Introduction: The CERT-In Cyber Incident Reporting Directions
On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In), operating under the Ministry of Electronics and Information Technology (MeitY), issued a set of Directions under sub-section (6) of Section 70B of the Information Technology Act, 2000. These Directions, formally numbered 20(3)/2022-CERT-In, fundamentally reshaped the cyber incident reporting and cyber-hygiene obligations of virtually every organisation that operates a computer system in or serving India. Unlike aspirational best-practice frameworks, the CERT-In Directions are legally binding, carry penal consequences for non-compliance, and impose some of the shortest breach-notification timelines in the world.
This guide is an auditor-grade deep-dive intended for Chief Information Security Officers (CISOs), Data Protection Officers, IT and infrastructure heads, managed service providers, data centres, cloud and VPS providers, virtual asset service providers, and the compliance and internal-audit teams that assure them. It walks through the letter and the operational intent of the Directions, the accompanying Frequently Asked Questions (FAQ) that CERT-In published on 18 May 2022, and the practical control set an assessor must verify. The aim is to help you move from a vague awareness that a six-hour reporting rule exists to a defensible, evidence-backed compliance posture that can withstand scrutiny during a CERT-In audit or a post-incident inquiry.
What are the CERT-In Directions?
CERT-In is the national nodal agency for responding to cyber security incidents, designated under Section 70B of the IT Act, 2000. That section empowers CERT-In not only to collect, analyse and disseminate information on cyber incidents, but also to issue directions and call for information from service providers, intermediaries, data centres, body corporates and any other person. The April 2022 Directions are the most consequential exercise of that power to date, because they convert a previously discretionary and often-ignored reporting regime into a mandatory, time-bound and audit-enforced obligation.
The Directions are best understood as six distinct but interlocking obligations bundled into a single instrument. First, mandatory reporting of a specified list of cyber incidents to CERT-In within six hours of noticing or being brought to notice. Second, mandatory synchronisation of all ICT system clocks to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to traceable NTP sources synchronised with them. Third, mandatory retention of ICT logs for a rolling period of 180 days within Indian jurisdiction. Fourth, an obligation on data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to maintain specified customer registration (Know-Your-Customer style) data for five years. Fifth, an obligation on virtual asset service providers, virtual asset exchange providers and custodian wallet providers to maintain KYC and transaction records for five years. Sixth, the appointment and registration of a point of contact (PoC) with CERT-In to interface on these matters.
The Directions came into force sixty days from issuance, that is on 27 June 2022, giving entities a short runway to operationalise them. For micro, small and medium enterprises (MSMEs) and for certain aspects, CERT-In subsequently extended timelines to 25 September 2022 through a clarification. The reporting, clock-synchronisation and PoC obligations, however, applied broadly from the outset.
Who must comply?
The scope of the Directions is deliberately broad. CERT-In cast the net over the entire connected ecosystem rather than a narrow category of critical entities. In broad terms, the reporting, clock-synchronisation, log-retention and PoC obligations apply to every service provider, intermediary, data centre, body corporate and government organisation. The five-year customer-data retention obligations apply to a narrower set of infrastructure and virtual-asset providers. The table below summarises the principal categories and which obligations bite for each.
| Entity category | Key obligations that apply |
|---|---|
| Service providers, intermediaries and body corporates (general) | 6-hour incident reporting; NTP clock synchronisation; 180-day ICT log retention; PoC registration; enable and maintain logs |
| Data centres | All of the above, plus 5-year retention of subscriber/customer registration (KYC-style) records; validated names, addresses, contact details, ownership pattern |
| Virtual Private Server (VPS) providers | All general obligations, plus 5-year customer registration data (IP allotted, email, purpose, validated address and contact) |
| Cloud service providers | All general obligations, plus 5-year customer registration data for hired resources |
| Virtual Private Network (VPN) service providers | All general obligations, plus 5-year customer registration data (subscriber names, hired IPs, usage patterns, validated addresses and contact numbers) |
| Virtual asset service providers, exchange and custodian wallet providers | All general obligations, plus 5-year KYC and transaction records enabling identification of counterparties and beneficiaries |
| Government organisations and public-sector undertakings | 6-hour reporting; clock synchronisation; log retention; PoC; typically also bound by additional CERT-In and NCIIPC guidance |
| Managed Security Service Providers (MSSPs) and IT outsourcers | Reporting and log obligations for systems they operate on behalf of clients; contractual flow-down of the customer's CERT-In duties |
Two points on scope deserve emphasis. First, there is no small-organisation carve-out from the core reporting and hygiene duties; a start-up with a single production server is as bound to report a ransomware event within six hours as a large bank. Second, the obligations follow the system, not merely the corporate headquarters, so foreign entities operating computer resources located in, or offering services to users in, India fall within reach.
