We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / CERT-In Directions
CERT-In, MeitY · India

CERT-In Directions (Cyber Incident Reporting)

CERT-In’s directions on incident reporting, log retention and security practices.

Introduction: The CERT-In Cyber Incident Reporting Directions

On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), issued a set of Directions under sub-section (6) of Section 70B of the Information Technology Act, 2000. These Directions, formally numbered 20(3)/2022-CERT-In, fundamentally reshaped the cyber incident reporting and cyber-hygiene obligations of virtually every organisation that operates a computer system in or serving India. Unlike aspirational best-practice frameworks, the CERT-In Directions are legally binding, carry penal consequences for non-compliance, and impose some of the shortest breach-notification timelines in the world.

This guide is an auditor-grade deep-dive intended for Chief Information Security Officers (CISOs), Data Protection Officers, IT and infrastructure heads, managed service providers, data centres, cloud and VPS providers, virtual asset service providers, and the compliance and internal-audit teams that assure them. It walks through the letter and the operational intent of the Directions, the accompanying Frequently Asked Questions (FAQ) that CERT-In published on 18 May 2022, and the practical control set an assessor must verify. The aim is to help you move from a vague awareness that a six-hour reporting rule exists to a defensible, evidence-backed compliance posture that can withstand scrutiny during a CERT-In audit or a post-incident inquiry.

Source and copyright note
The CERT-In Directions dated 28.04.2022 and the associated FAQ are official Government of India publications issued by CERT-In / MeitY. This guide is original explanatory and advisory content authored by CyberSigma; it paraphrases and interprets the obligations for practitioner use and does not reproduce the verbatim text of the Directions or the FAQ. Always read the official CERT-In Directions and any subsequent amendments or clarifications on the CERT-In website (cert-in.org.in) as the authoritative and legally operative source. Where this guide and the official text differ, the official text prevails.

What are the CERT-In Directions?

CERT-In is the national nodal agency for responding to cyber security incidents, designated under Section 70B of the IT Act, 2000. That section empowers CERT-In not only to collect, analyse and disseminate information on cyber incidents, but also to issue directions and call for information from service providers, intermediaries, data centres, body corporates and any other person. The April 2022 Directions are the most consequential exercise of that power to date, because they convert a previously discretionary and often-ignored reporting regime into a mandatory, time-bound and audit-enforced obligation.

The Directions are best understood as six distinct but interlocking obligations bundled into a single instrument. First, mandatory reporting of a specified list of cyber incidents to CERT-In within six hours of noticing or being brought to notice. Second, mandatory synchronisation of all ICT system clocks to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to traceable NTP sources synchronised with them. Third, mandatory retention of ICT logs for a rolling period of 180 days within Indian jurisdiction. Fourth, an obligation on data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to maintain specified customer registration (Know-Your-Customer style) data for five years. Fifth, an obligation on virtual asset service providers, virtual asset exchange providers and custodian wallet providers to maintain KYC and transaction records for five years. Sixth, the appointment and registration of a point of contact (PoC) with CERT-In to interface on these matters.

The Directions came into force sixty days from issuance, that is on 27 June 2022, giving entities a short runway to operationalise them. For micro, small and medium enterprises (MSMEs) and for certain aspects, CERT-In subsequently extended timelines to 25 September 2022 through a clarification. The reporting, clock-synchronisation and PoC obligations, however, applied broadly from the outset.

Why this matters
Non-compliance with a lawful CERT-In Direction is not a mere governance lapse. Under Section 70B(7) of the IT Act, failure to provide the called-for information or to comply with a direction is punishable with imprisonment for a term which may extend to one year, or with a fine which may extend to one lakh rupees, or both. Compliance is therefore a legal duty, not an optional maturity target.

Who must comply?

The scope of the Directions is deliberately broad. CERT-In cast the net over the entire connected ecosystem rather than a narrow category of critical entities. In broad terms, the reporting, clock-synchronisation, log-retention and PoC obligations apply to every service provider, intermediary, data centre, body corporate and government organisation. The five-year customer-data retention obligations apply to a narrower set of infrastructure and virtual-asset providers. The table below summarises the principal categories and which obligations bite for each.

