CERT-In Security Audit Services
Securexocean delivers CERT-In security audit services for organizations subject to India's cybersecurity directives — covering incident reporting compliance, security controls assessment, vulnerability management, and documentation review against CERT-In's mandated requirements.
Service Introduction
CERT-In operates under MeitY as India's national cybersecurity agency under Section 70B of the IT Act, 2000. CERT-In's April 2022 directions significantly expanded compliance obligations for service providers, intermediaries, data centres, and body corporates — imposing six-hour incident reporting timelines, 180-day log retention requirements, NTP synchronization mandates, and requirements for documented cybersecurity policies and a designated CERT-In point of contact.
Regulated sectors including financial services, healthcare, and government connected entities must use CERT-In empanelled auditors for security audits — making empanelment a qualifying criterion for the auditor. Securexocean is a CERT-In empanelled security auditor, satisfying this requirement across all sectors that mandate it.
THREAT LANDSCAPE
CERT-In's directions are legally binding under the IT Act. Non-compliance with mandatory incident reporting, log retention, or audit obligations constitutes a statutory violation. Organizations that have not implemented required controls are operating with unresolved legal non-compliance.
CERT-In's six-hour reporting obligation requires detection, escalation, and reporting capabilities to already exist before an incident occurs. Organizations discovering this gap only after an incident have already violated their reporting obligation. A CERT-In security audit identifies these gaps while there is still time to remediate them.
Control Gaps Identified Through CERT-In Security Audit
Absence of documented cybersecurity policies covering CERT-In direction domains
No designated point of contact or contact details not formally registered with CERT-In
Log management not meeting 180-day retention requirement or lacking tamper-evident storage
NTP synchronization not configured against the National Physical Laboratory time server
Incident detection insufficient to support the six hour reporting timeline
Absence of formal vulnerability management procedures with defined remediation timelines
Third-party arrangements without contractual security obligations or audit rights
Comprehensive review of security documentation including policies, incident response procedures, log management configurations, access control policies, network architecture, and vendor security contracts. Gaps between existing documentation and CERT-In requirements identified and recorded.
Technical assessment of controls against CERT-In direction requirements and established best practices. Network security configurations, access controls, logging systems, NTP synchronization, data backup procedures, and incident response tooling each evaluated for design adequacy and operational effectiveness.
VAPT conducted across in-scope network infrastructure, internet-facing applications, and internal systems. All findings manually validated before inclusion in the report with risk ratings, exploitation evidence, and remediation guidance provided.
Findings compiled across all three assessment phases into a comprehensive report. Findings walkthrough conducted with your team. Remediation support provided. Closure verification conducted before final report issuance.
Audit Toolset
Our team uses CERT-In direction compliance assessment frameworks, network and application security testing tools for mandated VAPT, asset discovery and classification tools, third-party risk assessment frameworks, access control review methodologies, log management configuration review tools, and NTP synchronization assessment tools.
CERT-In direction compliance assessment report covering all mandatory control domains
VAPT report with risk-rated findings and remediation guidance
Gap analysis mapping current posture against CERT-In direction requirements
Incident response and reporting readiness assessment with six-hour notification capability evaluation
Log management and NTP synchronization configuration review findings
Final audit report formatted for regulatory submission
Regulatory Alignment
Sector regulators specifying CERT-In empanelled auditors for security audits. Securexocean's empanelled status satisfies this qualification across all applicable sectors.
Primary instrument. All assessment domains and report format directly follow CERT-In 2022 directions applicable to covered entities.
CERT-In audit findings are mapped to ISO 27001 controls where applicable, supporting organizations pursuing certification alongside CERT-In compliance.
Organizations processing personal data subject to DPDP Act obligations benefit from CERT-In audit scope coverage of incident detection and response controls relevant to data breach notification requirements.
CERT-In Security Audit FAQs
Enterprise-grade VAPT, GRC advisory, compliance consulting, and AI-assisted threat management for modern businesses.
© 2026 Securexocean. All rights reserved.
