CERT-In's New Audit Guidelines Are Live Today: A 7-Day Action Plan for Indian SaaS Founders
CERT-In published CISG-2025-02 today (July 25, 2025) — a 69-page evidence-based audit framework. The 7-day internal sprint, third-party assessor pre-check, and audit-scope mapping for Indian SaaS founders.
Manvi
July 25, 202514 min read
0%
On July 25, 2025, CERT-In published the Comprehensive Cyber Security Audit Policy Guidelines (CISG-2025-02) — a 69-page document that, for the first time, defines what an Indian cybersecurity audit must cover, who can conduct it, and what evidence the auditor must collect. The big shift: CISG-2025-02 moves Indian audits from "checklist with screenshots" to "evidence with logs and timestamps." Sanjay Bahl (DG, CERT-In) framed it bluntly in the launch press: the new guidelines are designed to fix India's "checkbox" cybersecurity culture. If you are an Indian SaaS founder, this is the post you read this weekend so your next audit does not blow up your Q3 sales pipeline.
Jul 25, 2025
CISG-2025-02 published
69 pages
Audit framework document
Annual
Mandatory audit cadence
14+
Audit types named in scope
## The 60-Second Answer
CISG-2025-02 makes annual third-party cybersecurity audits the floor for Indian "public and private enterprises," with sectoral regulators (RBI, IRDAI, SEBI) free to demand higher cadence. The audit must be conducted by a CERT-In empanelled assessor against named domains: compliance, risk assessment, vulnerability assessment, penetration testing, source code review, application security testing, red team, cloud security, IoT security, AI system audit, and the various BOMs (SBOM, AIBOM, HBOM, QBOM, CBOM). The 7-day internal sprint below gets you ready before you write the procurement RFP for the assessor.
## Why This Matters Now
Indian audits have historically been a checkbox exercise — a 30-page report with red-amber-green dots, screenshots of MFA being on for one user, and a recommendation to "implement EDR in the next year." CISG-2025-02 explicitly targets this. The new framework requires the auditor to collect (a) evidence not just attestations, (b) logs not just configurations, and (c) repeatable test results not just opinions. That changes the work the audited entity has to do BEFORE the audit, because evidence-based audits fail loudly when the audited entity cannot produce the artefacts on request.
The second reason this matters now: cyber-insurance brokers have already started referencing CISG-2025-02 in their renewal questionnaires. Three of our SaaS clients received updated questionnaires from Tata AIG, ICICI Lombard, and HDFC ERGO in the week ending July 24 — all citing the new framework.
## The 14 Audit Types Named In CISG-2025-02
📋
Compliance audit
Mapping your controls to ISO 27001, SOC 2, PCI-DSS, sectoral regulator requirements. Documentation-heavy.
⚠️
Risk assessment
Threat modelling, asset criticality, residual risk. Annual minimum, more if your stack changes.
🔍
Vulnerability assessment
Authenticated and unauthenticated scans of every internet-facing IP and every internal subnet.
🛠️
Penetration testing
Black-box and grey-box testing of web apps, APIs, mobile apps. Manual + tooling.
🌐
Network infrastructure audit
Firewall rules, segmentation, VPN posture, BGP/OSPF hygiene if you run your own AS.
📜
IT security policy review
Are policies current, communicated, enforced? When did the AUP last get a board review?
💻
Source code review
Static analysis, secret scanning, dependency review. SAST + SCA on every production repo.
📱
Application security testing
DAST, API testing, mobile app testing. OWASP Top 10 + ASVS Level 2 expected for any production SaaS.
🥷
Red team assessment
Goal-based adversary simulation. Optional for most SMBs, mandatory if you handle financial or PII data at scale.
☁️
Cloud security testing
CSPM-style review of AWS, Azure, GCP. IAM, encryption, public buckets, key management.
📡
IoT security testing
Firmware analysis, default-cred audit, OTA update integrity. Relevant if your SaaS ships with hardware endpoints.
🤖
AI system audit
Training data provenance, model evaluation, prompt-injection resilience, output filtering. New domain in CISG-2025-02.
## The 7-Day Internal Sprint (Run This Before You Hire An Assessor)
Hiring a CERT-In empanelled assessor without internal prep is expensive — they bill ₹15,000-₹35,000/day, and they will sit waiting for your team to produce evidence. The 7-day internal sprint produces the evidence pack so the assessor's days are spent assessing, not waiting.
1
Day 1 (Mon) — Asset inventory
List every server, database, SaaS subscription, repo, and third-party integration that touches production data. A spreadsheet works. Columns: name, owner, criticality (high/medium/low), data classification (PII / financial / internal / public).
