
CERT-In Compliance for MSMEs

The cybersecurity landscape for MSMEs in India has fundamentally changed. With CERT-In's mandatory annual cybersecurity audit requirements now in effect, compliance is no longer optional—it's a business imperative.

Understanding Compliance Requirements
  • Financial penalties for non-compliance
  • Legal implications for responsible personnel
  • Exclusion from government tenders
  • Potential impact on business reputation

What is CERT-In?

Understanding India's cybersecurity authority and its implications for your business

About CERT-In

CERT-In (Indian Computer Emergency Response Team), established in 2004, operates under the Ministry of Electronics and Information Technology, Government of India.

Its primary mandate is to improve the country's cybersecurity by issuing advisories, guidelines, and best practices. It coordinates responses to cybersecurity incidents, ensuring a robust national defense against cyber threats.

CERT-In's Role for MSMEs

CERT-In plays a pivotal role in enhancing the security posture of organizations across India by establishing cybersecurity frameworks specifically designed for MSMEs.

As a CERT-In empanelled auditor, we ensure that your IT infrastructure complies with the highest security standards mandated by CERT-In.

New CERT-In Compliance Requirements for MSMEs

Mandatory Framework Effective September 2025

MSMEs now face a mandatory annual cybersecurity audit conducted by CERT-In empanelled auditors. This isn't optional—it's a legal requirement under Section 70B of the IT Act, 2000.

The 15 Elemental Cyber Defense Controls

The framework centers around 15 Elemental Cyber Defense Controls specifically designed for smaller businesses:

1. Effective Asset Management (EAM)

Establish and maintain an efficient asset management framework.

2. Network and Email Security (NES)

Safeguard networks and email systems against unauthorized access.

3. Endpoint & Mobile Security (EMS)

Safeguard end-user devices with security policies.

4. Secure Configurations (SC)

Implement secure configuration of hardware and software.

5. Patch Management (PM)

Reduce security vulnerabilities through systematic patching.

6. Incident Management (IM)

Ensure timely detection, reporting, and response to incidents.

7. Identity & Access Management (IAM)

Ensure only authorized users can access systems and data.

8. Data Protection (DP)

Implement encryption, backups, and secure storage practices.

9. Application Security (AS)

Protect applications through secure coding and testing.

10. Cloud Security (CS)

Ensure cloud environments follow strict security measures.

11. Backup & Recovery (BR)

Maintain regular backups and test recovery processes.

12. Security Awareness & Training (SAT)

Educate employees about threats and safe practices.

13. Vulnerability Management (VM)

Regularly scan and remediate vulnerabilities.

14. Third-Party Risk Management (TPRM)

Assess and secure third-party/vendor relationships.

15. Continuous Monitoring (CM)

Continuously monitor systems to detect anomalies.

Critical Requirements

  • Annual third-party security audits by CERT-In empanelled organizations
  • 6-hour incident reporting to CERT-In
  • 180-day log retention within Indian jurisdiction
  • Implementation of all 15 Elemental Cyber Defense Controls

How We Help with CERT-In Compliance

Our comprehensive approach to ensuring your business meets all requirements

CERT-In Empanelled Audits

As a CERT-In empanelled auditor, we provide comprehensive security audits that adhere to the stringent guidelines set by CERT-In.

Comprehensive Compliance

We help you navigate complex Indian regulations including PDPA, RBI, IT Act 2000, and PCI-DSS, safeguarding your data, infrastructure, and payments.

Ongoing Support

Our team provides continuous support to ensure your organization remains compliant and secure against evolving cyber threats.


Ready to Achieve CERT-In Compliance?

Don't wait until it's too late. Our team of CERT-In empanelled experts is ready to guide you through the entire compliance process.

Get Your CERT-In Compliance Consultation

Fill out the form below and our CERT-In experts will contact you within 24 hours.


Frequently Asked Questions

Everything you need to know about CERT-In MSME compliance

What is the new CERT-In compliance for MSMEs?

From September 2025, all MSMEs in India must undergo a mandatory annual cybersecurity audit by a CERT-In empanelled auditor. The audit evaluates organizations against 15 Elemental Cyber Defense Controls including asset management, patching, access control, incident response, and log retention.

Who needs to comply with this mandate?

All Micro, Small, and Medium Enterprises (MSMEs) that use IT infrastructure, store or process customer data, or operate digitally are required to comply, as per the MSME Ministry classification and IT Act Section 70B.

What are the penalties for non-compliance?

Non-compliance carries strict penalties:
  • Financial fines up to ₹1 crore
  • Criminal liability: up to 1 year imprisonment
  • Business risks: debarment from government contracts
  • Reputational damage and loss of customer trust

What is the 6-hour incident reporting rule?

Organizations must report any cybersecurity incident — including data breaches, ransomware, unauthorized access, or major attacks — to CERT-In within 6 hours of detection. This is a legal requirement under Section 70B of the IT Act.

How often do audits need to be conducted?

CERT-In mandates that MSMEs undergo a cybersecurity audit every year. The audit report must be submitted to CERT-In within 5 days of completion and renewed annually.

How long does the certification process take?

The complete compliance cycle usually takes 16–20 weeks, covering:
1. Gap assessment
2. Control implementation
3. Employee training & process integration
4. Final certification audit by a CERT-In empanelled auditor

How can a VAPT service provider help with compliance?

As a VAPT provider, we assist MSMEs by:
  • Conducting pre-audit readiness checks
  • Performing Vulnerability Assessments & Penetration Testing
  • Helping implement the 15 mandated CERT-In controls
  • Coordinating with CERT-In empanelled auditors
  • Providing continuous compliance support

What are the business benefits of compliance?

Beyond avoiding penalties, compliance offers:
  • Customer trust & stronger reputation
  • Competitive edge in security-conscious markets
  • Eligibility for government & enterprise contracts
  • Reduced cyber insurance premiums
  • Business continuity through stronger cyber resilience

Copyright 2025 Cyethack Solutions.