Structure of the CERT-In Directions
The Directions are not organised into numbered control families in the manner of ISO 27001 Annex A or the NIST Cybersecurity Framework. Instead they comprise a preamble grounded in Section 70B, followed by a series of operative paragraphs, each imposing a specific duty, together with an Annexure listing the reportable incident types. For assessment purposes it is useful to reframe these operative paragraphs into logical control domains. The table below presents that reframing, mapping each domain to the underlying Direction and to the principal obligation it creates.
| Control domain | Underlying Direction / paragraph and obligation |
|---|---|
| D1 - Incident reporting | Mandatory reporting of Annexure incident types to CERT-In within 6 hours of noticing; report by email, phone or the CERT-In web portal |
| D2 - Reportable incident taxonomy | The Annexure enumerating the categories of cyber incidents that must be reported |
| D3 - Clock synchronisation | Connect and synchronise all ICT system clocks to NIC/NPL NTP servers or traceable, synchronised alternates |
| D4 - Log retention and jurisdiction | Enable logs of all ICT systems and maintain them securely for 180 days within Indian jurisdiction; provide to CERT-In on order |
| D5 - Point of contact and cooperation | Designate a PoC, register with CERT-In, and provide information / assistance on cyber incidents and cyber-security when ordered |
| D6 - Data centre / VPS / cloud / VPN KYC retention | Maintain accurate validated customer registration information for 5 years or longer as mandated, even after cancellation |
| D7 - Virtual asset KYC and transaction records | Maintain KYC and financial transaction records for 5 years to enable tracing and law-enforcement cooperation |
| D8 - Ongoing cooperation and directions | Comply with subsequent orders, safeguards, and requests for action, information and assistance from CERT-In |
These eight domains form the spine of the master assessment checklist that follows. An assessor should treat each as a discrete area requiring its own evidence, control owner and test procedure.
Master assessment checklist
This is the operational heart of the guide. For each control domain we set out the specific requirements an auditor must verify and the typical evidence that demonstrates conformance. Every domain in the structure above is covered; none is skipped. Where a requirement applies only to a subset of entities (for example the five-year KYC retention for infrastructure providers) that is called out. Assessors should record for each line item a status of Compliant, Partially Compliant, Non-Compliant or Not Applicable, with a supporting evidence reference.
D1 - Incident reporting within six hours
| What to verify | Typical evidence |
|---|---|
| A documented incident-reporting procedure exists that mandates notification to CERT-In within 6 hours of noticing a reportable incident | Incident response plan / SOP; version-controlled policy document with owner and approval date |
| The procedure identifies the reporting channels (CERT-In email incident@cert-in.org.in, phone helpdesk, and the web portal) and the required report format | Runbook screenshots; CERT-In contact details embedded in the SOP; sample completed reporting form |
| A demonstrable capability to detect reportable incidents within a timeframe that makes 6-hour reporting feasible (monitoring, SIEM, alerting) | SIEM / monitoring configuration; alerting rules; on-call rota; mean-time-to-detect metrics |
| Past reportable incidents were in fact reported within 6 hours, with evidence of the submission | CERT-In acknowledgement emails / ticket numbers; incident log with detection and reporting timestamps |
| The report captures the mandated fields (time of occurrence, affected systems, symptoms, incident type per Annexure, impact) | Copies of submitted reports; incident record templates |
| Escalation and decision authority for the reporting decision is defined so that no incident stalls awaiting sign-off | RACI matrix; delegation-of-authority document naming who may authorise a CERT-In report out-of-hours |
| Reporting is triggered whether the incident is self-detected or brought to notice by a third party (customer, CERT-In, researcher) | Procedure text covering third-party notifications; intake process for external reports |
D2 - Reportable incident taxonomy (Annexure)
The Annexure to the Directions lists the categories of incidents that are mandatorily reportable. This list is significantly broader than a traditional 'material data breach' threshold; it includes many events that other regimes would treat as informational. The assessor must confirm that the organisation's incident classification logic maps cleanly to every Annexure category so that reportable events are not misclassified as internal-only.