Entity categoryKey obligations that apply
Service providers, intermediaries and body corporates (general)6-hour incident reporting; NTP clock synchronisation; 180-day ICT log retention; PoC registration; enable and maintain logs
Data centresAll of the above, plus 5-year retention of subscriber/customer registration (KYC-style) records; validated names, addresses, contact details, ownership pattern
Virtual Private Server (VPS) providersAll general obligations, plus 5-year customer registration data (IP allotted, email, purpose, validated address and contact)
Cloud service providersAll general obligations, plus 5-year customer registration data for hired resources
Virtual Private Network (VPN) service providersAll general obligations, plus 5-year customer registration data (subscriber names, hired IPs, usage patterns, validated addresses and contact numbers)
Virtual asset service providers, exchange and custodian wallet providersAll general obligations, plus 5-year KYC and transaction records enabling identification of counterparties and beneficiaries
Government organisations and public-sector undertakings6-hour reporting; clock synchronisation; log retention; PoC; typically also bound by additional CERT-In and NCIIPC guidance
Managed Security Service Providers (MSSPs) and IT outsourcersReporting and log obligations for systems they operate on behalf of clients; contractual flow-down of the customer's CERT-In duties

Two points on scope deserve emphasis. First, there is no small-organisation carve-out from the core reporting and hygiene duties; a start-up with a single production server is as bound to report a ransomware event within six hours as a large bank. Second, the obligations follow the system, not merely the corporate headquarters, so foreign entities operating computer resources located in, or offering services to users in, India fall within reach.

Structure of the CERT-In Directions

The Directions are not organised into numbered control families in the manner of ISO 27001 Annex A or the NIST Cybersecurity Framework. Instead they comprise a preamble grounded in Section 70B, followed by a series of operative paragraphs, each imposing a specific duty, together with an Annexure listing the reportable incident types. For assessment purposes it is useful to reframe these operative paragraphs into logical control domains. The table below presents that reframing, mapping each domain to the underlying Direction and to the principal obligation it creates.

Control domainUnderlying Direction / paragraph and obligation
D1 - Incident reportingMandatory reporting of Annexure incident types to CERT-In within 6 hours of noticing; report by email, phone or the CERT-In web portal
D2 - Reportable incident taxonomyThe Annexure enumerating the categories of cyber incidents that must be reported
D3 - Clock synchronisationConnect and synchronise all ICT system clocks to NIC/NPL NTP servers or traceable, synchronised alternates
D4 - Log retention and jurisdictionEnable logs of all ICT systems and maintain them securely for 180 days within Indian jurisdiction; provide to CERT-In on order
D5 - Point of contact and cooperationDesignate a PoC, register with CERT-In, and provide information / assistance on cyber incidents and cyber-security when ordered
D6 - Data centre / VPS / cloud / VPN KYC retentionMaintain accurate validated customer registration information for 5 years or longer as mandated, even after cancellation
D7 - Virtual asset KYC and transaction recordsMaintain KYC and financial transaction records for 5 years to enable tracing and law-enforcement cooperation
D8 - Ongoing cooperation and directionsComply with subsequent orders, safeguards, and requests for action, information and assistance from CERT-In

These eight domains form the spine of the master assessment checklist that follows. An assessor should treat each as a discrete area requiring its own evidence, control owner and test procedure.

Master assessment checklist

This is the operational heart of the guide. For each control domain we set out the specific requirements an auditor must verify and the typical evidence that demonstrates conformance. Every domain in the structure above is covered; none is skipped. Where a requirement applies only to a subset of entities (for example the five-year KYC retention for infrastructure providers) that is called out. Assessors should record for each line item a status of Compliant, Partially Compliant, Non-Compliant or Not Applicable, with a supporting evidence reference.

