CERT-In's 2022 Cyber Security Directions — incident reporting, logging, and 180-day retention requirements.
Service providers, intermediaries, data centres, body corporates, and government organisations operating in India.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Mandatory incident reporting to CERT-In within 6 hours for prescribed incident categories.
180-day log retention for ICT systems used in India.
Time synchronisation with NTP sources designated by CERT-In.
Designated point of contact registration with CERT-In.
KYC and 5-year retention for VPN/VPS/cloud and crypto service providers.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
CERT-In reporting workflow with 6-hour timer per incident category.
Log retention enforcement (180-day floor) with audit-ready storage.
NTP attestation evidence.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
CERT-In incident report draft.
Log retention attestation.
POC registration record.
These frameworks share substantial control overlap with CERT-In. Customers running one assessment typically satisfy the others with the same evidence base.
India
India's first omnibus personal data protection law — phased rollout underway, with sectoral overlays from RBI, SEBI, and CERT-In.
India
RBI's cybersecurity framework spanning circulars for banks, urban co-operatives, NBFCs, and payment system operators.
India
SEBI's Cybersecurity and Cyber Resilience Framework — applicable to stock exchanges, depositories, brokers, AMCs, and other SEBI-registered intermediaries.
India
India's protection regime for Critical Information Infrastructure designated under Section 70 of the IT Act.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.