Government, through MeitY, is pushing for compliance with the CCSAP Guidelines. MeitY has directed all concerned entities, including all ministries, state governments, public sector units and government funded institutions, to align with the CCSAP Guidelines. The Central Government may also issue directives for private sector entities to comply with the CCSAP Guidelines in the near future.
Prateek Chandgothia, Assessment Intern at S.S.Rana & Co. has assisted in the research of this article.
[1] https://www.cert-in.org.in/PDF/Comprehensive_Cyber_Security_Audit_Policy_Guidelines.pdf
[2] https://www.indiacode.nic.in/bitstream/123456789/15386/1/it_amendment_act2008.pdf
[3] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
[4] Chapter 4, CCSAP Guidelines
[5] Section 70B, IT Act
[6] Chapter 5, CCSAP Guidelines
[7] Chapter 7, CCSAP Guidelines
[8] Section 5, DPDPA
[9] Section 6, DPDPA
[10] Section 8(3), DPDPA
[11] Section 8(6), DPDPA
[12] Section 11-14, DPDPA
[13] https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
[14] https://www.cert-in.org.in/PDF/Policy_Guidelines_Handling.pdf
[15] Para 8(i), CCSAP Guidelines
[16] Para 18(iv), CCSAP Guidelines
[17] Para 10.3, CCSAP Guidelines
[18] Para 13.1.1.c, CCSAP Guidelines
[19] Para 10.3.iv, CCSAP Guidelines
[20] Para 10.3.vi, CCSAP Guidelines
[21] Para 9.1, CCSAP Guidelines
[22] Para 9.2, CCSAP Guidelines
[23] Para 17.iii, CCSAP Guidelines
[24] Para 10.3.ii, CCSAP Guidelines
[25] Para 16.6, CCSAP Guidelines
[26] Para 15.2.6, CCSAP Guidelines
[27] Para 8.v, CCSAP Guidelines
[28] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148943