D1 - Incident reporting within six hours

What to verifyTypical evidence
A documented incident-reporting procedure exists that mandates notification to CERT-In within 6 hours of noticing a reportable incidentIncident response plan / SOP; version-controlled policy document with owner and approval date
The procedure identifies the reporting channels (CERT-In email incident@cert-in.org.in, phone helpdesk, and the web portal) and the required report formatRunbook screenshots; CERT-In contact details embedded in the SOP; sample completed reporting form
A demonstrable capability to detect reportable incidents within a timeframe that makes 6-hour reporting feasible (monitoring, SIEM, alerting)SIEM / monitoring configuration; alerting rules; on-call rota; mean-time-to-detect metrics
Past reportable incidents were in fact reported within 6 hours, with evidence of the submissionCERT-In acknowledgement emails / ticket numbers; incident log with detection and reporting timestamps
The report captures the mandated fields (time of occurrence, affected systems, symptoms, incident type per Annexure, impact)Copies of submitted reports; incident record templates
Escalation and decision authority for the reporting decision is defined so that no incident stalls awaiting sign-offRACI matrix; delegation-of-authority document naming who may authorise a CERT-In report out-of-hours
Reporting is triggered whether the incident is self-detected or brought to notice by a third party (customer, CERT-In, researcher)Procedure text covering third-party notifications; intake process for external reports

D2 - Reportable incident taxonomy (Annexure)

The Annexure to the Directions lists the categories of incidents that are mandatorily reportable. This list is significantly broader than a traditional 'material data breach' threshold; it includes many events that other regimes would treat as informational. The assessor must confirm that the organisation's incident classification logic maps cleanly to every Annexure category so that reportable events are not misclassified as internal-only.

What to verifyTypical evidence
Incident classification scheme explicitly maps to each Annexure category: targeted scanning/probing of critical systems and networksClassification taxonomy document cross-referenced to the Annexure
Compromise of critical systems / information and unauthorised access to IT systems and data is a defined reportable classCategory definitions in the IR plan; detection use-cases per category
Defacement of websites and intrusions such as malicious code insertion are coveredWeb-defacement monitoring; file-integrity monitoring alerts
Malicious code attacks (ransomware, virus, worm, trojan, spyware, cryptominers) are coveredEDR/anti-malware alerting mapped to reporting workflow
Attacks on servers (database, mail, DNS) and network devices (routers) are coveredAsset-to-category mapping; server and network monitoring
Identity theft, spoofing and phishing attacks are coveredPhishing intake / abuse mailbox; brand-abuse monitoring
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are coveredDDoS mitigation logs and alerting thresholds
Attacks on critical infrastructure, SCADA, operational technology and wireless networks are covered where relevantOT/ICS monitoring; wireless intrusion detection
Attacks on applications (e-governance, e-commerce) and data breaches / data leaks are coveredApplication security monitoring; DLP alerts
Attacks on IoT devices, and on systems related to Big Data, Blockchain, virtual assets, robotics, 3D/4D printing, drones is covered where applicableCoverage statement for emerging-technology assets in scope
Fake mobile apps and attacks on cloud/hosted infrastructure are treated as reportableApp-store monitoring; cloud security posture alerts
Unauthorised access to social media accounts is treated as reportableSocial-media account governance and monitoring

D3 - Clock synchronisation to NIC/NPL NTP

What to verifyTypical evidence
All servers, network devices, security appliances and endpoints synchronise their clocks to NIC (samay.nic.in) or NPL NTP sources, or to internal NTP servers themselves synced to those sourcesNTP configuration files; group policy / MDM time settings; network time architecture diagram
A defined NTP hierarchy exists (stratum design) so that internal time servers trace back to NIC/NPLNTP topology document; output of ntpq / chronyc showing upstream peers
Time drift is monitored and alerts fire on loss of synchronisationMonitoring dashboards for time offset; alert history
Where alternate NTP sources are used, they are traceable to and do not deviate from NIC/NPL timeJustification note; comparison logs demonstrating traceability
Log and event timestamps across systems are consistent, supporting reliable forensic correlationCross-system timestamp comparison from correlated log samples
The timezone standard (IST) is applied consistently for reporting and log correlationSystem configuration showing IST; documented convention