| What to verify | Typical evidence |
|---|---|
| Incident classification scheme explicitly maps to each Annexure category: targeted scanning/probing of critical systems and networks | Classification taxonomy document cross-referenced to the Annexure |
| Compromise of critical systems / information and unauthorised access to IT systems and data is a defined reportable class | Category definitions in the IR plan; detection use-cases per category |
| Defacement of websites and intrusions such as malicious code insertion are covered | Web-defacement monitoring; file-integrity monitoring alerts |
| Malicious code attacks (ransomware, virus, worm, trojan, spyware, cryptominers) are covered | EDR/anti-malware alerting mapped to reporting workflow |
| Attacks on servers (database, mail, DNS) and network devices (routers) are covered | Asset-to-category mapping; server and network monitoring |
| Identity theft, spoofing and phishing attacks are covered | Phishing intake / abuse mailbox; brand-abuse monitoring |
| Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are covered | DDoS mitigation logs and alerting thresholds |
| Attacks on critical infrastructure, SCADA, operational technology and wireless networks are covered where relevant | OT/ICS monitoring; wireless intrusion detection |
| Attacks on applications (e-governance, e-commerce) and data breaches / data leaks are covered | Application security monitoring; DLP alerts |
| Attacks on IoT devices, and on systems related to Big Data, Blockchain, virtual assets, robotics, 3D/4D printing, drones is covered where applicable | Coverage statement for emerging-technology assets in scope |
| Fake mobile apps and attacks on cloud/hosted infrastructure are treated as reportable | App-store monitoring; cloud security posture alerts |
| Unauthorised access to social media accounts is treated as reportable | Social-media account governance and monitoring |
D3 - Clock synchronisation to NIC/NPL NTP
| What to verify | Typical evidence |
|---|---|
| All servers, network devices, security appliances and endpoints synchronise their clocks to NIC (samay.nic.in) or NPL NTP sources, or to internal NTP servers themselves synced to those sources | NTP configuration files; group policy / MDM time settings; network time architecture diagram |
| A defined NTP hierarchy exists (stratum design) so that internal time servers trace back to NIC/NPL | NTP topology document; output of ntpq / chronyc showing upstream peers |
| Time drift is monitored and alerts fire on loss of synchronisation | Monitoring dashboards for time offset; alert history |
| Where alternate NTP sources are used, they are traceable to and do not deviate from NIC/NPL time | Justification note; comparison logs demonstrating traceability |
| Log and event timestamps across systems are consistent, supporting reliable forensic correlation | Cross-system timestamp comparison from correlated log samples |
| The timezone standard (IST) is applied consistently for reporting and log correlation | System configuration showing IST; documented convention |
D4 - Log retention within Indian jurisdiction (180 days)
| What to verify | Typical evidence |
|---|---|
| Logging is enabled across all ICT systems (servers, network, security devices, applications, databases) | Logging configuration baselines; log source inventory in the SIEM |
| Logs are retained securely for a rolling 180 days minimum | Retention policy; log storage sizing; retention configuration in SIEM/log store |
| Logs are maintained within Indian jurisdiction (stored in India or accessible and producible from within India) | Data-residency evidence; storage location attestation; cloud region configuration |
| Log integrity is protected against tampering (write-once, hashing, access control) | WORM storage config; log signing/hashing; access-control lists for log stores |
| Logs can be produced to CERT-In promptly on lawful order | Log-export procedure; documented retrieval SLA; sample export |
| Coverage includes authentication, access, administrative actions, network flows, and security-relevant events | Sample log records demonstrating event coverage per source type |
| Backup and disaster-recovery arrangements ensure the 180-day window survives an outage or attack | Backup schedule for log data; immutability of backups; restore test evidence |
D5 - Point of contact and cooperation with CERT-In
| What to verify | Typical evidence |
|---|---|
| A named Point of Contact (PoC) is designated to interface with CERT-In | Appointment memo; PoC name, designation and contact details |
| The PoC details have been formally registered / communicated to CERT-In in the required format | Registration submission; CERT-In acknowledgement |
| The PoC details are kept current and re-submitted on any change | Change-management record; updated registration |
| A deputy / alternate PoC exists to ensure 24x7 reachability | Alternate PoC appointment; escalation contact tree |
| Procedures exist to respond to CERT-In orders for information, action or assistance within stipulated timeframes | Documented response procedure; log of past CERT-In interactions |
| The organisation cooperates with directed safeguards, response and recovery actions when ordered | Records of actions taken in response to CERT-In directions/advisories |
D6 - Data centre / VPS / cloud / VPN customer data retention (5 years)
This domain applies specifically to data centres, VPS providers, cloud service providers and VPN service providers. Assessors working with such entities must verify accurate, validated customer records are captured and retained for five years, even after a customer relationship ends.
