CERT-In Compliance Checklist for Indian Enterprises 2026: Complete Implementation Guide
The CERT-In (Indian Computer Emergency Response Team) mandatory cybersecurity directions of April 2022 impose significant obligations on Indian organisations — from 6-hour incident reporting to 180-day log retention. This comprehensive compliance checklist helps Indian IT and security teams understand, implement, and maintain CERT-In compliance in 2026.
What is CERT-In?
CERT-In is India’s national cybersecurity authority under the Ministry of Electronics and Information Technology (MeitY). The April 2022 CERT-In directions (under Section 70B of the IT Act 2000) apply to all service providers, intermediaries, data centres, body corporates, and government organisations in India. Non-compliance can result in imprisonment up to 1 year and fines up to ₹1 crore under Section 70B(7) of the IT Act.
Key CERT-In Requirements
- 6-Hour Incident Reporting: Report 20 categories of cyber incidents to CERT-In within 6 hours of detection — including data breaches, ransomware, DDoS attacks, unauthorised access, and cryptocurrency fraud
- 180-Day Log Retention: Maintain ICT system logs (application logs, server logs, network logs, database logs) for a minimum of 180 days within India’s jurisdiction
- NTP Clock Synchronisation: All IT systems must synchronise clocks with NIC’s NTP server (time.cdac.in or nas.cdac.in) or other accurate NTP sources
- KYC for Virtual Private Network (VPN) Users: VPN service providers must maintain validated subscriber records (name, email, address, contact number, purpose) for 5 years
- Virtualised Resource Logs: Cloud service providers must maintain logs of virtual resource allocation and access
- Data Centre Records: Data centres must maintain power, cooling, physical access, and asset records
CERT-In Compliance Checklist
Step 1 – Incident Response Plan: Establish a formal Cyber Incident Response Plan (CIRP) with defined roles, escalation procedures, and CERT-In reporting workflows. Assign a CERT-In reporting officer responsible for submitting incident reports within 6 hours.
Step 2 – Log Management Infrastructure: Deploy a centralised log management solution (SIEM) that collects logs from all ICT systems — servers, network devices, firewalls, endpoints, applications, and databases. Ensure logs are retained for 180 days with tamper-proof storage. Microsoft Sentinel, Splunk, or IBM QRadar are commonly used in India.
Step 3 – NTP Configuration: Configure all servers, network devices, and endpoints to synchronise with NIC’s NTP server (time.cdac.in). Verify synchronisation via Windows Time Service (w32tm) or Linux chronyc/ntpq.
Step 4 – Incident Detection Capabilities: Deploy EDR on all endpoints, SIEM for centralised alerting, and network monitoring to detect the 20 incident categories defined by CERT-In — including data breaches, malware, DDoS, and unauthorised access.
Step 5 – Incident Reporting Process: Register on CERT-In’s incident reporting portal (https://www.cert-in.org.in) and test your reporting process. Prepare an incident report template covering: incident type, affected systems, date/time of detection, affected users/data, and containment measures.
Step 6 – Data Localisation: Ensure all ICT system logs are stored within India. If using cloud services (AWS, Azure, GCP), configure data residency in Indian regions (Mumbai, Pune, Chennai) and disable cross-border log replication.
Step 7 – Audit & Documentation: Conduct internal CERT-In compliance audits quarterly. Document all security controls, log management configurations, and incident response procedures for regulatory review.
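For the verification in Step 3 on Linux hosts running chrony, the check can be scripted across the fleet. The following is an added example, not part of the CERT-In directions or any vendor tooling: it audits the CSV output of `chronyc -c sources`. The sample output is constructed, the hostnames are the ones given in this guide, and the 0.5-second offset tolerance is an assumption rather than a CERT-In figure.

```python
import csv
import io

# Hostnames as listed in this guide; replace with your organisation's approved set.
APPROVED = {"time.cdac.in", "nas.cdac.in"}
MAX_OFFSET_S = 0.5  # assumed tolerance, not a figure from the CERT-In directions

# Constructed samples of `chronyc -c sources` output. Columns: mode, state, name,
# stratum, poll, reach (octal), last rx, adjusted offset, measured offset, error.
SAMPLE_OK = (
    "^,*,time.cdac.in,2,6,377,21,0.000412,0.000398,0.018\n"
    "^,+,nas.cdac.in,2,6,377,23,-0.000911,-0.000874,0.021\n"
)
SAMPLE_BAD = (
    "^,?,time.cdac.in,0,6,0,10,0.000000,0.000000,0.000\n"
    "^,*,ntp.example.net,3,6,377,40,0.812000,0.811500,0.050\n"
)


def audit_sources(chronyc_csv, approved=APPROVED, max_offset=MAX_OFFSET_S):
    """Return a list of findings; an empty list means the host passes."""
    findings = []
    selected = None
    for row in csv.reader(io.StringIO(chronyc_csv)):
        if len(row) < 10:
            continue  # skip blank or malformed lines
        state, name = row[1], row[2].lower()
        reach, offset = int(row[5], 8), float(row[8])
        if name in approved and reach == 0:
            findings.append(f"approved source {name} is unreachable (reach=0)")
        if state == "*":  # '*' marks the source chronyd is synchronised to
            selected = name
            if name not in approved:
                findings.append(f"selected source {name} is not on the approved list")
            if abs(offset) > max_offset:
                findings.append(f"offset {offset:+.3f}s to {name} exceeds {max_offset}s")
    if selected is None:
        findings.append("no selected source: clock is not synchronised")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_sources(sample) or "PASS")
```

On a live host, pass it the output of `chronyc -N -c sources`; the `-N` option (chrony 4.0 and later) prints source names as configured rather than reverse-resolved, so they can be matched against the approved list.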
CERT-In vs ISO 27001 vs DPDP Act
CERT-In compliance is mandatory under Indian law. ISO 27001 is a voluntary international information security standard. The DPDP Act 2023 (Digital Personal Data Protection) adds data privacy obligations on top of CERT-In’s cybersecurity requirements. Most regulated Indian enterprises need to comply with all three frameworks simultaneously. Virajo AutoSoft helps organisations implement overlapping controls efficiently.
Frequently Asked Questions
Q: Which organisations must comply with CERT-In directions?
All service providers, intermediaries (including cloud services, VPN providers, data centres), body corporates, and government entities operating in India. There is no size threshold — even SMBs fall under these directions if they qualify as “intermediaries” under the IT Act.
Q: What are the 20 incident categories CERT-In requires reporting for?
The 20 categories include: targeted scanning/probing, compromised IT systems, malicious code deployment, attacks on critical infrastructure, DDoS attacks, DNS/BGP hijacking, phishing/BEC, ransomware, data breaches, rogue mobile apps, and more.
Q: How can Virajo AutoSoft help with CERT-In compliance?
Virajo AutoSoft provides CERT-In compliance gap assessments, SIEM deployment for log retention (180 days), NTP configuration, incident response plan development, EDR deployment for detection, and ongoing compliance monitoring services.