CERT-In guidelines for cybersecurity: What every IT team should know

Ever felt like those "cybersecurity recommendations" sound more like warnings these days?

That's because the threat landscape has changed dramatically. In India alone, reported cyber incidents surged from 394,499 in 2019 to over 1.59 million in 2023—more than a fourfold increase in just four years.

To address this, the Indian government empowered CERT-In, the Indian Computer Emergency Response Team, to issue mandatory cybersecurity guidelines for organizations managing critical infrastructure, financial data, and public-sector services. These recommendations aren’t just best practices anymore; they’re baseline requirements your organization is expected to meet.

So, if your organization handles Aadhaar-linked data, manages sensitive financial systems, or supports public infrastructure, meeting CERT-In standards is now part of doing business in India.

But, what does CERT-In actually require? Let’s break down what they mean, why they matter, and how your IT team can stay compliant without the chaos.

What is CERT-In compliance?

CERT-In is India's national agency under the Ministry of Electronics and Information Technology (MeitY). It's responsible for issuing threat advisories, coordinating incident responses, and enforcing national cybersecurity standards.

In April 2022, CERT-In released Direction No. 20(3)/2022, establishing mandatory compliance rules under the IT Act, 2000. These CERT-In guidelines apply to both public and private organizations and aim to strengthen India’s digital defence ecosystem.

In simple terms, CERT-In compliance means adopting key cybersecurity measures to control user access, enforce internal policies, and respond swiftly to cyberthreats.

Key CERT-In compliance requirements for IT teams:

To align with CERT-In guidelines, IT and security teams must ensure the following capabilities:

• Log and monitor activity across critical infrastructure, endpoints, and systems
• Store audit logs securely for at least 180 days
• Report cybersecurity incidents to CERT-In within six hours of detection
• Appoint a dedicated point of contact (PoC) for CERT-In communications
• Provide logs and user access data during forensic investigations or audits

Failing to meet these requirements can result in financial penalties under the IT act, reputational harm, and disqualification from critical projects.

Who needs CERT-In certification?

CERT-In guidelines are no longer limited to central agencies. They now apply to a wide range of organizations that drive India’s digital economy.

Mandatory certification is required for:

• Government vendors: Companies providing IT software, hardware, or cloud services to any central or state departments.
• Gov.in and NIC hosting providers: Entities that host services on government digital platforms.
• RBI-regulated financial institutions: Banks, NBFCs, payment gateways, and digital lenders must comply with CERT-In and RBI cybersecurity standards.
• SEBI-registered market entities: Stock exchanges, brokers, and fintech companies governed by SEBI cybersecurity frameworks.
• UIDAI-linked organizations: Businesses that process Aadhaar data or integrate with UIDAI services.
• Public sector undertakings (PSUs) and critical infrastructure operators: Entities in telecom, healthcare, energy, transportation, or defence.

Beyond these, private enterprises businesses especially those managing sensitive data like personally identifiable information (PII), financial information, or cloud platforms are increasingly adopting CERT-In compliance to win public-sector contracts, build credibility with clients and partners, and demonstrate cybersecurity accountability.

Why CERT-In compliance is essential for Indian businesses

If you're working with sensitive data or regulated clients, CERT-In compliance is now part of the cost of doing business. The upside? It also helps you operate more securely and win trust faster.

Key benefits of CERT-In compliance for Indian businesses

1. Align with India’s core cyber security and privacy regulations

Complying with the CERT-In guidelines demonstrates that your organization aligns with key Indian regulations like the RBI Cyber Security Framework, SEBI’s guidelines, IRDAI’s IT governance mandates, and the DPDP Act. This alignment helps reduce regulatory friction, protects your business legally, and positions you as a secure and forward-thinking organization in India’s digital economy.

2. Boost audit readiness and investigation response

CERT-In compliance lays the foundation for smooth internal and external audits. Whether you're facing a routine review, a CERT-In empanelled audit, or a post-incident investigation, you'll have the right documentation—access logs, policies, and user activity records—ready to prove accountability and fast response.

3. Builds confidence with customers, partners, and regulators

In India’s competitive and reputation-driven market, proving adherence to CERT-In guidelines reassures stakeholders. It shows that your organization takes data protection seriously, which helps you gain trust from enterprise clients, regulators, and government partners alike.