| What to verify | Typical evidence |
|---|---|
| Validated customer names and complete addresses are captured at onboarding | KYC/onboarding records; validation process documentation |
| Contact numbers, email addresses and (for subscribers) ownership pattern / purpose of hiring are recorded | Sample subscriber records with mandated fields populated |
| IP addresses allotted to / used by the subscriber and the period of allotment are recorded | IP allocation register; DHCP/assignment logs correlated to subscriber |
| The registration data is validated (not merely self-declared) using a defined verification method | Validation SOP; evidence of document / identity checks |
| Records are retained for at least 5 years and retained even after cancellation or withdrawal of service | Retention policy; archive of terminated-customer records showing retention |
| The data is stored securely with access controls and is producible to CERT-In on order | Access-control configuration; retrieval procedure; sample lawful-request response |
D7 - Virtual asset KYC and transaction records (5 years)
This domain applies to virtual asset service providers, virtual asset exchange providers and custodian wallet providers. It aligns closely with financial KYC/AML expectations.
| What to verify | Typical evidence |
|---|---|
| KYC of every customer is performed at onboarding following recognised norms (e.g., RBI-style KYC, PMLA aligned) | KYC policy; sample onboarded-customer KYC packs |
| Records enabling identification of parties to each transaction are maintained | Transaction ledgers linking wallet addresses to verified identities |
| Records include nature, amount, date and parties (individual/beneficiary) of transactions | Transaction record samples with mandated fields |
| All records are retained for a minimum of 5 years | Retention policy; archived records demonstrating the retention window |
| Records are producible to CERT-In and law-enforcement on lawful order | Retrieval SOP; log of past disclosures |
| Suspicious activity and reporting linkages to FIU-IND / AML obligations are maintained where applicable | STR/SAR procedures; AML programme documentation |
D8 - Ongoing cooperation, safeguards and directions
| What to verify | Typical evidence |
|---|---|
| The organisation monitors CERT-In advisories, vulnerability notes and directions and actions them | Register of CERT-In advisories received and closure status |
| A process exists to implement directed safeguards / response actions within required timeframes | Change / action tracker mapped to CERT-In directions |
| Evidence of past compliance with specific CERT-In requests is retained | Correspondence archive; closure evidence |
| Awareness of the penal consequences of non-compliance (Section 70B(7)) is embedded in governance | Governance / board briefing records; compliance obligation register |
Scoping the assessment
Scoping a CERT-In Directions assessment is about determining which of the eight domains apply, and to which systems and business units. Because the core reporting, clock, log and PoC duties apply universally, the scoping question is rarely 'do the Directions apply?' but rather 'which additional obligations apply and where do the in-scope ICT systems sit?'.
- Establish the legal footprint: identify every computer resource operated by, or on behalf of, the entity that is located in India or serves Indian users, since the Directions reach both.
- Classify the entity type: general body corporate versus data centre / VPS / cloud / VPN provider versus virtual asset service provider, to determine whether D6 or D7 apply.
- Inventory all ICT systems that generate security-relevant logs and require clock synchronisation, including cloud workloads, SaaS-adjacent infrastructure, OT/ICS and IoT where present.
- Map data flows and storage locations to confirm log data and customer records can be retained within Indian jurisdiction and produced on order.
- Identify outsourced and managed services (MSSPs, hosting, cloud) and confirm contractual flow-down of reporting, logging and cooperation duties.