2
Day 2 (Tue) — Policy pack assembly
Acceptable Use Policy, Information Security Policy, Incident Response Plan, Access Control Policy, BCP/DR, Data Retention Policy. If a policy is more than 18 months old without review, mark it stale and put a date on the calendar to refresh.
3
Day 3 (Wed) — Evidence collection: identity
Export: list of all admin users (across M365, AWS/GCP, GitHub, production DB), MFA status per user, last sign-in per user, OAuth-app inventory, service-principal sign-in logs for the last 90 days.
4
Day 4 (Thu) — Evidence collection: technical
Export: latest Nessus or Qualys scan, latest SAST/SCA report (e.g. Semgrep, Snyk), backup-restore test logs from the last 90 days, EDR coverage report, firewall rule snapshot.
5
Day 5 (Fri) — Vendor + third-party file
For every vendor with access to production data: name, what they access, contractual SLA on breach notification, last attestation (SOC 2 letter, ISO cert, or self-attestation), date of last review.
6
Day 6 (Sat) — Incident log + lessons
Pull the last 12 months of security incidents (suspected phishing, account compromise, dependency CVEs, etc.). For each: timeline, root cause, remediation, evidence of remediation. Even "low severity" incidents count.
7
Day 7 (Sun) — Self-assessment + gap list
Walk the asset inventory + evidence pack against the CISG-2025-02 audit-type list. For each domain, mark "have evidence", "partial evidence", or "no evidence". The "no evidence" rows are the discovery items for the assessor.
## How To Pick A CERT-In Empanelled Assessor
CERT-In maintains a public list of empanelled auditors — currently 152 firms across India. Three filters that matter for SaaS founders:
Filter
What to look for
Red flag
Domain depth
Firm has named projects in your sector (fintech, edtech, e-commerce, SaaS B2B)
Generic "we audit everyone" pitch with no sector references
Methodology
Maps deliverables to specific CISG-2025-02 audit types and provides log-level evidence schedules
Templated reports, "we use industry standard methodology" with no specifics
Team named
Lead auditor + senior engineer assigned by name with CV/cert references
"Our team" pitch with no individuals named
Pricing
Day-rate + scope-based, with deliverable schedule
Single annualised number with no scope discussion
Tooling
Names the tools used (Burp, Nessus, Semgrep, custom) and shares sample reports under NDA
Refuses to discuss tooling "for confidentiality reasons"
For a 50-200 staff Indian SaaS, the typical first-time CISG-2025-02-aligned audit is ₹4-9 lakh and takes 4-8 weeks. Annual recurring audits are 60-70% of the first-year price.
## What CISG-2025-02 Adds That Was Not Required Before
## A Real Example: 60-Staff Bengaluru SaaS, July 2025
A B2B SaaS client (60 staff, ARR ~₹14 cr) handles HR + payroll data for Indian SMBs. Their last audit (July 2024) was a 22-page report with 3 findings, all "implemented." When CISG-2025-02 dropped, the CTO asked us to re-baseline against the new framework. We ran the 7-day internal sprint with their team. The gap list: no AI system audit (they ship a payroll-classification ML model, never tested), no AIBOM (model and training data undocumented), no source code review for the last 14 months (last one was for SOC 2), evidence pack for vendor management was 9 months stale. Total estimated rework before next audit: 14 engineering days + ₹2.4 lakh in tooling + ₹6 lakh for the empanelled auditor. Stack ranked highest-leverage first: AIBOM (covered by our August 26 SBOM/AIBOM post), then source-code review, then vendor file refresh.
## Common Mistakes Indian SaaS Founders Make On First Audit
Picking the cheapest empanelled assessor. A ₹2 lakh audit and a ₹6 lakh audit produce different reports. The cheap report passes you internally and fails you when an enterprise customer asks for it during procurement. Pay for the one that finds things.
Treating the audit as a one-shot project. CISG-2025-02 explicitly anticipates continuous monitoring between audits. If the assessor finds 12 issues in July, you cannot wait until the next July to fix them — the broker, the customer, and the regulator all expect a remediation timeline within 30-60 days.
Skipping the AI system audit because "we just use OpenAI." If your SaaS sends customer data to a third-party LLM, the AI system audit covers the data-handling chain, the prompt sanitisation, the output filter, and the contractual posture with the LLM vendor. "We use OpenAI" is the start of the audit, not the end of it.