D4 - Log retention within Indian jurisdiction (180 days)

What to verifyTypical evidence
Logging is enabled across all ICT systems (servers, network, security devices, applications, databases)Logging configuration baselines; log source inventory in the SIEM
Logs are retained securely for a rolling 180 days minimumRetention policy; log storage sizing; retention configuration in SIEM/log store
Logs are maintained within Indian jurisdiction (stored in India or accessible and producible from within India)Data-residency evidence; storage location attestation; cloud region configuration
Log integrity is protected against tampering (write-once, hashing, access control)WORM storage config; log signing/hashing; access-control lists for log stores
Logs can be produced to CERT-In promptly on lawful orderLog-export procedure; documented retrieval SLA; sample export
Coverage includes authentication, access, administrative actions, network flows, and security-relevant eventsSample log records demonstrating event coverage per source type
Backup and disaster-recovery arrangements ensure the 180-day window survives an outage or attackBackup schedule for log data; immutability of backups; restore test evidence

D5 - Point of contact and cooperation with CERT-In

What to verifyTypical evidence
A named Point of Contact (PoC) is designated to interface with CERT-InAppointment memo; PoC name, designation and contact details
The PoC details have been formally registered / communicated to CERT-In in the required formatRegistration submission; CERT-In acknowledgement
The PoC details are kept current and re-submitted on any changeChange-management record; updated registration
A deputy / alternate PoC exists to ensure 24x7 reachabilityAlternate PoC appointment; escalation contact tree
Procedures exist to respond to CERT-In orders for information, action or assistance within stipulated timeframesDocumented response procedure; log of past CERT-In interactions
The organisation cooperates with directed safeguards, response and recovery actions when orderedRecords of actions taken in response to CERT-In directions/advisories

D6 - Data centre / VPS / cloud / VPN customer data retention (5 years)

This domain applies specifically to data centres, VPS providers, cloud service providers and VPN service providers. Assessors working with such entities must verify accurate, validated customer records are captured and retained for five years, even after a customer relationship ends.

What to verifyTypical evidence
Validated customer names and complete addresses are captured at onboardingKYC/onboarding records; validation process documentation
Contact numbers, email addresses and (for subscribers) ownership pattern / purpose of hiring are recordedSample subscriber records with mandated fields populated
IP addresses allotted to / used by the subscriber and the period of allotment are recordedIP allocation register; DHCP/assignment logs correlated to subscriber
The registration data is validated (not merely self-declared) using a defined verification methodValidation SOP; evidence of document / identity checks
Records are retained for at least 5 years and retained even after cancellation or withdrawal of serviceRetention policy; archive of terminated-customer records showing retention
The data is stored securely with access controls and is producible to CERT-In on orderAccess-control configuration; retrieval procedure; sample lawful-request response

D7 - Virtual asset KYC and transaction records (5 years)

This domain applies to virtual asset service providers, virtual asset exchange providers and custodian wallet providers. It aligns closely with financial KYC/AML expectations.

What to verifyTypical evidence
KYC of every customer is performed at onboarding following recognised norms (e.g., RBI-style KYC, PMLA aligned)KYC policy; sample onboarded-customer KYC packs
Records enabling identification of parties to each transaction are maintainedTransaction ledgers linking wallet addresses to verified identities
Records include nature, amount, date and parties (individual/beneficiary) of transactionsTransaction record samples with mandated fields
All records are retained for a minimum of 5 yearsRetention policy; archived records demonstrating the retention window
Records are producible to CERT-In and law-enforcement on lawful orderRetrieval SOP; log of past disclosures
Suspicious activity and reporting linkages to FIU-IND / AML obligations are maintained where applicableSTR/SAR procedures; AML programme documentation