- Define what is out of scope with documented justification (for example, personal devices not connected to corporate systems), avoiding under-scoping that would leave reportable systems uncovered.
- Confirm ownership: for shared-responsibility cloud models, document which party (customer or provider) is responsible for each control.
Implementation approach
A structured, phased implementation converts the Directions from a compliance shock into an embedded operating capability. The following four phases move an organisation from unaware to audit-ready, each with concrete activities and deliverables.
Phase 1 - Discover and baseline (Weeks 1-3)
- Activities: confirm entity classification and applicable domains; inventory ICT systems, log sources and time sources; assess current reporting readiness against the six-hour standard; identify data-residency gaps for logs and customer records.
- Deliverables: applicability determination memo; ICT and log-source inventory; NTP/time-source map; gap-assessment report against all eight domains; risk-ranked remediation backlog.
Phase 2 - Foundational controls (Weeks 3-8)
- Activities: designate and register the PoC and alternate with CERT-In; configure NTP synchronisation to NIC/NPL across the estate; enable and centralise logging; establish 180-day retention within Indian jurisdiction; draft the incident-reporting SOP with the six-hour trigger.
- Deliverables: CERT-In PoC registration acknowledgement; NTP architecture implemented and monitored; centralised log store with retention configured; approved incident-reporting SOP and Annexure-mapped classification taxonomy.
Phase 3 - Operationalise and rehearse (Weeks 8-14)
- Activities: integrate detection with the reporting workflow; define out-of-hours escalation and reporting authority; run tabletop and live-fire drills that exercise the six-hour clock; implement five-year customer/KYC and transaction retention where D6/D7 apply; establish the CERT-In advisory intake process.
- Deliverables: reporting playbooks per incident type; completed tabletop reports with timing metrics; validated retention archives; advisory register and action tracker.
Phase 4 - Assure and sustain (Ongoing)
- Activities: conduct internal audits against the master checklist; track KPIs; review and re-register PoC changes; maintain evidence continuously; brief the board on obligations and penal exposure; refresh training.
- Deliverables: periodic internal audit reports; KPI dashboard; refreshed evidence pack; management review minutes; sustained readiness state.
Maturity and capability model
Although the Directions impose a binary legal duty, a maturity lens is useful for tracking the journey and prioritising investment. The following five-level model helps an assessor characterise the current state of each domain and set improvement targets. Note that Levels 1 and 2 represent legal non-compliance; Level 3 is the minimum defensible state.
| Level | Characteristics |
|---|---|
| Level 1 - Absent | No PoC registered, no reporting procedure, logs not retained or not in India, clocks unsynchronised. Legally non-compliant and exposed to penalty. |
| Level 2 - Ad hoc | Some logging and awareness exist, but no six-hour capability, informal or missing PoC, retention gaps. Non-compliant in practice. |
| Level 3 - Defined | PoC registered, documented SOPs, NTP synced, 180-day retention in India, Annexure-mapped classification. Baseline compliance achieved. |
| Level 4 - Managed | Reporting rehearsed and measured, detection tuned to make six hours realistic, retention integrity assured, advisory actioning tracked with KPIs. |
| Level 5 - Optimised | Automated detection-to-report pipelines, continuous evidence, integrated with wider ISMS (ISO 27001) and privacy (DPDP), proactive drills and metrics-driven improvement. |
Assessment and audit approach
A rigorous assessment follows a repeatable sequence that combines documentation review, technical inspection and interview, and culminates in an evidenced findings report.
- Confirm applicability and scope: determine entity classification and which of the eight domains apply, and enumerate in-scope ICT systems and business units.
- Review governance artefacts: obtain the incident-reporting SOP, log-retention policy, NTP architecture, PoC registration and (where applicable) KYC/retention policies.
- Test D1-D2 reporting: walk through the reporting workflow, review past incident records and CERT-In acknowledgements, and verify Annexure-to-classification mapping.
- Inspect D3 clock synchronisation: sample device configurations and NTP query output to confirm traceability to NIC/NPL and monitor for drift.
- Inspect D4 logging: verify log sources, retention duration, Indian-jurisdiction storage, integrity controls and producibility.
- Verify D5 PoC and cooperation: confirm registration currency, alternate coverage and past cooperation with CERT-In requests.
- Verify D6/D7 retention where applicable: sample customer/KYC and transaction records for completeness, validation and five-year retention.
