CERT-In does not issue a formal compliance certificate. “CERT-In compliance” refers to guidelines and directions that organizations, whether small or large, operating in India are expected to follow to maintain a minimum level of cybersecurity.
These measures demonstrate that reasonable security practices were in place if any incident occurs. They are important not only for regulatory reasons but also for handling legal situations and supporting cyber insurance claims, where proof of following required controls is often necessary.
The purpose of this guide is to explain these requirements in a clear and practical way, so businesses can understand what is expected and follow a structured approach without confusion or last-minute pressure.
Mandatory CERT-In Compliance Requirements that MSMEs Must Follow
The CERT-In Compliance guidelines cover areas such as password practices, data protection, system and infrastructure security, along with specific expectations like conducting security assessments (such as VAPT), retaining logs for 180 days, and reporting cybersecurity incidents within a 6-hour window. These requirements focus on incident response, monitoring, and accountability. Below we have explained them in detail:
1. Mandatory 6-Hour Incident Reporting
Organizations must report cybersecurity incidents, such as data breaches, ransomware attacks, or unauthorized access, within 6 hours of detection. Timely reporting is critical to meet regulatory expectations and avoid penalties.
2. 180-Day Log Retention & Location
All system and network logs must be stored for at least 180 days and should be maintained within India. These logs must be available for investigation if required.
3. NTP Clock Synchronisation
Systems should follow a consistent and accurate time source using Network Time Protocol (NTP). Proper time synchronization ensures that logs and security events can be tracked and correlated correctly.
4. VAPT and Security Audits (Through Empanelled Auditors)
Organizations are expected to conduct regular Vulnerability Assessment and Penetration Testing (VAPT) or security audits. These assessments should be performed by auditors empanelled with CERT-In to ensure acceptance and compliance alignment.
5. KYC for VPN and Cloud Providers
Service providers such as VPN operators and cloud providers must maintain proper Know Your Customer (KYC) details of their users. This helps in traceability and accountability during investigations.
6. Appointing a Point of Contact (PoC)
Organizations must designate a Point of Contact (PoC) who will be responsible for coordinating with CERT-In. This person ensures timely communication, incident reporting, and compliance with directions.
These requirements are aimed at ensuring that organizations can detect, respond to, and investigate cybersecurity incidents effectively. For MSMEs, following these steps helps meet expectations during audits or compliance checks.
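To make the measurable parts of these requirements concrete (180-day log retention inside India, a synchronised clock, and the 6-hour reporting window), here is an added audit helper. It is example code written for this guide, not code from the page or from Peneto Labs, and it assumes a constructed log inventory with a per-file region tag and a constructed excerpt in the layout of `chronyc tracking`.

```python
from datetime import date, datetime, timedelta

RETENTION_DAYS = 180                 # logs must be kept for at least 180 days
REPORT_WINDOW = timedelta(hours=6)   # incidents reported within 6 hours of detection
ALLOWED_REGIONS = {"in"}             # logs must stay within India (region tag is an assumption)
TODAY = date(2024, 6, 30)            # constructed audit date

def build_sample_index(today=TODAY):
    """Constructed inventory of daily log archives: two days lost, one stored outside India."""
    index = []
    for i in range(200):
        if i in (45, 46):            # the gap an auditor should catch
            continue
        region = "us" if i == 10 else "in"
        index.append({"day": today - timedelta(days=i), "region": region})
    return index

def retention_gaps(index, today=TODAY, days=RETENTION_DAYS):
    """Days in the required window with no in-India copy, and days whose only copy is offshore."""
    kept = {e["day"] for e in index if e["region"] in ALLOWED_REGIONS}
    offshore = sorted(e["day"] for e in index if e["region"] not in ALLOWED_REGIONS)
    window = [today - timedelta(days=i) for i in range(days)]
    missing = [d for d in window if d not in kept]
    return missing, offshore

def reporting_deadline(detected_at_iso):
    """Latest time an incident detected at the given ISO-8601 timestamp must be reported."""
    return (datetime.fromisoformat(detected_at_iso) + REPORT_WINDOW).isoformat()

SAMPLE_TRACKING = """\
Reference ID    : CB00710A (203.0.113.10)
Stratum         : 4
Ref time (UTC)  : Sun Jun 30 08:59:46 2024
System time     : 0.000002915 seconds slow of NTP time
Last offset     : +0.000012235 seconds
Leap status     : Normal
"""   # constructed excerpt in the layout of `chronyc tracking`

def ntp_in_sync(tracking_output, max_offset_s=0.5):
    """True when the clock reports a normal leap status and a small last offset."""
    fields = {}
    for line in tracking_output.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if fields.get("Leap status") != "Normal":
        return False
    return abs(float(fields["Last offset"].split()[0])) <= max_offset_s
```

Calling `retention_gaps(build_sample_index())` on the constructed inventory flags three days (two lost, one kept offshore), which is the kind of gap an auditor will ask about; `reporting_deadline` and `ntp_in_sync` give the other two checks in the same run.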

Step-by-Step Approach to CERT-In Mandated VAPT Certification
One of the key expectations under CERT-In directions is to perform regular security assessments such as VAPT at least once a year. A structured approach helps organizations complete this process without confusion or delays.
Step 1: Understand Your Requirement
Start by identifying why the VAPT is needed. It could be for a government project, client requirement, regulatory expectation, or internal security validation. This helps define the depth and urgency of the assessment.
Step 2: Define Scope Clearly
Clearly list what needs to be tested. This may include web applications, mobile apps, APIs, cloud environments, and network infrastructure. A well-defined scope avoids unnecessary testing and ensures nothing critical is missed.
Step 3: Perform Security Assessment
Engage a CERT-In empanelled auditor to conduct the VAPT. The assessment typically includes identifying vulnerabilities and testing whether they can be exploited.
Step 4: Fix Vulnerabilities
Once the report is shared, focus on fixing critical and high-risk vulnerabilities first. Addressing these issues quickly reduces exposure and helps move the process forward efficiently.
Step 5: Retesting and Validation
After fixes are implemented, the auditor performs retesting to verify that vulnerabilities have been properly resolved. This step is important to ensure the system is secure before final reporting.
Step 6: Final Report Review
Carefully review the final report to ensure it includes:
- Complete scope coverage
- Proper risk classification
- Evidence of vulnerability closure
- Alignment with compliance expectations
Following these steps helps organizations complete VAPT in a structured way, ensuring both security and alignment with CERT-In guidelines without last-minute pressure.
Step 7: Maintain Documentation
Once the VAPT process is completed, the next step is to maintain proper documentation. Keep records of assessment reports, vulnerability fixes, retesting results, and monitoring logs. This helps during compliance reviews and provides proof that required security measures are in place.
Organizations should also treat VAPT as an ongoing activity, not a one-time task. It is recommended to perform security assessments in situations such as:
- Before a product launch
- After major application updates or feature releases
- When there are infrastructure or cloud changes
- During periodic security reviews
Following this approach ensures that systems remain secure over time and aligned with expectations set by CERT-In.

Get CERT-In VAPT Certificate from Peneto Labs
When organizations plan a CERT-In aligned VAPT, they are not just looking for a test; they need a clear and accurate process. This is why many companies choose Peneto Labs for their security assessments. Peneto Labs has been empanelled by CERT-In to conduct information security auditing services. Here is why the top 1% of Indian companies choose us.
1. Experienced Team Across Industries
Our highly qualified pentesters bring years of experience working with startups, enterprises, and regulated sectors. This helps in understanding different system architectures and compliance expectations from the start.
2. Manual Testing Along with Automation
Instead of relying only on automated tools, our pentester team performs manual penetration testing to identify deeper vulnerabilities that tools alone may miss. This results in more accurate and reliable findings.
3. Clear and Actionable Reports
Our VAPT reports are structured to help both technical and non-technical teams. Each finding includes a clear risk rating and practical steps for fixing the vulnerability, making remediation easier.
4. Free Retesting Support
After vulnerabilities are fixed, we provide free retesting to validate closure. This helps avoid additional costs and ensures the final report is complete.
5. Transparent Communication
Regular updates, clear timelines, and direct coordination with your team ensure there are no surprises during the engagement.
6. Focus on Compliance-Ready Output
The final reports are prepared in a way that supports compliance needs, including proper scope coverage, risk classification, and validation of fixes.
Choosing the right CERT-In empanelled partner makes a significant difference in both cost and outcome. With Peneto Labs' experts, organizations get a structured approach that helps complete VAPT smoothly and prepare for compliance without delays.
Conclusion
CERT-In requirements may seem complex at first, but they become manageable when approached in a structured way. Instead of treating them as urgent tasks, organizations should focus on understanding what is expected: security assessments, timely incident reporting, proper logging, and implementation of basic security controls.
The key to avoiding confusion is planning ahead and following a step-by-step approach. Defining the right scope, conducting VAPT through empanelled auditors, fixing vulnerabilities, and maintaining proper documentation all contribute to a smooth process.
Most importantly, organizations should remember that this is not about obtaining a certificate. It is about maintaining a minimum level of security and being prepared in case of an incident. When systems are regularly tested and processes are in place, compliance becomes a routine activity rather than a last-minute challenge. With the right preparation and clarity, businesses can meet CERT-In expectations confidently, without panic or unnecessary delays.