D8 - Ongoing cooperation, safeguards and directions

What to verifyTypical evidence
The organisation monitors CERT-In advisories, vulnerability notes and directions and actions themRegister of CERT-In advisories received and closure status
A process exists to implement directed safeguards / response actions within required timeframesChange / action tracker mapped to CERT-In directions
Evidence of past compliance with specific CERT-In requests is retainedCorrespondence archive; closure evidence
Awareness of the penal consequences of non-compliance (Section 70B(7)) is embedded in governanceGovernance / board briefing records; compliance obligation register

Scoping the assessment

Scoping a CERT-In Directions assessment is about determining which of the eight domains apply, and to which systems and business units. Because the core reporting, clock, log and PoC duties apply universally, the scoping question is rarely 'do the Directions apply?' but rather 'which additional obligations apply and where do the in-scope ICT systems sit?'.

  • Establish the legal footprint: identify every computer resource operated by, or on behalf of, the entity that is located in India or serves Indian users, since the Directions reach both.
  • Classify the entity type: general body corporate versus data centre / VPS / cloud / VPN provider versus virtual asset service provider, to determine whether D6 or D7 apply.
  • Inventory all ICT systems that generate security-relevant logs and require clock synchronisation, including cloud workloads, SaaS-adjacent infrastructure, OT/ICS and IoT where present.
  • Map data flows and storage locations to confirm log data and customer records can be retained within Indian jurisdiction and produced on order.
  • Identify outsourced and managed services (MSSPs, hosting, cloud) and confirm contractual flow-down of reporting, logging and cooperation duties.
  • Define what is out of scope with documented justification (for example, personal devices not connected to corporate systems), avoiding under-scoping that would leave reportable systems uncovered.
  • Confirm ownership: for shared-responsibility cloud models, document which party (customer or provider) is responsible for each control.
Scoping pitfall
The most common scoping error is treating the Directions as a data-privacy or breach-only obligation and scoping only systems holding personal data. The Annexure is technology- and event-centric, not personal-data-centric: a DDoS attack, a website defacement or a compromised social-media account are all reportable even if no personal data is involved. Scope by ICT system and event type, not by data sensitivity alone.

Implementation approach

A structured, phased implementation converts the Directions from a compliance shock into an embedded operating capability. The following four phases move an organisation from unaware to audit-ready, each with concrete activities and deliverables.

Phase 1 - Discover and baseline (Weeks 1-3)

  • Activities: confirm entity classification and applicable domains; inventory ICT systems, log sources and time sources; assess current reporting readiness against the six-hour standard; identify data-residency gaps for logs and customer records.
  • Deliverables: applicability determination memo; ICT and log-source inventory; NTP/time-source map; gap-assessment report against all eight domains; risk-ranked remediation backlog.

Phase 2 - Foundational controls (Weeks 3-8)

  • Activities: designate and register the PoC and alternate with CERT-In; configure NTP synchronisation to NIC/NPL across the estate; enable and centralise logging; establish 180-day retention within Indian jurisdiction; draft the incident-reporting SOP with the six-hour trigger.
  • Deliverables: CERT-In PoC registration acknowledgement; NTP architecture implemented and monitored; centralised log store with retention configured; approved incident-reporting SOP and Annexure-mapped classification taxonomy.

Phase 3 - Operationalise and rehearse (Weeks 8-14)

  • Activities: integrate detection with the reporting workflow; define out-of-hours escalation and reporting authority; run tabletop and live-fire drills that exercise the six-hour clock; implement five-year customer/KYC and transaction retention where D6/D7 apply; establish the CERT-In advisory intake process.
  • Deliverables: reporting playbooks per incident type; completed tabletop reports with timing metrics; validated retention archives; advisory register and action tracker.

Phase 4 - Assure and sustain (Ongoing)

  • Activities: conduct internal audits against the master checklist; track KPIs; review and re-register PoC changes; maintain evidence continuously; brief the board on obligations and penal exposure; refresh training.
  • Deliverables: periodic internal audit reports; KPI dashboard; refreshed evidence pack; management review minutes; sustained readiness state.