- Test D8 ongoing cooperation: review the advisory register and evidence of directed actions being implemented.
- Perform an operational drill: run or review a tabletop exercise measuring the elapsed time from simulated detection to CERT-In report, targeting well under six hours.
- Consolidate findings: rate each line item Compliant / Partial / Non-Compliant / Not Applicable, attach evidence references, and produce a prioritised remediation plan with owners and dates.
Evidence request list
Assemble the following categorised evidence in advance of any assessment or CERT-In inquiry. A well-organised evidence pack dramatically shortens both audits and post-incident response.
- Governance and policy: incident-reporting SOP with six-hour trigger; log-retention policy; NTP/time-synchronisation policy; CERT-In obligation register; delegation-of-authority for out-of-hours reporting.
- Point of contact: PoC and alternate appointment memos; CERT-In registration submission and acknowledgement; change records for PoC updates.
- Incident reporting: incident register with detection and reporting timestamps; copies of submitted CERT-In reports; CERT-In acknowledgement emails / ticket numbers; Annexure-mapped classification taxonomy.
- Detection and monitoring: SIEM configuration; alerting rules; on-call rota; mean-time-to-detect and mean-time-to-report metrics.
- Clock synchronisation: NTP architecture diagram; device configuration samples; ntpq/chronyc output; time-drift monitoring evidence.
- Log management: log-source inventory; retention configuration; data-residency attestation; log-integrity controls (WORM/hashing); log-export/producibility procedure and sample export; backup and restore-test evidence for log data.
- Customer / KYC retention (D6/D7 entities): onboarding and validation SOP; sample customer/KYC records with mandated fields; IP allocation register; transaction ledgers; five-year retention archive including terminated customers.
- Cooperation and advisories: CERT-In advisory register with closure status; correspondence archive; evidence of directed actions implemented.
- Assurance: internal audit reports; tabletop exercise reports with timing metrics; management review minutes; training and awareness records; board briefing on penal exposure.
Roles and responsibilities
| Role | Responsibilities under the CERT-In Directions |
|---|---|
| Board / senior management | Accept accountability for compliance and penal exposure; approve policy and resourcing; review compliance status periodically |
| CISO / Head of Information Security | Own the overall compliance programme; approve the incident-reporting SOP; ensure detection makes six-hour reporting achievable |
| CERT-In Point of Contact (and alternate) | Interface with CERT-In; submit reports and registration; respond to CERT-In orders and advisories within timeframes |
| Security Operations / SOC | Detect reportable incidents; classify against the Annexure; initiate the six-hour reporting workflow; maintain monitoring |
| IT / Infrastructure team | Implement and maintain NTP synchronisation, logging, 180-day retention and Indian-jurisdiction storage |
| Incident Response team | Execute IR playbooks; capture timestamps; ensure the reporting decision is made and actioned without delay |
| Legal / Compliance | Track statutory obligations; advise on penal exposure; manage lawful-disclosure responses; maintain the obligation register |
| Data Centre / VPS / Cloud / VPN operations (where applicable) | Capture and validate customer registration data; maintain five-year retention and producibility |
| Virtual asset compliance / AML (where applicable) | Perform KYC; maintain transaction records; retain for five years; coordinate with FIU-IND / law enforcement |
| Internal Audit | Independently assess conformance against the master checklist; report findings and track remediation |
KPIs to track
- Mean time to detect (MTTD) a reportable incident, trended over time.
- Mean time to report to CERT-In from detection, with the six-hour threshold as a hard ceiling.
- Percentage of reportable incidents reported within six hours (target 100%).
- Percentage of ICT systems synchronised to NIC/NPL NTP with zero unexplained time drift.
- Percentage of in-scope log sources with 180-day retention within Indian jurisdiction (target 100%).
- Log-integrity assurance rate (proportion of log stores with tamper-protection verified).
- PoC registration currency (days since last verification/update; alternate coverage confirmed).
- Number and closure rate of CERT-In advisories actioned within target timeframe.
- For D6/D7 entities: percentage of customer/KYC records validated and retained for the full five years.
- Tabletop/drill cadence and the elapsed detection-to-report time achieved in each exercise.
- Number of overdue remediation items from the last internal audit.