4. Open doors to government tenders and PSU partnerships

More procurement processes, especially via the Government e-Marketplace (GeM), or PSU channels, now include CERT-In compliance as a baseline requirement. Demonstrating compliance can give your proposals an edge, speed up approvals, and help you qualify for high-value public-sector collaborations.

5. Drive continuous cybersecurity maturity

CERT-In isn’t a one-time box to tick—it encourages continuous improvements in access control, password enforcement, and risk mitigation. This momentum helps reduce incident response time, limit vulnerabilities, and future-proof your business against emerging threats.

Understanding the five CERT-In control categories

To help organizations standardize their cybersecurity approach, the CERT-In guidelines are structured around five core control categories. These form the foundation of every compliance audit and provide a clear framework for assessing security maturity across identity, access, response, and recovery.

Here’s a breakdown of each category:

1. Management controls: This category evaluates how your organization governs cybersecurity internally. It includes documented policies, risk management strategies, and defined roles and responsibilities. Auditors look for signs that leadership is not just aware of security risks—but actively managing them through structured decision-making and policy enforcement.
2. Protective controls: Protective controls focus on your organization’s ability to prevent unauthorized access and data breaches. This includes network defences (like firewalls and endpoint protection), encryption standards, secure coding practices, and physical safeguards in data centres. Strong protective controls reduce the attack surface and make it less likely for malicious actors to gain entry in the first place.
3. Detection controls: These controls ensure your organization can detect suspicious or malicious activity in real time. This often involves continuous monitoring, alerting systems, and visibility into access attempts or configuration changes. While SIEM and IDS systems play a role here, IAM tools that track permission changes and login anomalies also contribute to early detection.
4. Response controls: Once a threat is identified, your response plan comes into play. This control area looks at whether your team has a documented incident response policy, defined escalation paths, and designated roles for communication and containment. CERT-In expects that incidents are not just handled, but handled quickly, with clear logs and timelines that can be shared if needed.
5. Recovery controls: No system is breach-proof. Recovery controls assess your ability to bounce back after an incident. This includes backup strategies, system restoration processes, and business continuity planning. Auditors will verify whether recovery tests are performed, how fast data can be restored, and whether critical systems are resilient to long downtimes.

Common challenges faced for IT teams in CERT-In compliance

The CERT-In guidelines provide a solid structure—but applying them across growing IT ecosystems takes coordination, planning, and the right systems in place. Many Indian IT teams are already making progress, but a few recurring challenges still emerge during implementation. Here are some of the most common challenges IT teams face:

• Resource limitations in fast-growing teams: Smaller IT teams or scaling startups may find it difficult to allocate dedicated resources for identity governance, access reviews, and compliance documentation. These tasks often compete with day-to-day operations, making automation and delegation essential for progress.
• Meeting tight reporting deadlines: CERT-In requires certain cybersecurity incidents to be reported within six hours—a timeline much shorter than global frameworks like GDPR. Organizations need efficient incident detection and escalation protocols to stay compliant, which calls for well-defined workflows and faster visibility into risks.
• Managing broader threat categories: As CERT-In expands the list of reportable events to include cloud, IoT, and third-party platform incidents, security teams must extend their visibility. This creates an opportunity to integrate monitoring across systems and centralize key audit information.
• Disjointed access and identity controls: Fragmented tools and environments can make it difficult to enforce access policies consistently or maintain a unified audit trail. Centralizing IAM operations—like privilege tracking and approval-based access—can help address this gap and simplify audit readiness.
• Moving from reactive to proactive security: CERT-In compliance encourages a shift toward continuous oversight—regular access reviews, policy enforcement, and entitlement validations. With the right systems, this becomes part of business-as-usual rather than a reactive exercise during audits.

Consequences for non-compliance with CERT-In guidelines

Failing to comply with the CERT-In guidelines can have serious implications—not just from a legal standpoint, but also for your organization’s reputation, operational continuity, and future opportunities.

