Cyber threats are growing every day in India. If you run a business, you already know how serious the risks are. A single breach can damage your reputation and cost you huge losses.
To deal with this, the government has made strict cybersecurity rules. The Indian Computer Emergency Response Team (CERT-In) is leading this effort. Its guidelines for Vulnerability Assessment and Penetration Testing (VAPT) help organizations reduce risks and fight cyberattacks effectively.
If your company deals with sensitive customer data, online transactions, or critical services, you must understand these rules. In this blog, we’ll explain the important CERT-In guidelines for VAPT, their impact on businesses, and how you can stay compliant without confusion.
Key CERT-In Guidelines for VAPT
To protect sensitive data and ensure legal compliance, organizations must follow CERT-In’s VAPT guidelines carefully. These rules provide a structured approach for auditing, testing, reporting, and remediating vulnerabilities.
1. Hire CERT-In Empanelled Auditors
IT security compliance is a legal requirement for organizations in critical sectors such as banking, finance, telecom, power, healthcare, government, and other industries that handle sensitive data or provide essential services.
You must note that as per government directives and regulatory norms, only CERT-In empanelled IT security auditors are authorized to perform security audits of such sectors.
CERT-In publishes and updates the official list of CERT-In empanelled auditors for businesses to choose from. Engaging with these approved auditors ensures that the audit process follows the right methodology and the final report is often preferred by regulatory bodies.
However, you can still engage with non-CERT-In empanelled vendors for internal security checks, routine VAPT, or pre-compliance testing.
2. Report Incidents Within Six Hours
CERT-In directives require reporting specified cyber incidents within six hours because quick reporting enables coordinated response and helps limit further damage. Appoint a single point of contact to communicate with CERT-In promptly about the cyber incident.
3. Test Regularly
VAPT is not a one-time task. Vulnerability testing should be regular and after major system, software changes or new deployments. While testing, you must:
- Include network, application, cloud, mobile, API, and infrastructure testing in scope.
- Define clear scope, rules of engagement, and legal authorization before testing.
- Obtain written permission and document testing windows and allowed techniques.
- Use non-disclosure agreements to protect sensitive findings and customer privacy.
- Prioritize remediation based on severity, impact, and exploit likelihood immediately.
- After fixes, perform retesting to verify issues closed and controls effective.
- Document remediation steps, timelines, and responsible persons for audit trails.
4. Maintain Security Logs
Maintain system logs and evidence for investigations, they help to identify suspicious activity during compliance audits. CERT-In expects logs to be retained for a rolling 180-day period. Store logs securely, make them tamper-evident, and ensure quick access.
5. Cover Third-Party and Cloud Systems
If you rely on third party vendors or cloud platforms, include them in your extended security perimeter. Include vendor systems in your risk assessment and VAPT requirements early. Weak vendor security can still expose your business.
6. Share Threat Intelligence
CERT-In encourages businesses to share threat data. This collective approach helps strengthen India’s overall cyber defense. Threat intelligence sharing helps detect patterns and prevents repeated attacks faster.
- Share anonymized indicators with CERT-In and trusted sector information-sharing groups.
- Prepare evidence packs with screenshots, logs, and remediation verification documents.
- Keep customer notification processes ready for incidents affecting personal data or privacy.
- Non-compliance can lead to regulatory action, fines, and reputational harm.
7. Fix and Retest
Finding issues is not enough, you must act on them. Once vulnerabilities are identified, fix them without delay. Hackers often exploit known issues that remain unpatched for weeks or months. Quick remediation reduces your exposure and protects sensitive data.
After fixing, don’t assume the problem is solved. Always retest your systems to confirm the vulnerabilities are fully closed and that no new risks were introduced during the fix. Document every step- what was found, how it was fixed, and the results of retesting. These remediation records are important for compliance audits and also build confidence with stakeholders.
8. Define Roles and Responsibilities
Clear roles and responsibilities are critical for effective VAPT. Your organization must provide full access to systems, logs, and required documentation. Teams should cooperate with auditors and implement recommended fixes promptly. Meanwhile, auditors are responsible for following impartial methodologies, maintaining confidentiality, and preparing accurate reports. Clearly defining these responsibilities ensures the audit runs smoothly and meets all regulatory expectations.