Readiness checklist
- Entity classification and applicable domains formally determined and documented.
- CERT-In Point of Contact and alternate appointed and registered with CERT-In; acknowledgement retained.
- Incident-reporting SOP with a six-hour trigger approved, published and rehearsed.
- Incident classification taxonomy mapped to every category in the CERT-In Annexure.
- Detection and monitoring capability sufficient to make six-hour reporting realistic and measured.
- Out-of-hours escalation and reporting authority defined so no report stalls awaiting sign-off.
- All ICT system clocks synchronised to NIC/NPL NTP with drift monitoring in place.
- Logging enabled across all ICT systems and centralised.
- Logs retained for 180 days within Indian jurisdiction with integrity protection and producibility.
- Backup and restore of log data validated to protect the 180-day window.
- For D6/D7 entities: validated customer/KYC and transaction records captured and retained for five years, including terminated customers.
- CERT-In advisory intake and action-tracking process operating.
- Evidence pack maintained continuously and internal audit performed against the master checklist.
- Board briefed on obligations and Section 70B(7) penal exposure.
Common gaps
- No registered PoC, or a PoC whose details have gone stale after a personnel change, leaving CERT-In unable to reach the organisation.
- Reporting procedures that quote the six-hour rule but lack the detection capability to notice an incident within a timeframe that makes six hours achievable.
- Treating the Directions as a personal-data breach obligation and under-scoping non-data events like DDoS, defacement and social-media compromise that are nonetheless reportable.
- Logs retained for less than 180 days, or stored exclusively outside Indian jurisdiction with no producible copy in India.
- Clock synchronisation configured to arbitrary public NTP pools with no traceability to NIC/NPL, undermining forensic timestamp correlation.
- Log integrity unprotected, so logs could be tampered with and would not withstand scrutiny.
- Out-of-hours reporting blocked by an approval bottleneck, causing the six-hour clock to expire before sign-off.
- For infrastructure and virtual-asset providers, self-declared (unvalidated) customer data, or retention that purges records on customer exit rather than holding them for five years.
- No rehearsal: the first time the reporting workflow is exercised is during a real incident, and timings blow past six hours.
- Advisory fatigue: CERT-In advisories received but not tracked to closure, leaving directed safeguards unimplemented.
CERT-In Directions mapped to other frameworks
The CERT-In Directions do not exist in isolation. Most obligations can be satisfied by extending controls an organisation may already operate under ISO 27001, the NIST Cybersecurity Framework, the Digital Personal Data Protection Act 2023 and, for regulated entities, RBI or SEBI cyber frameworks. The table below maps each CERT-In domain to the nearest analogue in these frameworks to help teams reuse existing controls and evidence.
| CERT-In domain | Nearest analogue in other frameworks |
|---|---|
| D1/D2 - Incident reporting and taxonomy | ISO 27001 A.5.24-A.5.28 (incident management); NIST CSF RESPOND (RS.CO communications); DPDP breach intimation to Data Protection Board; RBI/SEBI incident-reporting timelines |
| D3 - Clock synchronisation | ISO 27001 A.8.17 (clock synchronisation); NIST CSF PROTECT (PR.PT); PCI DSS Requirement 10.6 (time synchronisation) |
| D4 - Log retention and jurisdiction | ISO 27001 A.8.15/A.8.16 (logging and monitoring); NIST CSF DETECT (DE.AE, DE.CM); PCI DSS Requirement 10 (logging and 12-month retention) |
| D5 - PoC and cooperation | ISO 27001 A.5.5/A.5.6 (contact with authorities and special interest groups); NIST CSF GOVERN (GV.RR) |
| D6 - DC/VPS/cloud/VPN KYC retention | ISO 27001 A.5.9/A.5.34 (asset and privacy); NIST CSF IDENTIFY (ID.AM); RBI/telecom KYC norms |
| D7 - Virtual asset KYC and transactions | PMLA / FIU-IND KYC-AML obligations; ISO 27001 A.5.34 (privacy and PII); FATF Travel Rule expectations |
| D8 - Ongoing cooperation and directions | ISO 27001 A.5.5 (contact with authorities); NIST CSF GOVERN and IMPROVE (GV, ID.IM); threat-intelligence and advisory management |
Frequently asked questions
Need help with CERT-In Directions?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
