CERT-In Directives + CISG-2025-02

CERT-In Directions under Section 70B of IT Act 2000 (6-hour reporting, 180-day log retention, NTP sync) combined with CISG-2025-02 guidelines effective July 25, 2025 mandating annual third-party cyber audits for every public and private enterprise.

Composition

29 controls currently indexed; participates in 21 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• AI content labelling — testing consent, deep fakes, SGI, deployer notices
• AI data governance — provenance, preparation, external reporting
• AI incident reporting — serious incidents to authorities
• AI post-deployment monitoring and incident response
• AI resource inventory — data, tooling, systems, people across AI lifecycle
• AI-generated content provenance — C2PA, watermarking, SGI
• Authentication architecture and multi-factor authentication
• Centralised logging with retention, tamper protection, and integrity
• Comprehensive asset inventory with classification and ownership
• Cyber resilience metrics — KPIs, KRIs, Board reporting cadence
• Data localisation — DPDPA SDF traffic data + sectoral requirements
• Forensic capability and evidence collection
• GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination
• Incident response execution — detection through eradication, recovery, and lessons learned
• Incident response plan preparation, independent review, and risk-response planning
• Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
• Multi-regulator incident notification with coordinated submission timelines
• Secure SDLC — threat modelling, secure coding, SAST/DAST, dependency scanning, DevSecOps
• Security reporting governance — CISO, DPO, incident reporting, compliance reporting
• VAPT cycle — vulnerability assessment and penetration testing programme
• Vulnerability management programme — discovery, prioritisation, remediation