Centre ramps up cybersecurity scrutiny: Ministries, PSUs told to comply with new audit guidelines

MeitY pushes for annual cybersecurity audits across government entities.

By Storyboard18 | Aug 7, 2025 1:26 PM

MeitY's memorandum underscores the growing threat landscape and the need for structured, regular audits to identify vulnerabilities and comply with security regulations.

The Centre has asked all ministries, state governments, public sector units (PSUs), and government-funded institutions to align with India’s newly introduced cybersecurity audit guidelines, significantly tightening oversight of digital risk management across the public sector.

In an office memorandum dated July 29, according to a Moneycontrol report, the Ministry of Electronics and Information Technology (MeitY) directed all concerned entities to take “necessary action” in accordance with the Comprehensive Cyber Security Audit Policy Guidelines, issued by the Indian Computer Emergency Response Team (CERT-In) on July 25.

In July, CERT-In empaneled 200 cybersecurity organizations for carrying out these audits. The comprehensive CERT-In guidelines serve two purposes. Firstly, they assist organizations being audited (auditees) in preparing for audits, understanding requirements, and addressing deficiencies. This helps ensure that their cyber security measures align with industry standards and regulations, enabling proactive improvement of security practices. Secondly, the guidelines provide auditing organizations with a structured framework to conduct rigorous, fair, and transparent cyber security audits. They outline the auditor’s responsibilities, methodologies, and best practices, enabling them to provide independent, impartial and constructive recommendations that strengthen the auditee’s cyber security.

MeitY's latest memorandum underscores the growing threat landscape and the need for structured, regular audits to identify vulnerabilities, strengthen defenses, and comply with security regulations. It calls for every government body, be it a ministry, PSU, or department, to treat the guidelines as mandatory for ensuring national cyber resilience.

“With the increasing number of cyber threats and the need for robust protection measures in today’s digital landscape, cybersecurity is a major concern for enterprises,” the memo reportedly stated.

CERT-In earlier issued the necessary guidelines for setting up State/sectoral Computer Security Incident Response Teams (CSIRTs). Sector-specific CSIRTs, such as the CSIRT in the Finance sector (CSIRT-Fin) and the CSIRT in the Power sector (CSIRT-Power), are operational to coordinate cyber security issues and improve cyber resilience within their respective sectors.

Additionally, the Centre for Development of Advanced Computing (C-DAC) has developed a range of indigenous cyber security tools in mobile security, forensics, log collection and analytics, etc., to reduce reliance on foreign solutions.

CERT-In has also formulated a Cyber Crisis Management Plan (CCMP) for all government bodies to counter cyber-attacks and cyber-terrorism. The CCMP provides a strategic framework to coordinate recovery from a cyber-crisis and enhance resilience.

In addition, guideline documents and templates have been published to assist the development and implementation of state-level/sectoral Crisis Management Plans.

While CERT-In’s framework does not spell out penalties for non-compliance, it does make it mandatory for agencies to implement audit recommendations within a defined timeframe and report compliance.

First Published on Aug 7, 2025 1:33 PM
