CERT-In Advisory Services

6-Hour Incident Reporting Capability. Full CERT-In Compliance.

Built for: All Indian Businesses with Internet Presence

What Is CERT-In Advisory Services?

CERT-In (Indian Computer Emergency Response Team) Advisory Services help Indian businesses understand, implement, and maintain compliance with CERT-In's cybersecurity directives — which apply to virtually every organisation with an internet presence in India.

CERT-In's April 2022 directives fundamentally changed the cybersecurity compliance landscape for Indian businesses. The requirements include mandatory 6-hour incident reporting, 180-day log retention within Indian jurisdiction, specific VPN logging requirements, and designated point-of-contact registration. Non-compliance can trigger enforcement actions from CERT-In and referrals to sector-specific regulators.

Verentix guides Indian businesses through the entire CERT-In compliance process — from initial gap assessment through implementation to ongoing maintenance — ensuring you meet requirements without disrupting business operations.

Why Your Business Needs This

Most Indian businesses we speak to are either unaware of their CERT-In obligations or have only partially implemented the requirements. The 6-hour incident reporting requirement alone demands capabilities that most organisations do not have — real-time threat detection, documented incident response procedures, and a trained response team that can identify, classify, and report incidents within an extremely tight window.

The 180-day log retention requirement creates specific technical challenges — especially for companies using cloud services with data centres outside India. Log localisation, storage capacity planning, and log integrity protection all need to be addressed.

For regulated industries — banking, fintech, insurance, healthcare — CERT-In non-compliance compounds with sector-specific regulatory risks. RBI, SEBI, and IRDAI expect their regulated entities to comply with CERT-In directives, and non-compliance with CERT-In can trigger sector-specific enforcement actions.

What You Get

Every CERT-In Advisory Services engagement with Verentix delivers concrete, actionable outcomes:

Complete gap assessment against all CERT-In directive requirements
Incident response plan development with 6-hour reporting capability
Log retention architecture design for 180-day compliance within India
VPN logging and subscriber record compliance implementation
Point-of-contact registration and communication setup with CERT-In
Ongoing compliance monitoring and quarterly reviews

Our Approach

Gap Assessment (Week 1): We map your current security practices against every CERT-In requirement and identify specific gaps. This produces a clear compliance status report showing exactly where you stand.

Real Results for Indian Businesses

A fintech startup in Bengaluru achieved full CERT-In compliance in 5 weeks — from zero incident response capability to a tested, documented programme with real-time detection and 6-hour reporting capability.

An insurance company in Mumbai was referred to IRDAI for CERT-In non-compliance after a security incident. We fast-tracked their compliance implementation in 3 weeks and helped them demonstrate remediation to both CERT-In and IRDAI, avoiding further regulatory action.

A SaaS company serving government clients in Delhi needed CERT-In compliance as a prerequisite for a ₹4.5 crore contract. Our advisory service delivered full compliance — including log retention architecture on AWS within Indian regions — in 6 weeks, enabling them to secure the contract.

Frequently Asked Questions

Does CERT-In compliance apply to my business?
If you are a service provider, intermediary, data centre, body corporate, or government organisation with an internet presence in India — yes. The directives apply broadly. If you handle digital data from Indian users, you should assume the requirements apply to you.
What happens if we do not comply?
CERT-In can direct you to implement specific measures, block your IT resources, and refer non-compliance to sector regulators (RBI, SEBI, IRDAI) who have significant penalty powers. More practically, if you suffer a breach without compliance, the regulatory consequences are significantly more severe.
How long does it take to become compliant?
Typically 4-8 weeks depending on your current maturity level. Organisations with existing security programmes can achieve compliance faster. Startups building from scratch typically need 6-8 weeks.
Do you help with actual incident reporting?
Yes. If your organisation experiences a reportable incident, we can assist with incident classification, evidence collection, report preparation, and communication with CERT-In — all within the 6-hour window.

Ready to Get Started with CERT-In Advisory Services?

30-minute free consultation. No obligation. Honest assessment of whether this service is right for your business.