Here’s what’s at stake:

1. Regulatory fines under the IT act

CERT-In violations such as delayed incident reporting, lack of log retention, or failure to cooperate during investigations can result in enforcement action under the Information Technology Act, 2000. This may include fines of up to ₹1 crore and other corrective actions, depending on the severity of non-compliance.

2. Reputational damage and reduced business eligibility

Compliance gaps are often flagged during audits, tenders, or due diligence processes. This can impact your ability to:

• Win public-sector contracts
• Pass partner security assessments
• Build long-term client confidence

In sectors like finance, healthcare, and digital infrastructure, even small missteps can delay onboarding or raise red flags during evaluations.

3. Increased legal and leadership accountability

Regulators may seek explanations from organizational leadership if procedures are found lacking. Without strong policies and documentation, security teams and decision-makers may be held accountable for perceived negligence or non-compliance.

4. Operational disruption and audit rejections

CERT-In may enforce compliance by requiring non-compliant organizations to undergo re-audits or implement mandatory remediation measures. In some cases, access to government infrastructure or data-sharing privileges may be temporarily restricted until compliance is proven.

To meet CERT-In’s identity and access control requirements, many organizations are adopting ManageEngine AD360—a solution trusted by over 280,000 global customers and recognized as a Market Leader in KuppingerCole’s 2024 Leadership Compass for IGA.

How Manageengine AD360 supports CERT-In compliance

ManageEngine AD360 is an integrated IAM solution that empowers Indian organizations to meet these stringent CERT-In expectations efficiently across on-premises, cloud, and hybrid environments.

More than a compliance enabler, AD360 gives SOC teams real-time visibility into identity-related risks, helping them reduce exposure, accelerate response, and maintain full audit trails during emergencies.

Here’s how AD360 maps to key CERT-In requirements across access control, risk detection, auditing, and recovery:

• Role-based access control (RBAC) Define granular access policies based on job roles using AD groups, OUs, and automation rules. This enforces the principle of least privilege, reduces insider risk, and ensures only authorized users access sensitive systems.
• Access certification and entitlement review Run periodic access reviews using certification campaigns. Managers can review, approve, or revoke user permissions to eliminate excessive or orphaned access.
• Help desk delegation with a restricted scope Assign user management tasks (resets, unlocks, group assignments) to non-admins without compromising directory-level access. AD360 restricts scope by OU, group, or attribute—ensuring security and traceability.
• Audit-ready compliance reports

  Generate over 200+ prebuilt reports covering:

  • User logons and logoffs
  • Group memberships
  • Admin privilege assignments
  • File/folder permission changes

  Reports can be auto-scheduled and exported—helping organizations retain logs, prove compliance, and prepare for audits.

• Password policy enforcement Enforce strong password rules (length, complexity, banned words) beyond native AD limitations. Prevent weak, reused, or breached credentials.
• Self-service password reset and account unlock (SSPR) Enable users to securely reset passwords and unlock accounts using MFA—without help desk intervention. Reduces downtime and enforces credential hygiene.
• Multi-factor authentication (MFA) Protect key workflows (e.g., logins, SSPR, admin access) with MFA. Supports OTP via SMS/email, TOTP apps, and integration with Duo or RSA.
• Permission change tracking Track changes to group memberships, access rights, and admin privileges in real time. Alerts can flag unauthorized or risky escalations.
• Account lockout reports & login analyzers Identify the root cause of account lockouts and monitor login failures to detect brute-force or password spray attacks. Provides real-time alerts and detailed diagnostics for incident investigation.
• Risk exposure management for SOC teams

  Detect identity-related risks before they escalate. AD360’s built-in Risk Exposure Management flags:

  • Privilege escalations and abnormal login behaviour
  • Dormant and orphaned accounts
  • High-risk users accessing sensitive systems security teams can instantly revoke access, trigger alert workflows, and document containment efforts—supporting CERT-In’s detection and response mandates.
• Workflow automation with approval-based provisioning Automate identity tasks like user onboarding, offboarding, and privilege requests with custom workflows and multi-level approvals. Ensures consistency and accountability.
• AD backup and granular recovery Schedule incremental backups and restore individual users, groups, or entire OUs. Prevent data loss, maintain operational continuity, and reduce recovery time during incidents.

FAQs