ISO 27001 · CERT-In
CERT-In's Directions,
Mapped to Your ISMS
The April 2022 CERT-In directions bind virtually every organization operating in India — six-hour incident reporting, 180 days of logs kept in-country, clocks synced to Indian time sources. None of it requires ISO 27001; all of it becomes routine inside one. Here is the obligation-by-obligation mapping.
Also answered below: what “CERT-In empanelled” actually means — and why consultancies (ours included) should say “delivered with empanelled partners,” not claim the badge.
Maps the 70B(6) directions to ISO 27001:2022 · Auditor-led · Last reviewed July 2026
CERT-In's directions of 28 April 2022 impose operational duties — not certifications — on service providers, intermediaries, data centres, body corporates, and government organizations: report notified incidents within six hours, retain ICT logs for a rolling 180 days within India, synchronize clocks to NIC/NPL time sources, and designate a point of contact. Each duty lands on a specific Annex A control — A.8.17 exists precisely for clock synchronization — which is why an ISO 27001 program is the cheapest way to make CERT-In compliance boring. The mapping below is the working table we use in engagements; the FAQs cover the empanelment question everyone asks and the reach of the directions for foreign providers.
The Crosswalk
Direction by Direction → Control by Control
| CERT-In duty | Detail | ISO 27001:2022 home |
|---|---|---|
| Report notified cyber incidents to CERT-In within 6 hours of noticing | The list of reportable incident types is set out in the directions' annexure — from targeted intrusions and ransomware to defacements and data breaches. | A.5.24–A.5.26 (incident planning, assessment, response) + A.6.8 (event reporting) — with the 6-hour clock, an on-call owner, and pre-drafted formats rehearsed |
| Retain ICT system logs for a rolling 180 days, within India | Logs must be maintained and furnished to CERT-In when ordered. | A.8.15 (logging) + A.8.16 (monitoring) — with retention architecture and jurisdiction designed in, not bolted on |
| Synchronize system clocks to NIC/NPL NTP servers | Entities must sync to the prescribed Indian time sources (or traceable equivalents for global infrastructure). | A.8.17 (clock synchronization) — the single most literal mapping in the whole crosswalk |
| Designate a point of contact for CERT-In | A named PoC to receive directions and coordinate. | A.5.2 (roles) + A.5.5 (contact with authorities) |
| Service-provider duties: validated customer records retained 5 years (VPS/VPN/cloud/data-centre providers) | KYC-style subscriber records and usage history. | A.5.31 (legal & regulatory requirements) + A.5.33 (records protection) — sector-specific, sits alongside the ISMS |
Indicative mapping. The directions bind independently of any standard; refer to CERT-In's published directions and FAQs for authoritative scope.
CERT-In × ISO 27001 — Common Questions
The clocks, the logs, and what empanelment means.
Does CERT-In require ISO 27001 certification?
No. CERT-In's directions of 28 April 2022 (issued under section 70B(6) of the IT Act, effective from late June 2022) impose operational obligations — 6-hour incident reporting, 180-day log retention, NTP synchronization, a point of contact, and record-keeping duties for certain service providers — but do not mandate any certification. ISO 27001 is the management system most organizations use to make those obligations routine and evidenced rather than heroic; the directions bind you either way.
What must be reported to CERT-In within 6 hours?
The directions' annexure lists the reportable incident types — including targeted scanning/probing of critical systems, compromise of critical systems, unauthorized access, defacement, malware and ransomware attacks, identity theft and phishing, DDoS, attacks on servers and network appliances, and data breaches and leaks. The clock runs from noticing the incident. Inside an ISMS, that means detection-to-classification-to-notification procedures (A.5.24–A.5.26) drilled against six hours, with the reporting formats pre-staged.
How do the 180-day log requirements interact with ISO 27001 logging controls?
A.8.15 (logging) and A.8.16 (monitoring) give you the control framework; the directions add three specifics the ISMS must encode: a rolling 180-day retention floor across ICT systems, storage within Indian jurisdiction, and the ability to furnish logs to CERT-In on order. Design log architecture against all three once — retrofitting jurisdiction is the expensive version.
What does "CERT-In empanelled" mean — and is TCSA empanelled?
CERT-In empanels information security auditing organizations that qualify through its assessment process; regulators like SEBI and IRDAI then require audits to be performed by these empanelled firms. TCSA is a compliance consultancy, not itself a CERT-In empanelled auditor — security testing in our engagements is delivered with CERT-In empanelled partners, and we prepare clients for empanelled-firm audits. Any vendor claiming empanelment should appear on CERT-In's published list — verify there.
Do the directions apply to foreign companies serving Indian users?
The directions apply to service providers, intermediaries, data centres, body corporates, and government organizations in the matter of cyber incidents — and CERT-In's FAQs extend expectations to entities serving users in India, which is why global SaaS and infrastructure providers stood up India-specific logging and reporting flows. If India is a market, treat the 6-hour and 180-day duties as applying to your India-relevant systems and get counsel's view on your specific footprint.
Related: the India regulatory map, RBI mapping, SEBI CSCRF, IRDAI 2026, and testing with CERT-In empanelled partners.
Written By Expert Auditors
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours