Introduction

For years, many organizations have treated cybersecurity audits as a necessary evil. A "tick-box" exercise to satisfy regulators or close a deal. That era effectively ended on July 25, 2025.

With the release of the Comprehensive Cyber Security Audit Policy Guidelines (Version 1.0), CERT-In has fundamentally rewritten the rules of engagement. This is not just another advisory; it is a binding framework issued under the statutory authority of the IT Act, 2000.

For CISOs, Heads of Internal Audit, and business leaders, the message is clear: the scope has widened, the scoring has changed, and the consequences for "bad audits" are now severe.

If your current audit strategy relies on a simple vulnerability scan and a generic report, you are no longer just "at risk": you are likely non-compliant.

We have analyzed the 69-page directive and here is a layman's breakdown of the five critical changes you need to make to your audit strategy immediately.

Shift 1: The Death of "Basic" VAPT

For a long time, an audit was considered "complete" if it checked your web applications against the OWASP Top 10. The new guidelines explicitly state that this is no longer enough.

CERT-In now mandates that "limited lists" like OWASP Top 10 or SANS Top 25 should not be considered standards for audits. Instead, your audit scope must be comprehensive.

What has changed? Your audit must now cover modern technologies that were previously ignored or treated as "extras." This includes:

  • AI Systems: Testing for adversarial manipulation and data integrity.
  • Supply Chain Transparency: Evaluating the Software Bill of Materials (SBOM) to find risks in third-party components.
  • Cloud & IoT: Specific controls for cloud architecture and connected devices.

The Takeaway: If your auditor is still only quoting you for a "standard web app test," they are missing the mandatory baseline.

Shift 2: New Scoring Rules (EPSS Is Now Mandatory)

How do you decide which bug to fix first? Historically, we used CVSS (Common Vulnerability Scoring System), which tells you how severe a vulnerability is (e.g., Critical, High, Medium, Low).

But severity doesn't tell you if a hacker is actually using that vulnerability right now.

The new guidelines make it mandatory to use EPSS (Exploit Prediction Scoring System) alongside CVSS.

  • CVSS tells you: "How bad is it if this breaks?"
  • EPSS tells you: "What is the probability this will actually be exploited in the wild?"

The Takeaway: Your audit reports must now give you both scores. This helps you prioritize the 5% of bugs that hackers are actually using, rather than wasting time on the 95% that aren't.
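To make the two-score idea concrete, here is an added Python illustration (not from the CERT-In guidelines or any real audit report) of how a remediation queue changes once EPSS is considered alongside CVSS. The findings, their identifiers and scores are constructed sample data, and the tier thresholds (an EPSS cut-off of 0.1, the standard CVSS v3 rating bands) are assumptions chosen for the example, not values the guidelines prescribe.

```python
"""Prioritise audit findings using CVSS severity together with EPSS probability.

Added example. All findings below are constructed; FINDING-00x identifiers are
placeholders, not real CVE ids. Thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str      # constructed placeholder identifier
    asset: str    # constructed asset name
    cvss: float   # CVSS base score, 0.0 - 10.0 (impact if exploited)
    epss: float   # EPSS score, 0.0 - 1.0 (probability of exploitation in the wild)


# Constructed sample report: deliberately includes a medium-severity bug that
# is being actively exploited and a critical bug that nobody is exploiting.
SAMPLE_FINDINGS = [
    Finding("FINDING-001", "api-gateway", 9.8, 0.92),
    Finding("FINDING-002", "hr-portal", 5.3, 0.45),
    Finding("FINDING-003", "legacy-erp", 9.1, 0.01),
    Finding("FINDING-004", "file-server", 7.5, 0.02),
    Finding("FINDING-005", "intranet-wiki", 3.1, 0.00),
]

# Assumed EPSS threshold above which a vulnerability is treated as "likely exploited".
EPSS_THRESHOLD = 0.1


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_tier(f: Finding, epss_threshold: float = EPSS_THRESHOLD) -> int:
    """Assign a remediation tier (1 = fix first, 4 = schedule later).

    Tier 1: likely exploited AND high/critical impact.
    Tier 2: likely exploited at any severity, OR critical impact even if not yet exploited.
    Tier 3: medium/high impact with no sign of exploitation.
    Tier 4: everything else.
    """
    likely_exploited = f.epss >= epss_threshold
    if likely_exploited and f.cvss >= 7.0:
        return 1
    if likely_exploited or f.cvss >= 9.0:
        return 2
    if f.cvss >= 4.0:
        return 3
    return 4


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order findings by tier, then by EPSS (desc), then by CVSS (desc)."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))


def cvss_only_order(findings: list[Finding]) -> list[Finding]:
    """The legacy ordering: severity alone, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def report_rows(findings: list[Finding]) -> list[tuple[str, str, int, float, float]]:
    """Rows an auditor would put in the report: id, severity band, tier, CVSS, EPSS."""
    return [(f.fid, cvss_severity(f.cvss), priority_tier(f), f.cvss, f.epss)
            for f in prioritise(findings)]


if __name__ == "__main__":
    print("CVSS-only order :", [f.fid for f in cvss_only_order(SAMPLE_FINDINGS)])
    print("CVSS+EPSS order :", [f.fid for f in prioritise(SAMPLE_FINDINGS)])
    for row in report_rows(SAMPLE_FINDINGS):
        print("%-12s %-9s tier %d  CVSS %.1f  EPSS %.2f" % row)
```

Running it shows the shift the guidelines are after: under CVSS alone the medium-severity FINDING-002 sits fourth, but because it is the one actually being exploited it moves to second place once EPSS is applied, while the unexploited critical FINDING-003 drops below it.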

Shift 3: Strict Independence (No More "Pay-for-Pass")

A dangerous practice in the industry has been the "contingent fee" model, where an auditor is paid the full amount only after they issue a "clean" certificate. This creates a conflict of interest, incentivizing auditors to ignore problems.

CERT-In has banned this. The guidelines state that payments to auditing organizations must not be contingent on the outcome of the audit (favourable or unfavourable) or the issuance of closure reports.

The Takeaway: You need to hire an auditor based on their competence and independence, not their willingness to guarantee a certificate. An honest report with findings is now more valuable and legally safer than a fake clean report.

Shift 4: The "Auditee" (You) Owns the Risk

There is often a misconception that once you hire an auditor, security becomes their problem. The new guidelines clarify that the ultimate responsibility for the security posture rests with you (the Auditee).

Specifically, you must:

  • Own the Inventory: You must maintain the asset inventory; the auditor cannot audit what you don't track.
  • Fix the Issues: The auditor identifies the gaps, but you are responsible for patching them. The auditor cannot be the one to implement the fix (to avoid conflict of interest).