The 2025 guidelines don’t just tell organizations to perform audits—they reshape how those audits work. They set clear standards for planning, execution, and follow-up. They demand accountability from both auditors and organizations. And they expand the audit scope to include AI systems, mobile apps, cloud platforms, supply chains, and even blockchain infrastructure.

Most importantly, CERT-In now wants organizations to treat audits as a strategic defense tool, not just a legal requirement. The guidelines push leaders to ask: Are we truly secure? Not just: Are we compliant?

This article breaks down what changed, why it matters, and how your organization can get ahead of these sweeping new expectations.

What’s New in the CERT-In July 2025 Guidelines

CERT-In’s July 2025 guidelines go far beyond previous audit protocols. They focus on strengthening India’s digital defenses through clarity, structure, and real accountability. Here’s a look at the key changes every organization needs to understand:

1. Annual Cybersecurity Audits Are Now Mandatory

Organizations must now conduct full-scale cybersecurity audits every year. These audits must cover all key assets—networks, applications, cloud setups, operational technology (OT), and even mobile platforms. Sector regulators may also demand more frequent checks based on the nature of risk.

2. Audits Must Be Risk-Based, Not Just Regulatory

CERT-In urges organizations to align their audits with real-world threats, not just check off regulatory boxes. Audits must consider how systems actually function, how users interact, and where vulnerabilities might lead to serious harm.

3. Wider Scope: AI, Blockchain, and IoT Now Included

The new guidelines bring in cutting-edge systems under the audit lens:

  • AI system audits (for security, ethics, and bias)
  • Blockchain and smart contract reviews
  • IoT and Industrial IoT (IIoT) security assessments
  • Supply chain and vendor risk audits

This reflects a clear message: if your tech stack is complex, your audit must be too.

4. Dual Scoring: CVSS + EPSS Now Required

Auditors must now use two scoring systems to rank vulnerabilities:

  • CVSS shows how severe a vulnerability is.
  • EPSS predicts how likely it is to be exploited in the wild.

This dual approach helps prioritize what matters most and what needs fast action.
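To make the dual-scoring idea concrete, here is an added example (not from the CERT-In guidelines or any auditor's toolkit) that ranks a set of findings by a CVSS severity band and an EPSS exploitation probability together, and renders the risk-ranked list with CVE/CWE references that the audit report needs. The CVSS severity bands are the qualitative ratings from the CVSS v3.1 specification; the EPSS cutoff of 0.10 and the four-tier rule are assumptions chosen for illustration, not thresholds CERT-In prescribes. The sample findings and their CVE ids are constructed placeholders.

```python
"""Rank audit findings with CVSS severity and EPSS exploit probability.

Added example, not from the CERT-In guidelines or any auditor's toolkit.
The CVSS severity bands follow the CVSS v3.1 qualitative rating scale; the
EPSS threshold (0.10) and the tier rules are an assumption for illustration.
"""
from dataclasses import dataclass

EPSS_ACTIONABLE = 0.10   # assumption: EPSS probability treated as "likely exploited"
CVSS_HIGH = 7.0          # CVSS v3.1 "High" band starts at 7.0


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str        # CVE id; the sample data below uses labelled placeholders
    cwe: str        # CWE reference for the weakness class
    cvss: float     # CVSS v3.1 base score, 0.0-10.0
    epss: float     # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    title: str


def cvss_severity(score: float) -> str:
    """Qualitative rating per the CVSS v3.1 severity rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_tier(f: Finding) -> int:
    """Map the CVSS/EPSS pair to a remediation tier (1 = act fastest).

    Tier rules (assumption, for illustration):
      1: severe (CVSS >= 7.0) AND likely exploited (EPSS >= 0.10)
      2: severe but no strong exploitation signal
      3: not severe but likely exploited
      4: everything else
    """
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {f.epss}")
    severe = f.cvss >= CVSS_HIGH
    likely = f.epss >= EPSS_ACTIONABLE
    if severe and likely:
        return 1
    if severe:
        return 2
    if likely:
        return 3
    return 4


def rank_findings(findings):
    """Sort by tier, then by EPSS, then by CVSS (most urgent first)."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))


def report_lines(findings):
    """Render the risk-ranked findings list for the audit report, with CVE/CWE refs."""
    lines = []
    for rank, f in enumerate(rank_findings(findings), start=1):
        lines.append(
            f"{rank}. P{priority_tier(f)} {f.asset}: {f.title} "
            f"[{f.cve}, {f.cwe}] CVSS {f.cvss:.1f} ({cvss_severity(f.cvss)}), "
            f"EPSS {f.epss:.2f}"
        )
    return lines


# Constructed sample findings. The CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("web-portal", "CVE-0000-00001", "CWE-89", 9.8, 0.02, "SQL injection in search"),
    Finding("vpn-gateway", "CVE-0000-00002", "CWE-287", 8.1, 0.65, "Auth bypass on admin API"),
    Finding("hr-app", "CVE-0000-00003", "CWE-79", 6.1, 0.30, "Stored XSS in profile page"),
    Finding("build-server", "CVE-0000-00004", "CWE-1104", 3.7, 0.01, "Outdated build plugin"),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_FINDINGS):
        print(line)
```

Run as a script, the sample shows why two scores matter: ordered by CVSS alone the 9.8 SQL injection would top the list, but the 8.1 authentication bypass with a 0.65 EPSS probability lands in tier 1 and is ranked first, which is the "what needs fast action" signal the guidelines are after.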

5. Stronger Rules for Auditors and Audit Reports

Only CERT-In-approved professionals can perform audits. No interns, third-party contractors, or freelancers allowed. Audit teams must document everything: tools used, methods followed, issues found, and how they confirmed results.

Every audit report must include:

  • A full scope and timeline
  • Risk-ranked findings (with CVE/CWE references)
  • Secure evidence and audit artifacts
  • A clear summary for board-level decision makers

6. Follow-Up Audits and Remediation Are Non-Negotiable

Organizations must act on audit findings—and prove they’ve fixed them. Auditing teams must perform follow-up checks to confirm that fixes were applied properly. Only then can the final report be closed.

7. CERT-In Gets Real-Time Visibility

Auditors must now share audit metadata with CERT-In within 5 days of completion. This helps the government track security trends, raise national alert levels, and improve standards across sectors.

Reimagining Responsibilities: Auditee vs. Auditor

CERT-In’s 2025 guidelines draw a clear line between what auditors must deliver and what organizations (auditees) must own. The message is simple: cybersecurity is a shared responsibility—but accountability starts at the top.

🔹 Auditee Organizations: Take Full Ownership

Auditee organizations no longer have the luxury of passive involvement. The new rules require them to:

1. Lead From the Top

Executives and board members must review and approve audit plans. They also need to track whether teams fix the issues the audit uncovers. Cybersecurity is now a boardroom issue, not just an IT checklist.

2. Own Remediation

Once the audit identifies vulnerabilities, the auditee must fix them promptly. Teams must patch systems, close gaps, and prepare for follow-up reviews. If something isn’t fixed, the organization—not the auditor—is held responsible.

3. Enforce Secure Design and Development

Before an audit begins, auditee organizations must ensure that their apps follow secure-by-design practices. Auditors won’t assess insecure or untested systems. This prevents “compliance theater” and encourages proactive security from Day 1.

4. Control Infrastructure and Access

Organizations must:

  • Use genuine, updated software
  • Apply least-privilege access controls
  • Enforce multi-factor authentication (MFA) for remote access
  • Maintain a secure inventory of assets and logs

Security now starts at configuration—not during damage control.

5. Support the Audit Without Interference

Auditees must provide full access to systems, people, and data in scope. They must also avoid any changes to systems during the audit and maintain integrity throughout the process.

🔹 Auditing Organizations: Raise the Bar

The auditors themselves face stricter rules and higher expectations.

1. Use Only CERT-In Declared Staff

Only personnel declared to CERT-In can perform audits. Auditors cannot deploy interns, freelancers, or third-party consultants. Every team member must meet CERT-In’s eligibility and ethical standards.

2. Maintain Independence and Integrity

Auditors must avoid conflicts of interest. Audit fees cannot depend on results. Auditors must report if the auditee tries to influence findings or pressure them during the process.

3. Handle Data Securely

All audit data must:

  • Stay within India
  • Be stored in encrypted form
  • Be permanently wiped after project completion

Auditors must issue a certificate confirming secure deletion of sensitive data.

4. Communicate Clearly and Consistently

Auditors must:

  • Define scope and methods before starting
  • Get formal consent for high-risk tests (like DoS or red team exercises)
  • Deliver clear, readable, and complete reports
  • Present findings directly to senior management in entry/exit briefings

5. Stay Updated and Professional

Audit teams must understand the latest threats, tools, and regulatory standards. CERT-In expects continuous skill-building—not just past experience.

Enforcement and Accountability

CERT-In’s 2025 guidelines come with serious teeth. The framework doesn’t just advise best practices—it enforces them with clear consequences. Organizations and auditors who ignore responsibilities or fail to meet standards will face swift and graded action.

1. Accountability for Auditees

Organizations can no longer push blame onto auditors. Under the new rules, if a breach happens due to poor remediation, delayed fixes, or weak internal practices, the auditee holds the primary responsibility.

Auditees must:

  • Prove they’ve acted on audit findings
  • Document all patching and remediation steps
  • Be ready for follow-up checks

Failing to act on critical vulnerabilities, especially those with known exploitation risks, puts the organization at regulatory and reputational risk.

2. CERT-In’s Deter & Punish Framework for Auditors

CERT-In introduced a graded penalty system for empaneled auditors who fall short. These include:

Violation Type                                         Consequence
Minor lapses (e.g., vague reports, missed details)     Watchlist + Warning + Written Commitment
Repeat failures or poor audit quality                  Temporary Suspension
Malpractice or gross negligence                        De-empanelment under GFR rules
Data breaches or misconduct                            Penal & Legal Action

CERT-In won’t wait for repeated violations. Even a single serious breach of trust can trigger immediate penalties.

3. CERT-In Can Step In Anytime

CERT-In has the right to:

  • Join audits as observers
  • Request full audit data and evidence
  • Investigate quality or ethics concerns
  • Act on complaints from auditee organizations

This oversight helps ensure that both sides—auditors and auditees—treat audits with the seriousness they demand.

4. Mandatory Reporting Within 5 Days

Auditors must share audit metadata and outcomes with CERT-In within five working days of audit completion. This requirement:

  • Helps CERT-In detect systemic issues across sectors
  • Feeds into national cyber threat intelligence
  • Promotes consistency and transparency in audit standards

Failure to report on time is a compliance breach.

Strategic Implications for Enterprises and Sectors

CERT-In’s 2025 guidelines don’t just change how audits are done—they change how organizations prepare for and respond to cyber risk. The impact stretches across leadership, technology, procurement, compliance, and even vendor management.

1. CISOs and Security Leaders Must Reframe Priorities

CISOs and IT security heads must shift from reactive fixes to proactive planning. The new framework expects leaders to:

  • Conduct risk-based, full-scope audits every year
  • Plan for follow-up audits and remediation cycles
  • Align security strategy with CERT-In’s evolving frameworks

Security teams can no longer silo audits under compliance. They must treat audits as tools to detect, correct, and improve continuously.

2. Board-Level Awareness and Action Are Now Essential

CERT-In now involves the Board of Directors and senior executives at key points:

  • Onboarding presentations to set scope and expectations
  • Exit conferences to discuss risk posture and next steps
  • Executive summaries tailored for leadership, not just tech teams

This demands a cultural shift where cyber risk becomes part of business risk—and leadership treats it with equal urgency.

3. DevSecOps Must Be Audit-Ready by Design

For development teams, the message is clear: you can’t audit your way out of insecure code.

Applications must be:

  • Built with secure-by-design principles
  • Reviewed with SAST and DAST tools
  • Version-controlled with artifact tracking
  • Hosted in environments that match the audit scope

If the software doesn’t follow these steps, auditors can reject it outright.

4. Procurement and Vendor Teams Need New Evaluation Standards

Supply chain and third-party risks are now audit scope items. Procurement teams must:

  • Verify that vendors follow CERT-In-compatible practices
  • Include security controls and audit obligations in contracts
  • Request SBOM, QBOM, or AIBOM declarations where needed

Vendor risk is now your risk—and CERT-In will hold you accountable for it.

5. Cloud, OT, and Emerging Tech Require Deeper Scrutiny

Sectors using:

  • Cloud infrastructure
  • Operational Technology (OT) or Industrial Control Systems (ICS)
  • Blockchain, IoT, or AI systems

…must now include these technologies in audit scope. The era of ignoring “non-traditional” infrastructure in security audits is over.

6. Audits Become Part of the Business Lifecycle

Organizations must now build audits into:

  • Annual planning and budgeting
  • System upgrade and migration strategies
  • Software development life cycles
  • Third-party evaluations and acquisitions

Treating audits as end-of-year rituals will no longer work.

The Bottom Line

CERT-In’s 2025 guidelines tell every enterprise—large or small—that security is not a department. It’s a shared responsibility that touches every system, contract, and decision. The earlier leaders embrace this, the stronger their organization will stand against modern threats.

Conclusion: Turning Regulation into Resilience

The CERT-In July 2025 guidelines signal more than a regulatory update—they mark a shift in national cybersecurity thinking. With clearer rules, deeper scopes, and stricter enforcement, India has laid the foundation for a resilience-first digital future.

Organizations that embrace these changes won’t just pass audits—they’ll build systems that can withstand evolving threats, adapt to new technologies, and inspire trust across ecosystems.

This is not the time to aim for the bare minimum. It’s a call to lead through security, to weave protection into every layer of operations, and to treat audits as tools for growth. Those who act now will not only meet CERT-In’s standards—they’ll help raise the bar for the entire ecosystem.

At SPOG.AI, we are committed to empowering organizations with intelligent, risk-aware security solutions that go beyond compliance—helping you build true cyber resilience in line with CERT-In’s vision for a secure digital India.