CERT-In Security Audit
Meet CERT-In's Section 70B directions and the 2025 comprehensive audit guidelines.
70B Directions Gap
Against the Section 70B directions
Comprehensive ICT Audit
Full-estate audit with VAPT
Signed Certificate
CERT-In-format report with sign-off
CERT-In Auditors
Empanelled, recognised auditors
What it is
CERT-In's 28 April 2022 Directions under Section 70B of the IT Act 2000 impose mandatory cyber-incident reporting within 6 hours, 180-day log retention within India, and clock synchronisation to NIC/NPL NTP servers. CERT-In also empanels the auditors that financial regulators require.
Who must comply
All body corporates, service providers, intermediaries, data centres and government organisations, plus VPN/VPS, cloud and crypto providers operating in or serving India.
How IntelligenceX helps
Frequently Asked Questions
Specified cyber incidents must be reported to CERT-In within 6 hours of detection, in the prescribed format. This is one of the world's tightest reporting windows, so an incident-response playbook and 24x7 detection are practical prerequisites.
RBI, SEBI and IRDAI all require CERT-In empanelled auditors for VAPT and IS audits. Using an empanelled firm makes one audit usable across multiple regulator filings.
CERT-In's July 2025 guidelines call for an annual comprehensive ICT audit with independent reviewers and signed certificates. We scope the full estate, run the audit and VAPT, and deliver the report in CERT-In format with the required sign-offs.