Free Tool · 5-Minute Self-Assessment

CERT-In Direction Readiness Checklist

Twenty practitioner-grade questions to test whether your business actually complies with India's most under-complied-with cyber instrument — the 28 April 2022 CERT-In directions. Applies to every Indian body corporate.

Questions: 20 · Time: 5 min · Output: Score band · Email gate: None

20 questions · 5 minutes · Score band on completion

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the document or evidence today. Score reveals when you complete all twenty.

01 · Awareness & Designation

Step zero — does your organisation know the directions exist and who owns compliance?

1. A senior officer in our organisation has read the CERT-In directions of 28 April 2022 and understands they apply to every body corporate in India.
2. We have designated a Point of Contact for cyber incident communication with documented name, designation, email, and phone.
3. Our designated email POC is monitored 24x7 (or routed to an on-call rotation) and can receive CERT-In communication outside business hours.
4. A security.txt file is published in the /.well-known/ directory of our website with our cyber POC contact details.

02 · Logging & Retention

The 180-day in-India log retention is the most-violated obligation in the directions.

5. All ICT systems (servers, applications, network appliances, endpoints) generate audit logs and these logs are enabled by default.
6. Logs are retained for at least 180 days online (queryable) — not just archived to cold storage that takes days to retrieve.
7. Log storage is physically located within India — no logs in foreign cloud regions for in-scope systems.
8. Logs have integrity protection (immutable storage, write-once buckets, or signed log streams) and access is restricted and reviewed.
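
The four logging questions above can be turned into a repeatable check. This is an added example, not tooling from the page: it audits a constructed inventory of log stores against the 180-day online floor, the in-India region list given in the FAQ further down (the Azure and GCP region ids are assumed to be those providers' usual identifiers), and the integrity and access-review requirements.

```python
"""Audit a log-store inventory against the logging obligations above:
180 days online, in India, with integrity protection and reviewed access."""
from dataclasses import dataclass
from typing import Dict, List

# Cloud regions the page's FAQ lists as in-India, keyed by provider region id
# (assumption: Azure/GCP ids as those providers commonly name them).
INDIA_REGIONS = {
    "ap-south-1", "ap-south-2",      # AWS Mumbai, Hyderabad
    "centralindia", "southindia",    # Azure Central India, South India
    "asia-south1", "asia-south2",    # GCP Mumbai, Delhi
}
MIN_ONLINE_DAYS = 180  # retention floor, and it must stay queryable (not cold archive)


@dataclass
class LogStore:
    name: str
    region: str                 # provider region id where the bytes physically live
    online_retention_days: int  # days logs stay queryable before deletion/tiering
    immutable: bool             # object lock / WORM bucket / signed stream in place
    access_reviewed: bool       # access restricted and periodically reviewed


def audit_store(store: LogStore) -> List[str]:
    """Return the list of gaps for one store; an empty list means compliant."""
    gaps = []
    if store.region.lower() not in INDIA_REGIONS:
        gaps.append(f"region {store.region} is outside India")
    if store.online_retention_days < MIN_ONLINE_DAYS:
        gaps.append(f"online retention {store.online_retention_days}d is below {MIN_ONLINE_DAYS}d")
    if not store.immutable:
        gaps.append("no integrity protection (object lock / WORM / signed stream)")
    if not store.access_reviewed:
        gaps.append("log access is not restricted and reviewed")
    return gaps


def audit_inventory(stores: List[LogStore]) -> Dict[str, List[str]]:
    """Map each store name to its gaps so the non-compliant ones are easy to list."""
    return {s.name: audit_store(s) for s in stores}


# Constructed sample: one compliant store, one foreign-region store, one unreviewed.
SAMPLE_INVENTORY = [
    LogStore("cloudtrail-prod", "ap-south-1", 365, True, True),
    LogStore("app-logs", "us-east-1", 90, False, True),
    LogStore("fw-syslog", "southindia", 180, True, False),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'compliant' if not gaps else '; '.join(gaps)}")
```

Feed it the real inventory (region, retention and lock settings pulled from each bucket or workspace) and the output is the evidence list question 7 asks you to produce.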

03 · Incident Reporting

Six hours from awareness. The clock starts before you have full root-cause analysis.

9. We have an Incident Response runbook with a CERT-In email template pre-drafted (per Annexure II of the directions).
10. Our SOC and on-call team know the 6-hour reporting window and have practised it in a tabletop exercise within the last 12 months.
11. We can trigger reporting at 3am on a Sunday — the on-call has authority to send the initial notification without waiting for management sign-off.
12. We have classified our last 12 months of cyber events against the 20 reportable categories and reported every applicable one.

04 · Server Time, KYC & Service-Specific

NTP sync to NIC/NPL and (for VPN/cloud/datacentre) 5-year KYC retention.

13. All servers, network appliances, and VM hosts synchronise their time to NIC (samay1.nic.in) or NPL (time.nplindia.org) NTP servers, documented in our IT runbook.
14. If we are a VPN provider, cloud provider, datacentre, VPS provider, or VASP — we collect and validate subscriber KYC and retain it for at least 5 years post-cancellation.
15. For VASP / virtual asset operations: we maintain transaction records with KYC linkage retained for at least 5 years.
16. Our cloud provider contracts and our internal infrastructure docs explicitly reference CERT-In compliance requirements (logging, retention, NTP).
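
Question 13 is easy to claim and easy to get wrong when a distribution's default pool is left in the config next to the NIC entry. The following is an added example, not the page's own tooling: it parses chrony/ntpd-style `server`, `pool` and `peer` directives from a constructed config and passes only if every source is an NIC or NPL host (assumption: any host under nic.in or nplindia.org counts, not just the two names the page gives).

```python
"""Check an NTP client configuration (chrony/ntpd directive syntax) for question 13:
every configured time source must be an NIC or NPL server."""
from typing import List, Tuple

# Hosts the page names are samay1.nic.in and time.nplindia.org; assumption: any
# host under these two domains is acceptable as NIC/NPL.
ALLOWED_DOMAINS = (".nic.in", ".nplindia.org")
SOURCE_DIRECTIVES = ("server", "pool", "peer")


def parse_time_sources(config_text: str) -> List[str]:
    """Return hostnames named by server/pool/peer directives, ignoring comments."""
    sources = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() in SOURCE_DIRECTIVES:
            sources.append(parts[1].lower())
    return sources


def check_ntp_config(config_text: str) -> Tuple[bool, List[str]]:
    """Return (compliant, offending_sources).

    Compliant only when at least one source is configured and every source is
    an NIC/NPL host; an empty config is non-compliant, not vacuously fine.
    """
    sources = parse_time_sources(config_text)
    offending = [s for s in sources if not s.endswith(ALLOWED_DOMAINS)]
    return (bool(sources) and not offending, offending)


# Constructed sample: a distro default pool left in place next to the NIC/NPL servers.
SAMPLE_CHRONY_CONF = """\
# /etc/chrony/chrony.conf (constructed sample)
pool 2.debian.pool.ntp.org iburst
server samay1.nic.in iburst
server time.nplindia.org iburst   # NPL
driftfile /var/lib/chrony/chrony.drift
"""

if __name__ == "__main__":
    ok, bad = check_ntp_config(SAMPLE_CHRONY_CONF)
    print("compliant" if ok else f"non-compliant, offending sources: {bad}")
```

Run it over every host's chrony.conf or ntp.conf in the runbook inventory; a single stray pool line fails the check, which is the right answer for the question as written.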

05 · Validation & Continuous Compliance

Tested processes, audit-ready evidence, and the discipline to stay compliant year-on-year.

17. In our most recent internal audit or external assessment, CERT-In compliance was a discrete review area with documented findings and closure.
18. We can demonstrate, on demand, the last 90 days of authentication logs, application logs, and cloud audit trails for our critical systems.
19. We have an active subscription to CERT-In advisories and act on relevant ones with documented response (e.g. patching, rule updates).
20. Our cyber-incident playbook is rehearsed at least annually with a tabletop exercise that includes the 6-hour reporting flow end-to-end.

What "Ready" Looks Like

Three Bands. Three Plays.

0–7 · Critical exposure

You are materially non-compliant with the 2022 directions. This is the cheapest compliance to fix — 30 days of focused work. Logs in India for 180 days, NIC/NPL NTP, designated POC, 6-hour reporting playbook.

8–14 · At risk

Foundations exist but coverage is patchy. Close log retention gaps (especially foreign-region storage), formalise the 6-hour reporting flow with a tabletop, and publish your security.txt POC. 30-day plan.

15–20 · Compliant

You are CERT-In-compliant. Move to continuous validation: include CERT-In as an audit area in internal audit, refresh your reporting playbook annually, and subscribe to advisories for proactive defence.

FAQ

Common Questions

Does CERT-In really apply to small companies?

Yes. The directions apply to every "body corporate" — including private companies, LLPs, sole proprietorships engaged in commercial activity. A 5-person SaaS startup is in scope just like a 50,000-person bank.

What does "6 hours from awareness" mean?

The clock starts when an authorised person in your organisation becomes aware of a reportable incident — through a SOC alert, customer report, vendor notification, or any reasonable indication. It does not wait for full investigation. Report what you know and update as you learn more.

Are logs in AWS us-east-1 OK?

No. Logs for in-scope systems must be physically stored in India. AWS Mumbai (ap-south-1), Hyderabad (ap-south-2), Azure Central India / South India, GCP Mumbai / Delhi are the compliant regions. CloudWatch / S3 / blob storage in foreign regions is a localisation breach.

What are the penalties?

Under IT Act §70B(7), failure to comply can result in imprisonment up to 1 year, fine up to ₹1 lakh, or both. Reputational and contractual penalties are usually larger — a CERT-In notice during enterprise sales diligence kills deals.

What is the difference between this checklist and the buyer's guide?

The checklist diagnoses readiness in 5 minutes. The full CERT-In guide walks through every reportable category, the reporting mechanics, log retention specifics, NTP configuration, KYC obligations for service providers, and a 30-day compliance roadmap.

30-day compliance plan

Skip the Guesswork. Get a 30-Day Plan.

A 30-minute consultation. Walk away with a prioritised remediation list mapped to the CERT-In directions and the cheap quick wins to close in the next 30 days.

No sales pitch. Responds within 24 hours.