9. Follow a Standardized Audit Framework
CERT-In mandates that all VAPT audits follow a uniform framework. This framework ensures consistency, accuracy, and acceptance of audit reports by regulatory authorities. By adhering to a structured process- covering planning, testing, reporting, and follow-up, organizations can improve the credibility of their security assessments and reduce the risk of gaps in compliance.
10. Plan and Define Scope Carefully
Before starting VAPT, organizations should clearly define the audit scope. This includes specifying which systems, applications, and networks are to be tested. Organizations must also establish rules of engagement, set authorized testing windows, and define allowed techniques. Obtaining written approval for the scope prevents legal issues and ensures the audit does not disrupt business operations.
11. Document Reporting and Evidence Properly
Accurate reporting is a key part of compliance. Audit reports should detail findings, risk levels, and recommended remediation steps. Supporting evidence- such as logs, screenshots, and verification reports, must be included to validate each finding. Proper documentation not only facilitates audits but also demonstrates your commitment to cybersecurity best practices.
12. Prioritize Critical Assets and Risks
Not all systems carry the same level of risk. Organizations should identify their most sensitive applications and data and prioritize vulnerabilities based on potential impact. Risk-based testing ensures that resources focus on the areas most likely to be exploited, making security efforts more effective and efficient.
13. Follow Up and Track Remediation
Finding vulnerabilities is just the beginning. After remediation, organizations must track all fixes, record closure dates, and retest systems to confirm that issues are fully resolved. Sharing evidence of remediation with auditors is essential for compliance verification. This formal follow-up ensures that vulnerabilities do not persist and that your organization meets regulatory requirements.
14. Train Staff and Build Awareness
Employees are often the first line of defense against cyber threats. Organizations should provide regular training on detecting, reporting, and responding to security incidents. CERT-In recommends integrating security awareness programs into daily operations, as human error is a common cause of data breaches.
15. Understand Full Non-Compliance Consequences
Failing to comply with CERT-In guidelines can have serious consequences. Beyond fines under Section 70B(7) of the IT Act, 2000, organizations may face mandatory remediation orders, operational restrictions, or regulatory oversight. Following all guidelines strictly helps protect your business legally, operationally, and reputationally.
About Peneto Labs, an Expert Web Application Penetration Testing Company
Peneto Labs is a cybersecurity company headquartered in Chennai, India. Peneto Labs has been empanelled by CERT-In to conduct information security auditing services. Established in 2017, we have quickly gained a reputation as a reliable partner for organizations looking to enhance their cybersecurity and meet regulatory compliance requirements. We provide a wide range of cybersecurity services, including:
- Application Penetration Testing: Examining web, mobile, and API applications to uncover vulnerabilities.
- Network Penetration Testing: Assessing both internal and external network infrastructure for security weaknesses.
- Vulnerability Assessment and Penetration Testing (VAPT): Performing detailed evaluations to identify and mitigate potential security risks.
- Red Teaming: Simulating advanced cyber threats to test and strengthen organizational defenses.
- IoT, OT, and SCADA Security Audits: Protecting critical infrastructure and operational technology systems.
The company follows globally recognized standards and methodologies, such as OWASP, NIST, and PTES, ensuring that all assessments are thorough, reliable, and aligned with best practices in the cybersecurity industry.
Final Thoughts
Following CERT-In VAPT guidelines helps businesses identify vulnerabilities, strengthen defenses, and stay compliant with legal requirements. By adopting these guidelines, businesses not only reduce risks but also build trust with customers, partners, and regulators.
Remember, cybersecurity is a continuous journey. Regular VAPT, staff training, and proactive threat intelligence sharing can make the difference between a secure organization and costly breaches.
Engaging experts like Peneto Labs, who follow internationally recognized methodologies and provide thorough assessments, ensures your organization remains protected against evolving cyber threats. Take action today to secure your systems and stay ahead of cyber risks.