Cybersecurity Audit Checklist Template for Indian Businesses (Free 2026)
Cyberattacks on Indian businesses increased by 278% in 2024, with SMBs accounting for over 60% of all breaches. This free checklist covers 8 critical security domains — endpoint protection, network security, identity management, data loss prevention, application security, compliance, incident response, and vendor risk — customized for Indian regulatory requirements including CERT-In 2022 directives and DPDP Act 2023.
Domain 1: Endpoint Security Audit: Inventory all endpoints (laptops, desktops, mobile devices, IoT). Verify antivirus/EDR deployment coverage (100% target). Check patch management — all OS and applications within 30 days of release. Confirm disk encryption on all portable devices. Review removable media (USB) policy enforcement. Audit mobile device management (MDM) enrollment for BYOD devices. Recommended tools: Trend Micro Apex One, ESET Endpoint Security.
Domain 2: Network Security Audit: Review firewall rules — remove all "any to any" rules. Audit VPN usage and enforce MFA for all remote access. Check network segmentation (IT vs OT vs guest networks). Verify intrusion detection/prevention system (IDS/IPS) is active. Review DNS filtering for web category controls. Check SD-WAN security policies if applicable. Audit wireless network — WPA3 required, guest network isolated. Review log retention policy (90-day minimum per CERT-In directive).
Domain 3: Identity & Access Management (IAM) Audit: Audit user accounts — disable all accounts inactive for 90+ days. Review privileged access — apply least privilege principle. Verify MFA enforcement for all admin accounts and cloud services. Check password policy: minimum 12 characters, complexity enforced. Review service accounts and API keys — rotate every 90 days. Audit Active Directory or cloud directory (JumpCloud, Azure AD) for orphaned accounts. Verify offboarding process — access revoked within 24 hours of exit.
Domain 4: Data Protection & DLP Audit: Classify all data: Public, Internal, Confidential, Restricted. Verify data encryption at rest and in transit (TLS 1.2+). Audit backup frequency, testing, and offsite/cloud copies. Check Data Loss Prevention (DLP) policies for email, web, and endpoints. Review cloud storage access permissions (no public S3 buckets). Verify DPDP Act 2023 compliance: data collection consent, retention periods, deletion workflows.
Domain 5: CERT-In 2022 Compliance: ICT infrastructure reporting within 6 hours of incidents. Log retention for 180 days. Maintain accurate system clocks (NTP synchronization). VPN/cloud providers must share subscriber information on demand. ISO 27001: 114 controls mapped, 13 domains covered. Last internal audit date. Corrective action register updated. Industry-Specific: BFSI — RBI cybersecurity framework. Healthcare — patient data encryption per MoH guidelines.
Frequently Asked Questions
How often should Indian businesses conduct a cybersecurity audit?
Minimum once per year, with quarterly reviews of high-risk domains like access management and patch compliance. BFSI and healthcare sectors should conduct bi-annual audits to align with RBI and MoH regulatory expectations.
What is the CERT-In 2022 directive and who does it apply to?
The Indian Computer Emergency Response Team (CERT-In) issued a directive in April 2022 requiring all organizations to report cybersecurity incidents within 6 hours, maintain logs for 180 days, and synchronize ICT system clocks with NTP servers. It applies to all businesses operating in India.
Is VAPT mandatory for Indian businesses?
VAPT is mandatory for BFSI (per RBI guidelines), government systems, and organizations seeking ISO 27001 certification. For other industries it is strongly recommended annually.
Identify cybersecurity gaps in your organization. Book a free security assessment with itforsme.in solution experts.