Maturity and capability model

Although the Directions impose a binary legal duty, a maturity lens is useful for tracking the journey and prioritising investment. The following five-level model helps an assessor characterise the current state of each domain and set improvement targets. Note that Levels 1 and 2 represent legal non-compliance; Level 3 is the minimum defensible state.

LevelCharacteristics
Level 1 - AbsentNo PoC registered, no reporting procedure, logs not retained or not in India, clocks unsynchronised. Legally non-compliant and exposed to penalty.
Level 2 - Ad hocSome logging and awareness exist, but no six-hour capability, informal or missing PoC, retention gaps. Non-compliant in practice.
Level 3 - DefinedPoC registered, documented SOPs, NTP synced, 180-day retention in India, Annexure-mapped classification. Baseline compliance achieved.
Level 4 - ManagedReporting rehearsed and measured, detection tuned to make six hours realistic, retention integrity assured, advisory actioning tracked with KPIs.
Level 5 - OptimisedAutomated detection-to-report pipelines, continuous evidence, integrated with wider ISMS (ISO 27001) and privacy (DPDP), proactive drills and metrics-driven improvement.

Assessment and audit approach

A rigorous assessment follows a repeatable sequence that combines documentation review, technical inspection and interview, and culminates in an evidenced findings report.

  1. Confirm applicability and scope: determine entity classification and which of the eight domains apply, and enumerate in-scope ICT systems and business units.
  2. Review governance artefacts: obtain the incident-reporting SOP, log-retention policy, NTP architecture, PoC registration and (where applicable) KYC/retention policies.
  3. Test D1-D2 reporting: walk through the reporting workflow, review past incident records and CERT-In acknowledgements, and verify Annexure-to-classification mapping.
  4. Inspect D3 clock synchronisation: sample device configurations and NTP query output to confirm traceability to NIC/NPL and monitor for drift.
  5. Inspect D4 logging: verify log sources, retention duration, Indian-jurisdiction storage, integrity controls and producibility.
  6. Verify D5 PoC and cooperation: confirm registration currency, alternate coverage and past cooperation with CERT-In requests.
  7. Verify D6/D7 retention where applicable: sample customer/KYC and transaction records for completeness, validation and five-year retention.
  8. Test D8 ongoing cooperation: review the advisory register and evidence of directed actions being implemented.
  9. Perform an operational drill: run or review a tabletop exercise measuring the elapsed time from simulated detection to CERT-In report, targeting well under six hours.
  10. Consolidate findings: rate each line item Compliant / Partial / Non-Compliant / Not Applicable, attach evidence references, and produce a prioritised remediation plan with owners and dates.

Evidence request list

Assemble the following categorised evidence in advance of any assessment or CERT-In inquiry. A well-organised evidence pack dramatically shortens both audits and post-incident response.

  • Governance and policy: incident-reporting SOP with six-hour trigger; log-retention policy; NTP/time-synchronisation policy; CERT-In obligation register; delegation-of-authority for out-of-hours reporting.
  • Point of contact: PoC and alternate appointment memos; CERT-In registration submission and acknowledgement; change records for PoC updates.
  • Incident reporting: incident register with detection and reporting timestamps; copies of submitted CERT-In reports; CERT-In acknowledgement emails / ticket numbers; Annexure-mapped classification taxonomy.
  • Detection and monitoring: SIEM configuration; alerting rules; on-call rota; mean-time-to-detect and mean-time-to-report metrics.
  • Clock synchronisation: NTP architecture diagram; device configuration samples; ntpq/chronyc output; time-drift monitoring evidence.
  • Log management: log-source inventory; retention configuration; data-residency attestation; log-integrity controls (WORM/hashing); log-export/producibility procedure and sample export; backup and restore-test evidence for log data.
  • Customer / KYC retention (D6/D7 entities): onboarding and validation SOP; sample customer/KYC records with mandated fields; IP allocation register; transaction ledgers; five-year retention archive including terminated customers.
  • Cooperation and advisories: CERT-In advisory register with closure status; correspondence archive; evidence of directed actions implemented.
  • Assurance: internal audit reports; tabletop exercise reports with timing metrics; management review minutes; training and awareness records; board briefing on penal exposure.