## Pre-Audit Self-Assessment Checklist
Asset inventory exported and dated within the last 7 days
Policy pack: AUP, ISP, IRP, Access Control, BCP/DR, Data Retention — all reviewed within 18 months
Identity evidence: admin list, MFA status, OAuth-app inventory, service principal logs (90 days)
Self-assessment vs CISG-2025-02 audit-type list complete with gap labels
Empanelled assessor shortlist of 3 firms with sector references checked
Budget approved for first-year audit + remediation reserve
Calendar invite for next-year audit set 12 months out
## When CISG-2025-02 Does Not Apply To You (Yet)
The 69-page document is the framework; sectoral regulators turn it into binding obligation. As of July 2025, you are most directly bound if you are (a) a regulated entity under RBI, IRDAI, SEBI, or a similar body that has historically required CERT-In empanelled audits, (b) a critical information infrastructure (CII) or protected system per the IT Act, (c) a vendor to government departments via GeM, or (d) a SaaS firm whose enterprise customers have already started referencing CISG-2025-02 in their vendor questionnaires.
If you are a 15-staff SaaS with consumer customers and no regulated data, CISG-2025-02 is a forward-looking signal not an immediate obligation. Run the 7-day internal sprint anyway — it tightens your stack and you will need it within 12 months as your customer base shifts upmarket.
If you only do one thing this week: run Day 1 of the sprint. The asset inventory is 4 hours of work and is the foundation of every audit conversation that follows. Founders who skip this end up writing it under deadline pressure during the actual audit.
## A Common Question We Get About Audit Frequency
> "We just passed SOC 2 Type II. Do we still need a CISG-2025-02 audit?"
Probably yes, with negotiation. SOC 2 is a private attestation framework popular with US enterprise buyers. CISG-2025-02 is an Indian regulatory framework for the Indian operating environment. Many controls overlap (access management, encryption, change control, incident response), so a competent CERT-In empanelled assessor will accept a recent SOC 2 report as evidence for those overlapping domains and focus their work on the India-specific add-ons (AI system audit, AIBOM, sectoral cadence, CERT-In incident reporting). Net effect: the second audit is 40-60% cheaper than the first if you sequence them well. Our security and engineering team has run this exact bridging exercise for two SOC 2 attested clients in 2025 — saved them roughly ₹5 lakh apiece on the CISG-2025-02 baseline.
## FAQ
### Is CISG-2025-02 mandatory for all Indian companies?
The framework is mandatory for entities that fall under sectoral regulators that have adopted it (RBI, IRDAI, SEBI), CII/protected systems under the IT Act, and government suppliers. For other entities, CISG-2025-02 is a strongly recommended baseline that procurement, insurance, and enterprise customers are already using as a de-facto requirement. Treat it as binding within 12-18 months.
### How much does a first-time CISG-2025-02 audit cost?
For a 50-200 staff Indian SaaS, ₹4-9 lakh for a competent CERT-In empanelled assessor over 4-8 weeks. Annual recurring audits are 60-70% of first-year. Below 50 staff, ₹2-4 lakh is feasible if scope is well-defined. Above 500 staff, the number can run to ₹15-25 lakh depending on red-team scope.
### Who is on the empanelled assessor list?
CERT-In maintains 152 empanelled firms as of July 2025. The list spans large consultancies (Deloitte, EY, KPMG, PwC), specialist firms (NII Consulting, Lucideus, Net-Square), and smaller boutiques. Pick by sector depth and methodology, not by brand recognition.
### Does CISG-2025-02 require a Data Protection Officer?
No, that is a DPDP Act requirement. CISG-2025-02 is an audit framework, not a data-protection framework. They are complementary — your DPDP Act DPO will be the named contact for many audit conversations.
### How do CISG-2025-02 and the SBOM/AIBOM guidelines interact?
CISG-2025-02 references the BOM frameworks as part of the audit scope. If you are subject to the audit, your SBOM, AIBOM, and any other applicable BOMs (HBOM, QBOM, CBOM) will be in scope. See our August 26 follow-up post for the BOM-specific compliance sprint.
### What counts as "evidence" under the new framework?
Logs with timestamps, configuration exports with version control, signed attestations from named individuals, screenshots tied to specific test runs (not generic), and tool output (e.g. Nessus, Burp, Semgrep) with the scan date. A statement from the CTO that "we have MFA on" is not evidence; an export from Microsoft Entra showing 100% MFA enrollment as of July 24, 2025 is.
### How does this interact with cyber-insurance?
Brokers (Tata AIG, ICICI Lombard, HDFC ERGO, Bajaj Allianz) are already updating renewal questionnaires to reference CISG-2025-02 evidence. Demonstrating an empanelled-assessor audit, even a partial one, reduces premiums in our experience by 8-15% on renewals after July 2025. Our founder Vivek Singh tracks regulator-broker alignment in his weekly cybersec digest.
Need a CERT-In compliance audit?
Our security and engineering team runs the 7-day internal sprint, helps you shortlist empanelled assessors, and stays on the call during the audit to translate finding-to-remediation. Fixed scope, ₹1.4-3.2 lakh depending on company size. The first call is with Manvi, our QA and security lead. Related reading: DPDP Act rules action plan, SharePoint vendor audit, Radiant Finance compliance case study.