Pillar guide · 18 min

Indian Cybersecurity Compliance — The Practitioner's Guide (2026)

Three regulatory regimes now apply to almost every mid-market Indian business: CERT-In (6-hour incident reporting since 2022), the DPDP Act 2023 (the new personal data law), and — for anyone selling to enterprises, regulated industries, or international customers — ISO 27001. None of them is a check-the-box exercise. This guide is the practical playbook we use with our own clients: what each rule actually demands, what tooling you need, and what the audit will check.

Last updated: 2026-05-01

The three regimes — what each one actually requires

CERT-In (Cyber-Security Incident Reporting Rules, 2022): any reportable incident must be reported to CERT-In within 6 hours of becoming aware of it. "Reportable" is broad: ransomware, unauthorised access, data leak, account compromise, malware in critical systems.

DPDP Act 2023: Indian personal-data law. Consent, purpose limitation, data principal rights, breach notification, Data Protection Officer appointment (for significant data fiduciaries), and meaningful penalties (up to ₹250 crore).

ISO 27001:2022: international information-security management standard. Required by most BFSI / government / international enterprise contracts in India. Annex A has 93 controls in 4 themes.

CERT-In 6-hour reporting runbook

Step 1 (0–30 min): Confirm the incident. Isolate affected systems but preserve forensic state — DO NOT wipe.

Step 2 (30–90 min): Activate incident response. Document timeline, IOCs, scope. Engage your VAPT / SOC partner.

Step 3 (90–240 min): Submit initial report via the CERT-In portal (incident.cert-in.org.in). The form takes ~90 minutes to fill correctly the first time.

Step 4 (4–6 hr): Containment. Block the attack vector, rotate credentials, enable additional logging.

Step 5 (24–72 hr): Final report with full timeline, IOCs, remediation plan. Notify affected customers (DPDP requirement separately).

DPDP Act — 90-day compliance plan

Days 1–30 (Discover): Data inventory. Map every place you store personal data — HR system, CRM, marketing tool, vendor portals. Classify by sensitivity (regular vs. sensitive).

Days 31–60 (Document): Consent flows, retention schedule, privacy notice, DPA templates with vendors, breach response plan, internal training.

Days 61–90 (Deploy): Tech controls. Encryption at rest, access logging, MFA on all admin consoles, DPO designation, complaint redressal mechanism live on website.

Most Indian SMBs underestimate Days 31–60. Documentation is what an audit checks first.

ISO 27001 readiness — 6-month sprint

Month 1: Gap assessment against 93 Annex A controls. Score each: compliant, partial, gap.

Month 2: Risk treatment plan. Document mitigations for each gap. Most common gaps: HR security (joiners-leavers), supplier security, physical access controls, cryptographic key management.

Month 3: ISMS documentation. Information Security Policy, Statement of Applicability (SoA), Risk Register.

Month 4: Internal audit. Engage an independent auditor (we work with CERT-In empanelled VAPT firms).

Month 5: Management review + corrective actions.

Month 6: Stage 1 + Stage 2 external audit. Certification issued.

Total cost: ₹4–8 lakh for the 6-month sprint depending on scope.

The cybersecurity tool stack we recommend

Email security: Microsoft Defender (M365) or Sophos PhishThreat for phishing simulation.

Endpoint: Sophos Intercept X or Trend Micro Apex One with EDR. Replace standalone antivirus.

MDR: 24×7 monitoring — Sophos MDR, Indusface MDR, or your SOC partner.

Identity: Microsoft Entra ID / Zoho Directory + MFA enforced everywhere.

Backup: Druva cloud backup with 30-day retention and immutable storage.

VAPT (annual): Indusface Web Application Penetration Test + Network VAPT.

Security awareness training: Quarterly phishing simulation + 30-min training module.

What this actually costs (INR, mid-2026)

Endpoint EDR: ₹240 / seat / month

MDR (managed detection): ₹480 / seat / month

DPDP readiness sprint (90 days): ₹2–5 lakh fixed-fee

ISO 27001 readiness sprint (6 months): ₹4–8 lakh

Annual VAPT: ₹1.5–3 lakh per scope

Phishing simulation: ₹150–250 / user / year

Rule of thumb: a "well-secured" 100-employee Indian SMB spends ₹8–15 lakh / year on cybersecurity in 2026. Less than that and you have gaps; more usually means duplication.

FAQs

Is CERT-In reporting mandatory for SMBs too?

Yes. The 2022 rules apply to all "body corporates" — there is no SMB exemption. Even a 20-employee company that suffers a ransomware incident must report within 6 hours.

Do we need a Data Protection Officer (DPO) under DPDP?

A DPO is mandatory only for "Significant Data Fiduciaries" — large or high-risk processors notified by the government. For most SMBs, designating a senior person as the data-protection lead with documented responsibilities is sufficient. Talk to your legal counsel.

Can we get ISO 27001 in less than 6 months?

Technically yes, but rushed audits frequently produce non-conformities that cost more to fix afterwards. We recommend 6 months for a clean Stage 2 pass.

Will cyber-insurance cover ransomware payouts in India?

Most Indian cyber-insurance policies in 2026 cover incident response and forensics, but ransomware payout is increasingly excluded or limited. RBI and the Indian government discourage paying ransoms. Plan for restore-from-backup, not pay.