Roles and responsibilities

RoleResponsibilities under the CERT-In Directions
Board / senior managementAccept accountability for compliance and penal exposure; approve policy and resourcing; review compliance status periodically
CISO / Head of Information SecurityOwn the overall compliance programme; approve the incident-reporting SOP; ensure detection makes six-hour reporting achievable
CERT-In Point of Contact (and alternate)Interface with CERT-In; submit reports and registration; respond to CERT-In orders and advisories within timeframes
Security Operations / SOCDetect reportable incidents; classify against the Annexure; initiate the six-hour reporting workflow; maintain monitoring
IT / Infrastructure teamImplement and maintain NTP synchronisation, logging, 180-day retention and Indian-jurisdiction storage
Incident Response teamExecute IR playbooks; capture timestamps; ensure the reporting decision is made and actioned without delay
Legal / ComplianceTrack statutory obligations; advise on penal exposure; manage lawful-disclosure responses; maintain the obligation register
Data Centre / VPS / Cloud / VPN operations (where applicable)Capture and validate customer registration data; maintain five-year retention and producibility
Virtual asset compliance / AML (where applicable)Perform KYC; maintain transaction records; retain for five years; coordinate with FIU-IND / law enforcement
Internal AuditIndependently assess conformance against the master checklist; report findings and track remediation

KPIs to track

  • Mean time to detect (MTTD) a reportable incident, trended over time.
  • Mean time to report to CERT-In from detection, with the six-hour threshold as a hard ceiling.
  • Percentage of reportable incidents reported within six hours (target 100%).
  • Percentage of ICT systems synchronised to NIC/NPL NTP with zero unexplained time drift.
  • Percentage of in-scope log sources with 180-day retention within Indian jurisdiction (target 100%).
  • Log-integrity assurance rate (proportion of log stores with tamper-protection verified).
  • PoC registration currency (days since last verification/update; alternate coverage confirmed).
  • Number and closure rate of CERT-In advisories actioned within target timeframe.
  • For D6/D7 entities: percentage of customer/KYC records validated and retained for the full five years.
  • Tabletop/drill cadence and the elapsed detection-to-report time achieved in each exercise.
  • Number of overdue remediation items from the last internal audit.

Readiness checklist

  • Entity classification and applicable domains formally determined and documented.
  • CERT-In Point of Contact and alternate appointed and registered with CERT-In; acknowledgement retained.
  • Incident-reporting SOP with a six-hour trigger approved, published and rehearsed.
  • Incident classification taxonomy mapped to every category in the CERT-In Annexure.
  • Detection and monitoring capability sufficient to make six-hour reporting realistic and measured.
  • Out-of-hours escalation and reporting authority defined so no report stalls awaiting sign-off.
  • All ICT system clocks synchronised to NIC/NPL NTP with drift monitoring in place.
  • Logging enabled across all ICT systems and centralised.
  • Logs retained for 180 days within Indian jurisdiction with integrity protection and producibility.
  • Backup and restore of log data validated to protect the 180-day window.
  • For D6/D7 entities: validated customer/KYC and transaction records captured and retained for five years, including terminated customers.
  • CERT-In advisory intake and action-tracking process operating.
  • Evidence pack maintained continuously and internal audit performed against the master checklist.
  • Board briefed on obligations and Section 70B(7) penal exposure.

Common gaps

  • No registered PoC, or a PoC whose details have gone stale after a personnel change, leaving CERT-In unable to reach the organisation.
  • Reporting procedures that quote the six-hour rule but lack the detection capability to notice an incident within a timeframe that makes six hours achievable.
  • Treating the Directions as a personal-data breach obligation and under-scoping non-data events like DDoS, defacement and social-media compromise that are nonetheless reportable.
  • Logs retained for less than 180 days, or stored exclusively outside Indian jurisdiction with no producible copy in India.
  • Clock synchronisation configured to arbitrary public NTP pools with no traceability to NIC/NPL, undermining forensic timestamp correlation.
  • Log integrity unprotected, so logs could be tampered with and would not withstand scrutiny.
  • Out-of-hours reporting blocked by an approval bottleneck, causing the six-hour clock to expire before sign-off.
  • For infrastructure and virtual-asset providers, self-declared (unvalidated) customer data, or retention that purges records on customer exit rather than holding them for five years.
  • No rehearsal: the first time the reporting workflow is exercised is during a real incident, and timings blow past six hours.
  • Advisory fatigue: CERT-In advisories received but not tracked to closure, leaving directed safeguards unimplemented.

CERT-In Directions mapped to other frameworks

The CERT-In Directions do not exist in isolation. Most obligations can be satisfied by extending controls an organisation may already operate under ISO 27001, the NIST Cybersecurity Framework, the Digital Personal Data Protection Act 2023 and, for regulated entities, RBI or SEBI cyber frameworks. The table below maps each CERT-In domain to the nearest analogue in these frameworks to help teams reuse existing controls and evidence.

CERT-In domainNearest analogue in other frameworks
D1/D2 - Incident reporting and taxonomyISO 27001 A.5.24-A.5.28 (incident management); NIST CSF RESPOND (RS.CO communications); DPDP breach intimation to Data Protection Board; RBI/SEBI incident-reporting timelines
D3 - Clock synchronisationISO 27001 A.8.17 (clock synchronisation); NIST CSF PROTECT (PR.PT); PCI DSS Requirement 10.6 (time synchronisation)
D4 - Log retention and jurisdictionISO 27001 A.8.15/A.8.16 (logging and monitoring); NIST CSF DETECT (DE.AE, DE.CM); PCI DSS Requirement 10 (logging and 12-month retention)
D5 - PoC and cooperationISO 27001 A.5.5/A.5.6 (contact with authorities and special interest groups); NIST CSF GOVERN (GV.RR)
D6 - DC/VPS/cloud/VPN KYC retentionISO 27001 A.5.9/A.5.34 (asset and privacy); NIST CSF IDENTIFY (ID.AM); RBI/telecom KYC norms
D7 - Virtual asset KYC and transactionsPMLA / FIU-IND KYC-AML obligations; ISO 27001 A.5.34 (privacy and PII); FATF Travel Rule expectations
D8 - Ongoing cooperation and directionsISO 27001 A.5.5 (contact with authorities); NIST CSF GOVERN and IMPROVE (GV, ID.IM); threat-intelligence and advisory management
How CyberSigma helps
CyberSigma helps organisations move from awareness to defensible, audit-ready CERT-In compliance. Our CERT-In empanelled and PCI QSA practitioners run a full applicability and gap assessment against all eight domains, design and register your Point of Contact, engineer NIC/NPL clock synchronisation and 180-day in-jurisdiction log retention, and build an Annexure-mapped incident-reporting workflow that reliably beats the six-hour clock. We rehearse it with live-fire tabletop drills, stand up the five-year KYC and transaction retention required of infrastructure and virtual-asset providers, and integrate the whole programme with your ISO 27001, DPDP and RBI/SEBI obligations so a single control set satisfies many regulators. The result is continuous, evidence-backed readiness that withstands both a CERT-In audit and a real incident. Talk to CyberSigma to build your CERT-In Directions compliance programme.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

What is the CERT-In 6-hour rule?
The April 2022 directions require covered organisations to report specified cyber incidents to CERT-In within 6 hours of noticing or being made aware of them.
How long must logs be retained?
ICT system logs must be maintained securely for a rolling period of 180 days and stored within India.

Need help with CERT-In Directions?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.