February 10, 2026 · 12 min read · By the Suvant Team

Your Company Has a CERT-In Compliance Deadline. Here's What Actually Matters.

If you're the IT head at an Indian company with 50 to 2,000 employees, you've probably had one of these conversations in the last few months: your auditor mentioned CERT-In. Your CEO forwarded an article about mandatory cybersecurity audits. A consultant cold-messaged you on LinkedIn offering "end-to-end CERT-In compliance." Maybe all three.

And now you're trying to figure out what you actually need to do — without spending ₹40 lakhs on an enterprise SIEM that your three-person IT team will never fully use.

This guide is for you. We'll break down exactly what CERT-In requires, what the 2025 guidelines changed, and what mid-market companies actually need to focus on to pass their audit — without building a Security Operations Center or buying tools designed for companies ten times your size.

What Changed in 2025

Two major things happened last year that affect every mid-market company in India.

July 25, 2025: CERT-In released the Comprehensive Cyber Security Audit Policy Guidelines. For the first time, this made annual third-party cybersecurity audits mandatory for all public and private sector organizations that own or operate digital systems. Not just banks. Not just critical infrastructure. Everyone. The audits must be conducted by CERT-In empaneled auditing organizations and align with frameworks like ISO/IEC 27001.

September 1, 2025: CERT-In followed up with the "15 Elemental Cyber Defense Controls for MSMEs" — a baseline framework with 45 specific security recommendations mapped to 15 control areas. This was designed specifically for smaller organizations. It acknowledges that MSMEs can't meet the same bar as large enterprises, so it prescribes a minimum standard of protection. But "minimum" doesn't mean "optional." MSMEs are expected to conduct baseline audits against these controls through CERT-In empaneled auditors at least once a year.

These two guidelines sit on top of CERT-In's 2022 directive, which already required all organizations to report cyber incidents within 6 hours and retain system logs for 180 days. That directive is still very much in force.

Put it all together and the compliance landscape for an Indian mid-market company now looks like this: mandatory annual audits, 15 baseline controls to meet, 180-day log retention, and a 6-hour incident reporting window. If that sounds like a lot — it is. But it's also more manageable than most vendors will tell you.

The Three Things That Actually Matter for Your Audit

When you read through the guidelines, the 15 Elemental Controls cover everything from asset management to physical security to supply chain risk. It's comprehensive. But if you're starting from near-zero and need to get audit-ready, three areas will determine whether you pass or fail.

1. Logging and Monitoring (Control #7)

This is the foundation. The 2022 CERT-In directive requires you to maintain logs of all ICT systems for 180 days, stored securely within Indian jurisdiction. The 2025 MSME guidelines reinforce this with "continuous logging and monitoring of systems and networks to detect anomalies."

What this means in practice: every firewall event, every application access log, every authentication attempt, every server event needs to be collected, stored, and retrievable for six months. If CERT-In asks for your logs — whether during a routine audit or after an incident — you need to produce them.

This is where most mid-market companies fail their first audit. Not because they don't have firewalls or endpoint protection, but because their logs are scattered across 15 different systems with no central collection, retention is set to 30 days by default, and nobody has ever actually tried to pull a log from three months ago.

The fix isn't complicated: centralized log collection with a 180-day retention policy. This is the core function of a SIEM (Security Information and Event Management) system. But here's where the market fails you — the SIEMs that do this well (Splunk, QRadar, Sentinel) are designed for enterprises with dedicated SOC teams and budgets starting at ₹40 lakhs per year. For a 200-person company with two IT admins, that's not realistic.

2. Incident Management (Control #6)

Under the CERT-In directive, you must report cybersecurity incidents within 6 hours of detection. Not 6 hours of completing your investigation. Not 6 hours of confirming the breach. Six hours from the moment you notice something wrong.

The list of reportable incidents is broad: data breaches, ransomware, phishing, denial-of-service attacks, unauthorized access, website defacement, malware infections, and more. CERT-In has published a detailed Incident Reporting Form, and they've acknowledged that your initial report may have limited information — you can provide supplemental details later. But the clock starts when you detect.

For the audit, you need two things: a documented Incident Response Plan (who does what, when, how), and evidence that you can actually execute it. The plan should include detection procedures, escalation paths, the CERT-In reporting workflow, and post-incident review. Many auditors will also look for evidence of drills or tabletop exercises.

This is where logging ties directly into incident management. You can't report an incident in 6 hours if you don't have the monitoring to detect it in the first place. And you can't investigate or contain it without logs.

3. Governance and Compliance (Control #9)

The MSME guidelines require you to assign a security lead, maintain a comprehensive security policy, and demonstrate compliance with CERT-In and regulatory guidelines. This is the "paper trail" part of the audit — and it's where many technically competent IT teams get caught off guard.

You need: a written information security policy (it doesn't have to be 200 pages — clarity matters more than length), a named person responsible for security (this can be your existing IT head, it doesn't have to be a CISO), documented procedures for the controls you've implemented, and evidence of periodic review and updates.

The auditor isn't just checking that you have a firewall. They're checking that you have a policy that says you should have a firewall, that someone is responsible for it, and that you reviewed it within the last year. Process and documentation matter as much as technology.

The 12 Other Controls — Prioritized

The remaining 12 controls from the MSME framework are important, but most mid-market companies are already partially meeting many of them through existing IT practices. Here's a practical prioritization.

You're probably already doing these (verify and document): Access Control (unique IDs, role-based access — if you're using Active Directory or Google Workspace, you're halfway there), Endpoint & Mobile Security (if you have antivirus on company machines, that's a start), Network and Email Security (basic firewall and email filtering), and Patch Management (if you're running auto-updates, document it).

These need specific attention: Effective Asset Management (create and maintain an inventory of all IT assets — hardware, software, cloud services), Data Protection, Backup, and Recovery (encrypted backups, offsite storage, tested restore procedures), Secure Configurations (hardened system configs, disabled default accounts), and Vulnerability Audits (annual third-party vulnerability assessment — this may happen as part of your CERT-In audit itself).

These are organizational, not technical: Training & Culture Building (security awareness training for all employees — even a quarterly 30-minute session counts), Physical Security (restrict server room access, track who has what equipment), Risk and Incident Management (your incident response plan covers most of this), and Third-Party & Supply Chain Risk Management (evaluate vendor security practices — start with your most critical vendors).

What You Don't Need

Let's be direct about what the compliance landscape does not require for mid-market companies.

You don't need a SOC team. The MSME guidelines are explicitly designed for companies that don't have dedicated security staff. Your IT team can manage compliance — they just need the right tools and documentation.

You don't need Splunk. Or QRadar, or Sentinel, or any enterprise SIEM that requires a team of analysts to operate. You need log collection, retention, and basic alerting. That's a fraction of what enterprise SIEMs do (and charge for).

You don't need a ₹40L+ annual security budget. The MSME guidelines acknowledge economic constraints and prescribe minimum standards, not enterprise-grade requirements. Smart tool selection and process documentation can get you compliant at a fraction of the cost.

You don't need ISO 27001 certification. The guidelines reference ISO 27001 as a framework, but MSME compliance is based on the 15 Elemental Controls, which are a simpler baseline. ISO certification is a good goal for later, but it's not a prerequisite for passing your CERT-In audit.

You don't need to hire a CISO. You need a named security lead. That can be your IT manager with "cybersecurity" added to their responsibilities, backed by the right tools and a clear policy.

What to Do This Quarter

If you're a mid-market company that hasn't started CERT-In compliance, here's a practical 90-day plan.

Month 1 — Foundation. Appoint a security lead (even if it's a hat on an existing role). Create a basic information security policy. Build an IT asset inventory. Review your current logging: what's being logged, where it's stored, and how long it's retained. The gap between your current retention and 180 days is your most urgent technical problem.

Month 2 — Technical. Implement centralized log collection with 180-day retention. Set up basic alerting for critical events (failed logins, unauthorized access attempts, malware detections). Write and distribute your Incident Response Plan. Run one tabletop exercise (it can be a 45-minute meeting walking through "what would we do if we got a ransomware email right now").

Month 3 — Audit prep. Conduct a self-assessment against all 15 Elemental Controls. Document what you've implemented, what's in progress, and what gaps remain. Schedule your annual audit with a CERT-In empaneled auditing organization. Review CERT-In's incident reporting format so you're not seeing it for the first time during an actual incident.
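The two technical items in this plan (the Month 1 retention review and the Month 2 failed-login alerting) are concrete enough to script. The following is an added example written for this guide, not Suvant's product code or anything from the CERT-In guidelines. It takes a constructed inventory of log sources with the oldest entry each still holds, reports which ones fall short of the 180-day requirement, and runs a baseline brute-force rule over constructed auth log lines. The source names, the log line format, the five-failures-in-ten-minutes threshold and the sample IP addresses are all assumptions for illustration.

```python
"""Added example (not from the Suvant post or CERT-In): two checks an IT team
can run during the 90-day plan.

1. retention_gaps(): compares the oldest retained entry of each log source
   against the 180-day CERT-In retention requirement (Month 1 review).
2. failed_login_alerts(): a minimal rule over auth log lines that flags
   repeated failed logins per source IP (Month 2 basic alerting).

All inputs are constructed sample data; source names, thresholds and the
log line format are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

REQUIRED_RETENTION_DAYS = 180  # from the 2022 CERT-In directive

# Constructed inventory: log source -> timestamp of the oldest entry still retained.
NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)
SAMPLE_SOURCES = {
    "perimeter-firewall": NOW - timedelta(days=30),   # typical vendor default
    "domain-controller":  NOW - timedelta(days=200),
    "erp-application":    NOW - timedelta(days=90),
    "vpn-gateway":        NOW - timedelta(days=180),
}


def retention_gaps(sources, now=NOW, required_days=REQUIRED_RETENTION_DAYS):
    """Return {source: shortfall_days} for every source that retains fewer
    than required_days of history. Sources that meet the bar are omitted."""
    gaps = {}
    for name, oldest in sources.items():
        retained_days = (now - oldest).days
        if retained_days < required_days:
            gaps[name] = required_days - retained_days
    return gaps


# Constructed syslog-style auth lines (assumed format, not a real system's output).
SAMPLE_AUTH_LOG = """\
2026-02-10T09:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2026-02-10T09:00:04Z auth sshd: Failed password for admin from 203.0.113.7
2026-02-10T09:00:09Z auth sshd: Failed password for root from 203.0.113.7
2026-02-10T09:00:15Z auth sshd: Failed password for admin from 203.0.113.7
2026-02-10T09:00:20Z auth sshd: Failed password for backup from 203.0.113.7
2026-02-10T09:05:00Z auth sshd: Accepted password for priya from 198.51.100.4
2026-02-10T09:40:00Z auth sshd: Failed password for priya from 198.51.100.4
2026-02-10T09:40:30Z auth sshd: Accepted password for priya from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag any source IP with at least `threshold` failed logins inside a
    sliding time window. Returns a list of (ip, count, first_ts, last_ts)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # unparseable or successful logins are not counted
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        failures[m["ip"]].append(ts)

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ip, end - start + 1, times[start], times[end]))
                break  # one alert per IP is enough for a baseline rule
    return alerts


if __name__ == "__main__":
    for src, short in retention_gaps(SAMPLE_SOURCES).items():
        print(f"RETENTION GAP: {src} is {short} days short of {REQUIRED_RETENTION_DAYS}")
    for ip, n, first, last in failed_login_alerts(SAMPLE_AUTH_LOG):
        print(f"ALERT: {n} failed logins from {ip} between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the constructed data the retention check reports the firewall (150 days short) and the ERP application (90 days short), while the VPN gateway at exactly 180 days passes; the alert rule fires once for 203.0.113.7 and ignores the single failure from 198.51.100.4. Replace `SAMPLE_SOURCES` with the real oldest-entry dates from each system and point the rule at an export from your central collector; the point of the retention check is that it forces someone to actually pull the oldest log each source still has, which is exactly the question an auditor will ask.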

This isn't a complete security transformation. It's the minimum viable compliance path — getting you through your first audit while building the foundation for continuous improvement.

The Market Gap Nobody's Filling

Here's the uncomfortable truth about the current landscape: the compliance tools available to mid-market Indian companies are either too much or too little.

On one end, you have enterprise SIEMs — Splunk, IBM QRadar, Microsoft Sentinel — that cost ₹40 lakhs to ₹4 crore per year, require dedicated analysts to operate, and offer hundreds of features you'll never use. They're built for companies with 50-person SOC teams and global threat intelligence requirements.

On the other end, you have ManageEngine and similar tools that handle individual functions (log management, endpoint monitoring) but don't connect them into a compliance-ready workflow. You end up stitching together four or five tools, none of which talk to each other, and none of which generate the audit documentation you need.

In between, there's a gap: a compliance-focused SIEM built for companies that need to pass their CERT-In audit without building a SOC. One that handles log collection, 180-day retention, incident reporting workflows, and audit-ready dashboards — without requiring security analysts to operate it.

That's what we're building at Suvant.

We're in early development, working directly with security consultants and mid-market IT teams to make sure we build the right thing. If your company is navigating CERT-In compliance and you want a tool that solves this specific problem, get in touch. We'd genuinely like to hear about your situation — what's working, what's not, and what would actually help.

Key Dates and References

April 28, 2022: CERT-In Directive on incident reporting (6-hour window) and 180-day log retention. In force since September 2022.

July 25, 2025: Comprehensive Cyber Security Audit Policy Guidelines (CISG-2025-02). Mandatory annual third-party audits for all organizations.

September 1, 2025: 15 Elemental Cyber Defense Controls for MSMEs (CISG-2025-03). Baseline framework with 45 recommendations across 15 control areas.

Official sources: MSME Controls (PDF) · Audit Policy Guidelines (PDF) · 2022 Directive (PDF)