Cybersecurity Audit Checklist for Indian Businesses — 30 Points Every Company Should Verify

When was the last time someone checked whether your cybersecurity controls actually work? Not whether you have a security policy on paper, but whether your firewalls are configured correctly, your backups actually restore, your employees can spot a phishing email, and your incident response plan has been tested.

A cybersecurity audit answers these questions systematically. It examines your technical controls, policies, processes, and compliance posture to identify gaps before attackers do. For Indian businesses navigating the DPDP Act, CERT-In requirements, and industry-specific regulations, regular cybersecurity audits are no longer optional — they are a business necessity.

This checklist covers 30 critical audit points organized across six domains. Use it as a self-assessment tool or as a framework for engaging a professional audit firm.

Domain 1: Governance and Policy (Points 1–5)

1. Cybersecurity Policy — Documented and Board-Approved

Do you have a formal cybersecurity policy that has been reviewed and approved by senior management or the Board within the last 12 months? The policy should cover acceptable use, data classification, incident response, access control, and vendor management. For RBI and SEBI-regulated entities, Board-level approval is mandatory.

Audit check: Policy exists, dated within 12 months, signed by authorized authority, distributed to all employees.

2. Roles and Responsibilities — CISO or Equivalent Designated

Is there a designated person responsible for cybersecurity? For larger organizations, this should be a CISO reporting to the Board. For SMBs, a Virtual CISO or a designated IT manager with security responsibilities is acceptable. The key is accountability — someone must own cybersecurity.

Audit check: Named individual with documented cybersecurity responsibilities, regular reporting to management.

3. Risk Assessment — Conducted Within Last 12 Months

Has a formal cybersecurity risk assessment been conducted? This should identify critical assets, threats, vulnerabilities, and the potential business impact of security incidents. Risk assessments should be updated annually and after significant changes to systems or business operations.

Audit check: Risk assessment document exists, dated within 12 months, covers all critical systems and data.

4. Compliance Mapping — Applicable Regulations Identified

Have you identified all cybersecurity and data protection regulations applicable to your business? This includes CERT-In Directions (mandatory for all), DPDP Act 2023, and industry-specific frameworks from RBI, SEBI, or IRDAI.

Audit check: Compliance matrix documenting all applicable regulations, current compliance status, and gap remediation plan.

5. Security Awareness Program — Regular Training Conducted

Are all employees receiving cybersecurity awareness training? Training should cover phishing recognition, password security, data handling, physical security, and incident reporting. It should be conducted at onboarding and refreshed at least annually, with simulated phishing exercises quarterly.

Audit check: Training records for all employees, phishing simulation results, training completion rates above 90%.

Domain 2: Access Control and Identity Management (Points 6–10)

6. Multi-Factor Authentication (MFA) — Enforced on All Critical Systems

Is MFA enabled on email, VPN, cloud applications, administrative consoles, and financial systems? SMS-based OTP is acceptable, but authenticator apps or hardware tokens are preferred. MFA is the single most effective control against credential-based attacks.

Audit check: MFA configuration verified on all critical systems, no exceptions without documented risk acceptance.

7. Privileged Access Management — Admin Accounts Controlled

Are administrative and privileged accounts inventoried, minimized, and monitored? No one should use admin accounts for daily work. Privileged access should require additional approval, be time-limited where possible, and generate alerts for unusual activity.

Audit check: Inventory of all admin accounts, justification for each, evidence of monitoring, separation of admin and user accounts.

8. Password Policy — Strong and Enforced

Is a strong password policy enforced technically, not just documented? At minimum: 12 characters, complexity requirements, and no password reuse. Better yet — implement a password manager organization-wide and use passkeys or hardware tokens where supported.

Audit check: Technical enforcement of password policy (Active Directory GPO, cloud identity provider settings), password manager deployment records.

9. Access Reviews — Conducted Quarterly

Are user access rights reviewed regularly? When employees change roles, their previous access should be revoked. When employees leave, all access should be terminated immediately. Access creep — accumulating permissions over time without revoking old ones — is a common audit finding.

Audit check: Evidence of quarterly access reviews, offboarding checklist with access revocation steps, no orphaned accounts.
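The review in Points 7 and 9 is easy to automate once you have an HR roster and an identity-provider export side by side. The script below is an added example, not code from the checklist or from MDIT: it flags orphaned accounts (no active owner), privileged groups sitting on a daily-use account, access creep (groups the current role does not justify) and stale logins. The roster, the accounts, the role-to-group entitlement matrix and the 90-day stale threshold are all constructed assumptions.

```python
"""Access review helper for audit points 7 and 9: flags orphaned accounts, privileged
groups on daily-use accounts, access creep and stale logins.
Added example, not part of the original checklist; all names, roster entries and the
entitlement matrix below are constructed for illustration."""
from datetime import date

STALE_DAYS = 90                       # assumed threshold for "no recent login"
PRIVILEGED_GROUPS = {"domain-admins", "sysadmins", "backup-operators"}

# Assumed role-to-group entitlement matrix: what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"finance-users"},
    "developer": {"dev-users"},
    "sales": {"sales-users"},
}

# Constructed HR roster.
HR_ROSTER = {
    "asha":  {"active": True,  "role": "finance"},    # moved from HR to finance
    "ravi":  {"active": True,  "role": "developer"},  # moved from sysadmin to developer
    "meera": {"active": False, "role": "sales"},      # left the company
}

# Constructed identity-provider export.
ACCOUNTS = [
    {"account": "asha",       "owner": "asha",  "groups": {"finance-users", "hr-users"}, "last_login": date(2024, 6, 3)},
    {"account": "ravi",       "owner": "ravi",  "groups": {"dev-users", "sysadmins"},    "last_login": date(2024, 6, 4)},
    {"account": "ravi-adm",   "owner": "ravi",  "groups": {"domain-admins"},             "last_login": date(2024, 6, 4)},
    {"account": "meera",      "owner": "meera", "groups": {"sales-users"},               "last_login": date(2024, 1, 9)},
    {"account": "svc-backup", "owner": None,    "groups": {"backup-operators"},          "last_login": date(2024, 6, 1)},
]


def review_access(roster, accounts, today):
    """Return {account: [finding, ...]} for every account with at least one issue."""
    findings = {}

    def flag(name, msg):
        findings.setdefault(name, []).append(msg)

    for acct in accounts:
        name, owner = acct["account"], acct["owner"]
        person = roster.get(owner) if owner else None
        if person is None:
            flag(name, "no named owner in HR roster (orphaned)")
        elif not person["active"]:
            flag(name, "owner has left; account must be disabled (orphaned)")
        else:
            # Point 7: admin groups must not sit on the account used for daily work
            # (assumed convention: the daily-use account name equals the owner name).
            daily_use = name == owner
            for grp in sorted(acct["groups"] & PRIVILEGED_GROUPS):
                if daily_use:
                    flag(name, f"privileged group '{grp}' on daily-use account")
            # Point 9: access creep, i.e. groups the current role does not justify
            excess = acct["groups"] - ROLE_ENTITLEMENTS.get(person["role"], set()) - PRIVILEGED_GROUPS
            for grp in sorted(excess):
                flag(name, f"access creep: '{grp}' not justified by role '{person['role']}'")
        idle = (today - acct["last_login"]).days
        if idle > STALE_DAYS:
            flag(name, f"stale: no login for {idle} days")
    return findings


if __name__ == "__main__":
    for account, issues in review_access(HR_ROSTER, ACCOUNTS, date(2024, 6, 10)).items():
        for issue in issues:
            print(f"{account}: {issue}")
```

Run against the constructed data, the report names the leaver's account, the ownerless service account, the admin group on Ravi's daily account and Asha's leftover HR group; Ravi's separate `ravi-adm` account produces no finding, which is the separation Point 7 asks for. The output of a real run is the evidence artefact for the quarterly review.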

10. Remote Access — Secured with VPN and MFA

Is all remote access to corporate resources secured through a VPN or Zero Trust solution with MFA? No direct RDP exposure to the internet. Remote desktop, SSH, and administrative consoles should never be accessible directly from the internet without VPN protection.

Audit check: No internet-exposed RDP/SSH (verified by external scan), VPN configuration review, MFA on VPN.

Domain 3: Network and Infrastructure Security (Points 11–16)

11. Firewall Configuration — Rules Reviewed and Hardened

Are firewall rules reviewed at least annually? Rules should follow deny-by-default — only explicitly required traffic is allowed. Common finding: accumulated “temporary” rules that were never removed, allowing unnecessary access paths.

Audit check: Firewall rule review documentation, no rules allowing “any-any” access, unused rules identified and removed.
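The three findings named in Points 10 and 11 (internet-exposed RDP/SSH, any-any rules, forgotten temporary rules) can be checked mechanically against a rule export. The following is an added example, not code from the checklist or from any firewall vendor: it walks a constructed rule table and reports each allow rule that matches one of those patterns. The rule format, the `expires` field and the convention that a rule with "temp" in its comment is temporary are assumptions; public-vs-private source classification uses Python's `ipaddress.is_private`.

```python
"""Firewall rule review for audit points 10 and 11: flags any-any rules, management
services (RDP/SSH) reachable from the internet, and expired or open-ended "temporary"
rules. Added example, not part of the original checklist; the rule format and the
rules themselves are constructed and do not correspond to any vendor's export."""
from datetime import date
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}   # services that must never be internet-exposed

# Constructed rule export. 'expires' is an assumed field recorded for temporary rules.
RULES = [
    {"id": 10,  "action": "allow", "src": "0.0.0.0/0",       "dst": "203.0.113.10/32", "port": 443,   "expires": None,              "comment": "public web"},
    {"id": 20,  "action": "allow", "src": "0.0.0.0/0",       "dst": "203.0.113.20/32", "port": 3389,  "expires": None,              "comment": "vendor remote support"},
    {"id": 30,  "action": "allow", "src": "10.10.0.0/16",    "dst": "10.20.0.5/32",    "port": 22,    "expires": None,              "comment": "admin jump host"},
    {"id": 40,  "action": "allow", "src": "any",             "dst": "any",             "port": "any", "expires": None,              "comment": "TEMP troubleshooting"},
    {"id": 50,  "action": "allow", "src": "198.51.100.0/24", "dst": "10.30.0.0/24",    "port": 8443,  "expires": date(2023, 12, 31), "comment": "temporary migration"},
    {"id": 999, "action": "deny",  "src": "any",             "dst": "any",             "port": "any", "expires": None,              "comment": "default deny"},
]


def is_any(value):
    return value in ("any", "0.0.0.0/0", "::/0")


def from_internet(src):
    """True when the source covers public address space (assumed: 'any' or a non-private prefix)."""
    if is_any(src):
        return True
    return not ipaddress.ip_network(src, strict=False).is_private


def review_rules(rules, today):
    """Return a list of (rule id, finding) for every allow rule that fails a check."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue   # deny rules, including the final default deny, are what we want
        if is_any(r["src"]) and is_any(r["dst"]) and is_any(r["port"]):
            findings.append((r["id"], "any-any allow rule"))
        if r["port"] in MGMT_PORTS and from_internet(r["src"]):
            findings.append((r["id"], f"{MGMT_PORTS[r['port']]} reachable from the internet"))
        if r["expires"] is not None and r["expires"] < today:
            findings.append((r["id"], f"temporary rule expired on {r['expires']}"))
        elif r["expires"] is None and "temp" in r["comment"].lower():
            findings.append((r["id"], "labelled temporary but has no expiry date"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, date(2024, 6, 10)):
        print(f"rule {rule_id}: {finding}")
```

On the constructed table the report lists rule 20 (RDP open to the world, the Point 10 failure), rule 40 (any-any and never given an expiry) and rule 50 (a migration rule six months past its date); rule 30 passes because SSH is reachable only from an internal prefix, and the default deny is ignored. The external scan Point 10 asks for remains necessary: this review only confirms what the rule base says, not what is actually reachable.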

12. Network Segmentation — Critical Systems Isolated

Are critical systems (databases, financial systems, customer data) on separate network segments from general user networks and guest WiFi? A flat network allows lateral movement — an attacker compromising one system can easily reach everything else.

Audit check: Network diagram showing segmentation, firewall rules between segments, verified isolation of critical systems.

13. Wireless Security — WPA3 or WPA2-Enterprise

Is your WiFi network secured with WPA2-Enterprise (RADIUS authentication) or WPA3? Guest WiFi should be completely isolated from the corporate network. No open or WEP-encrypted networks. WiFi access points should be inventoried and rogue access points detected.

Audit check: WiFi configuration review, guest network isolation verified, rogue AP detection in place.

14. Patch Management — Critical Patches Applied Within 72 Hours

Is there a documented patch management process? Critical security patches should be applied within 72 hours for internet-facing systems and within 30 days for internal systems. Automated patching should be enabled for operating systems and standard applications.

Audit check: Patch management policy, evidence of timely patching (scan results showing no critical unpatched vulnerabilities), exception documentation for systems that cannot be patched immediately.
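Point 14 sets two clocks, 72 hours for internet-facing systems and 30 days for internal ones, and the audit evidence is whether each critical finding was closed before its clock ran out. The script below is an added example, not the checklist's or MDIT's code: it joins a constructed scanner export with a constructed asset inventory and classifies every critical finding as fixed within SLA, fixed late, still open but within SLA, in breach, or covered by a documented exception. Field names and the data are assumptions.

```python
"""Patch SLA check for audit point 14: compares each critical finding's age with the
72-hour (internet-facing) and 30-day (internal) targets from the checklist.
Added example, not part of the original checklist; the scanner export and the asset
inventory are constructed, and the field names are assumptions."""
from datetime import datetime, timedelta

SLA = {"internet-facing": timedelta(hours=72), "internal": timedelta(days=30)}

# Constructed asset inventory: exposure class per host.
ASSETS = {
    "web-01":  "internet-facing",
    "vpn-01":  "internet-facing",
    "db-01":   "internal",
    "file-01": "internal",
}

# Constructed scanner export: when the vendor patch became available and when (if) it was applied.
FINDINGS = [
    {"host": "web-01",  "severity": "critical", "patch_available": datetime(2024, 6, 1, 9, 0),  "fixed": datetime(2024, 6, 2, 15, 0)},
    {"host": "vpn-01",  "severity": "critical", "patch_available": datetime(2024, 6, 3, 9, 0),  "fixed": None},
    {"host": "db-01",   "severity": "critical", "patch_available": datetime(2024, 5, 1, 9, 0),  "fixed": None},
    {"host": "file-01", "severity": "high",     "patch_available": datetime(2024, 5, 20, 9, 0), "fixed": None},
    {"host": "file-01", "severity": "critical", "patch_available": datetime(2024, 6, 5, 9, 0),  "fixed": None,
     "exception": "legacy ERP host, vendor patch pending, risk accepted by CISO"},
]


def patch_sla_report(findings, assets, now):
    """Classify each critical finding against its SLA; returns a list of dicts."""
    report = []
    for f in findings:
        if f["severity"] != "critical":
            continue                      # the checklist's 72h/30d targets apply to critical patches
        exposure = assets[f["host"]]
        deadline = f["patch_available"] + SLA[exposure]
        if f.get("exception"):
            status = "exception"          # acceptable only with documented risk acceptance
        elif f["fixed"] is not None:
            status = "fixed-in-sla" if f["fixed"] <= deadline else "fixed-late"
        elif now <= deadline:
            status = "open-in-sla"
        else:
            status = "breach"
        # Hours past the deadline, measured at fix time for closed findings and at 'now' for open ones.
        overdue_h = max(0, int(((f["fixed"] or now) - deadline).total_seconds() // 3600))
        report.append({"host": f["host"], "exposure": exposure, "status": status, "overdue_hours": overdue_h})
    return report


if __name__ == "__main__":
    for row in patch_sla_report(FINDINGS, ASSETS, datetime(2024, 6, 10, 9, 0)):
        print(f"{row['host']:8} {row['exposure']:16} {row['status']:13} overdue {row['overdue_hours']}h")
```

With the clock set to 10 June 2024 the VPN concentrator is 96 hours past its 72-hour deadline and the database is 240 hours past its 30-day one, while the web server was patched in time and the ERP host carries a documented exception. Counting the exception as compliant only because it is documented is exactly the exception-documentation requirement in the audit check; an undocumented one would show up as a breach.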

15. Endpoint Protection — EDR Deployed on All Endpoints

Are all laptops, desktops, and servers running Endpoint Detection and Response (EDR) software? Traditional antivirus is insufficient against modern threats. EDR provides behavioral analysis, automated response, and forensic capability.

Audit check: EDR deployment coverage report (should be 100%), EDR configuration review, alert monitoring process.

16. DNS and Web Filtering — Malicious Sites Blocked

Is DNS filtering or web proxy filtering in place to block access to known malicious domains, phishing sites, and inappropriate content categories? This is a simple, high-impact control that blocks many threat vectors at the network level.

Audit check: DNS filtering or web proxy configuration, category blocking policies, logging enabled.

Domain 4: Data Protection (Points 17–22)

17. Data Classification — Policy Defined and Implemented

Is data classified by sensitivity level (public, internal, confidential, restricted)? Do employees know how to handle each classification? Data classification is the foundation of DPDP Act compliance — you cannot protect data appropriately if you do not know what data you have and how sensitive it is.

Audit check: Data classification policy, evidence of classification applied to systems and data stores, employee awareness of classification levels.

18. Encryption — At Rest and In Transit

Is sensitive data encrypted at rest (AES-256 for databases, file storage, backup media) and in transit (TLS 1.2+ for all web communications, encrypted email for sensitive content)? Encryption is a technical control that mitigates the impact of both external breaches and insider access.

Audit check: TLS configuration on all web services (no TLS 1.0/1.1), database encryption settings, backup encryption verification, email encryption for sensitive communications.
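The "no TLS 1.0/1.1" part of the Point 18 audit check is a configuration review before it is a scan. The following is an added example, not code from the checklist or from the nginx project: it reads nginx-style `server` blocks from a constructed configuration, reports any that still list SSLv3/TLS 1.0/TLS 1.1 in `ssl_protocols`, and also reports blocks that do not set the directive at all, because those silently inherit whatever the installed nginx build defaults to. The parser handles only the `server_name` and `ssl_protocols` directives and is itself an assumption about the config layout.

```python
"""TLS protocol audit for point 18: reads nginx-style server blocks and flags any
that still allow TLS 1.0/1.1 (or SSL) or do not set ssl_protocols explicitly.
Added example, not part of the original checklist; the configuration text below is
constructed, and the parser handles only the ssl_protocols/server_name directives."""
import re

WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
HARDENED = "ssl_protocols TLSv1.2 TLSv1.3;"   # the corrected directive

# Constructed nginx configuration: one weak, one hardened and one unset server block.
CONFIG = """
server {
    listen 443 ssl;
    server_name legacy.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 443 ssl;
    server_name intranet.example.com;
}
"""


def server_blocks(text):
    """Yield the body of each top-level server { ... } block using a brace-depth scan,
    so nested location { } blocks do not end the server block early."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, j = 0, m.end() - 1
        while j < len(text):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield text[m.end():j]


def audit_tls(config_text):
    """Return {server_name: {"protocols": [...], "weak": [...], "explicit": bool}}."""
    results = {}
    for body in server_blocks(config_text):
        name_m = re.search(r"server_name\s+([^;]+);", body)
        proto_m = re.search(r"ssl_protocols\s+([^;]+);", body)
        name = name_m.group(1).strip() if name_m else "<no server_name>"
        protocols = proto_m.group(1).split() if proto_m else []
        results[name] = {
            "protocols": protocols,
            "weak": [p for p in protocols if p in WEAK_PROTOCOLS],
            "explicit": proto_m is not None,   # unset means the nginx build's default applies
        }
    return results


def compliant(entry):
    """Point 18 passes only when the protocol list is explicit and contains nothing weak."""
    return entry["explicit"] and not entry["weak"]


if __name__ == "__main__":
    for name, entry in audit_tls(CONFIG).items():
        verdict = "OK" if compliant(entry) else f"FAIL (weak={entry['weak']}, explicit={entry['explicit']})"
        print(f"{name}: {verdict}")
    print("remediation:", HARDENED)
```

The legacy host fails on TLS 1.0 and 1.1, the public site passes, and the intranet host is flagged not because it is known to be weak but because nobody can tell from the config what it negotiates. Pair the config review with an external handshake test of each listener so the audit evidence records observed behaviour as well as intended configuration.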

19. Backup and Recovery — 3-2-1 Rule Implemented and Tested

Do you maintain three copies of critical data, on two different media types, with one copy offsite or in the cloud? More critically — have you tested restoring from backups within the last 90 days? Untested backups provide false confidence.

Audit check: Backup configuration documentation, backup success/failure logs, restoration test records (within last 90 days), recovery time verified against business requirements.

20. DPDP Act Readiness — Consent, Rights, and Breach Notification

Are you compliant with the DPDP Act 2023? This includes lawful consent collection, data minimization, purpose limitation, data subject rights (access, correction, erasure), and breach notification procedures.

Audit check: Consent management implementation, privacy notice on all data collection points, data subject request handling process, breach notification procedure documented.

21. Data Loss Prevention — Controls Against Unauthorized Data Transfer

Are there controls preventing unauthorized transfer of sensitive data outside the organization? This includes email DLP (blocking sensitive data patterns in outbound emails), USB device restrictions, cloud storage controls, and screen capture restrictions for sensitive applications.

Audit check: DLP policy configuration, USB restriction settings, cloud sharing controls, incident reports from DLP tools.

22. Data Retention and Disposal — Defined Schedules

Do you have a data retention policy that defines how long different types of data are kept and how they are securely disposed of? Keeping data longer than necessary increases both breach risk and compliance exposure. CERT-In requires 180-day log retention — but many organizations retain other data indefinitely without justification.

Audit check: Data retention schedule, evidence of secure disposal (certificate of destruction for hardware, secure deletion logs for digital data), retention aligned with regulatory requirements.

Domain 5: Security Monitoring and Incident Response (Points 23–27)

23. Log Collection and Monitoring — Centralized and Reviewed

Are security-relevant logs collected centrally and reviewed? This includes firewall logs, authentication logs, application logs, endpoint detection alerts, and email security logs. CERT-In requires 180-day log retention within Indian jurisdiction.

Audit check: Centralized log management system, 180-day retention verified, log review process documented, alert rules configured for security events.
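Two of the time-bound audit checks, the 90-day restore test in Point 19 and the 180-day log retention in Point 23, share the same shape: compare dated evidence against a window ending today. The script below is an added example serving both points, not code from the checklist or from MDIT. It reads a constructed restore-test register and a constructed per-day index of archived log files, reports which systems lack a successful restore within 90 days, and lists every day missing from each log source's 180-day window (a source that is retained but has a gap fails too). The registers, the source names and the day-index format are assumptions.

```python
"""Evidence check for audit points 19 and 23: verifies that the most recent successful
restore test per system is within 90 days and that centralized logs cover the CERT-In
180-day window without gaps. Added example, not part of the original checklist; the
restore-test register and the per-day log index below are constructed."""
from datetime import date, timedelta

RESTORE_TEST_MAX_AGE = 90   # days, from Point 19
LOG_RETENTION_DAYS = 180    # days, from Point 23


def days_present(start, end, missing=()):
    """Constructed helper: every day from start to end inclusive, minus any gaps."""
    return {start + timedelta(n) for n in range((end - start).days + 1)} - set(missing)


# Constructed restore-test register: (date, system, result).
RESTORE_TESTS = [
    (date(2024, 1, 15), "file-server", "success"),
    (date(2024, 4, 2),  "erp-db",      "success"),
    (date(2024, 5, 20), "mail",        "failed"),
]

# Constructed index of which days have at least one archived log file per source.
LOG_INDEX = {
    "firewall": days_present(date(2023, 12, 1), date(2024, 6, 10)),
    "auth":     days_present(date(2024, 2, 1),  date(2024, 6, 10)),   # only ~130 days kept
    "edr":      days_present(date(2023, 12, 1), date(2024, 6, 10),
                             missing=[date(2024, 3, 3), date(2024, 3, 4)]),   # collector outage
}


def restore_test_status(tests, today):
    """Per system: True if a *successful* restore test is within RESTORE_TEST_MAX_AGE days."""
    systems = {system for _, system, _ in tests}
    latest_ok = {}
    for d, system, result in tests:
        if result == "success" and (system not in latest_ok or d > latest_ok[system]):
            latest_ok[system] = d
    return {s: s in latest_ok and (today - latest_ok[s]).days <= RESTORE_TEST_MAX_AGE
            for s in sorted(systems)}


def retention_status(log_index, today):
    """Per source: (covers the full window, sorted list of missing days in the window)."""
    window_start = today - timedelta(days=LOG_RETENTION_DAYS - 1)   # window includes today
    required = {window_start + timedelta(n) for n in range(LOG_RETENTION_DAYS)}
    out = {}
    for source, days in log_index.items():
        missing = sorted(required - days)
        out[source] = (len(missing) == 0, missing)
    return out


if __name__ == "__main__":
    today = date(2024, 6, 10)
    for system, ok in restore_test_status(RESTORE_TESTS, today).items():
        print(f"restore test {system}: {'OK' if ok else 'FAIL'}")
    for source, (ok, missing) in retention_status(LOG_INDEX, today).items():
        print(f"log retention {source}: {'OK' if ok else f'FAIL, {len(missing)} day(s) missing'}")
```

A failed restore test counts for nothing, so the mail system fails despite having been tested recently; the file server fails on age. On the log side the firewall source passes, the auth source is 49 days short of the 180-day window, and the EDR source is caught by a two-day collector outage that a simple "oldest file is old enough" check would miss.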

24. Security Monitoring — SOC or Managed Detection

Is there continuous (24/7) security monitoring? This can be an in-house SOC, a managed SOC (SOC-as-a-Service), or at minimum, automated alerting with defined escalation procedures. Collecting logs without monitoring them provides no security value.

Audit check: SOC service agreement or in-house SOC documentation, monitoring coverage hours, alert handling procedures, sample incident investigation records.

25. Incident Response Plan — Documented and Tested

Is there a documented incident response plan that has been tested through tabletop exercises within the last 12 months? The plan should cover detection, containment, eradication, recovery, and post-incident activities, with specific procedures for common incident types.

Audit check: IR plan document (dated within 12 months), tabletop exercise records, CERT-In reporting procedure included, escalation matrix with current contact information.

26. CERT-In Reporting Readiness — 6-Hour Capability

Can your organization detect, assess, and report a cybersecurity incident to CERT-In within 6 hours? This requires detection capability (monitoring), assessment capability (skilled personnel), and reporting procedures (CERT-In incident report format, designated point of contact).

Audit check: CERT-In POC designated and registered, incident reporting procedure documented, incident reporting template ready, detection-to-reporting timeline tested.

27. Business Continuity Plan — Cyber Scenario Included

Does your business continuity plan include cybersecurity scenarios — ransomware, major data breach, sustained DDoS attack? Many BCPs cover natural disasters and power failures but not cyber incidents, which are now the most likely cause of business disruption.

Audit check: BCP document with cyber scenarios, recovery time objectives defined for critical systems, BCP tested within last 12 months.

Domain 6: Vulnerability Management and Testing (Points 28–30)

28. Vulnerability Scanning — Monthly Automated Scans

Are automated vulnerability scans conducted at least monthly for all internet-facing systems and quarterly for internal systems? Scans should cover network infrastructure, web applications, and endpoints. Critical vulnerabilities should trigger immediate remediation.

Audit check: Vulnerability scanning tool in place, scan schedules and results, remediation tracking for identified vulnerabilities, trending data showing improvement.

29. Penetration Testing — Annual by CERT-In Empanelled Firm

Has a comprehensive penetration test been conducted within the last 12 months by a CERT-In empanelled cybersecurity firm? The test should cover web applications, network infrastructure, mobile applications (if applicable), and APIs. For RBI and SEBI regulated entities, CERT-In empanelment is mandatory for the testing firm.

Audit check: Pentest report from CERT-In empanelled firm (dated within 12 months), remediation status of findings, retest results confirming fixes, scope covering all critical assets.

30. Secure Development Practices — SDLC Security Integrated

If your organization develops software (web applications, mobile apps, APIs), are security practices integrated into the development lifecycle? This includes threat modeling, secure coding guidelines, code review, SAST/DAST in CI/CD pipelines, and pre-deployment security testing.

Audit check: Secure SDLC documentation, SAST/DAST tools integrated in CI/CD, developer security training records, security review sign-off before production deployment.

How to Use This Checklist

Self-Assessment

Score each point: Fully Implemented (2 points), Partially Implemented (1 point), Not Implemented (0 points). Maximum score: 60.

  • 50–60: Strong security posture — focus on continuous improvement
  • 35–49: Moderate — address gaps in critical areas first
  • 20–34: Significant gaps — prioritize foundational controls immediately
  • Below 20: Critical risk — engage a cybersecurity firm for a professional assessment urgently

Professional Audit

For a comprehensive assessment, engage a CERT-In empanelled cybersecurity firm. A professional audit provides expert evaluation, evidence-based findings, and actionable remediation roadmaps. At MDIT Services, our cybersecurity audit process covers all 30 points plus industry-specific requirements, delivering a prioritized remediation plan that aligns with your budget and risk tolerance.

Frequently Asked Questions

How often should a cybersecurity audit be conducted?

Comprehensive audits should be conducted annually at minimum. RBI requires annual cyber audits of the entities it regulates. SEBI mandates annual cybersecurity audits under CSCRF. Beyond regulatory requirements, audits should be triggered by major infrastructure changes, business acquisitions, or security incidents.

What is the difference between a cybersecurity audit and a VAPT?

A VAPT tests your technical defenses by simulating attacks — it answers “can an attacker get in?” A cybersecurity audit is broader — it examines policies, processes, compliance, governance, and technical controls holistically. It answers “is our overall security posture adequate?” Both are necessary and complementary.

How much does a professional cybersecurity audit cost in India?

For Indian SMBs, a professional cybersecurity audit typically costs INR 2–8 lakhs depending on scope and organization size. For larger enterprises or regulated entities requiring comprehensive audits, costs range from INR 8–25 lakhs. This investment is minimal compared to the cost of a breach or regulatory penalty.

Can this checklist be used for ISO 27001 preparation?

This checklist covers many ISO 27001 control areas but is not a substitute for the full ISO 27001 standard, which has 93 controls across four categories. However, scoring well on this checklist indicates strong readiness for ISO 27001 certification. It is an excellent starting point before engaging an ISO consultant.

What if we score below 20 on the self-assessment?

Do not panic, but do act urgently. Focus on four immediate priorities: enable MFA on all email and cloud accounts (Point 6), deploy endpoint protection (Point 15), implement backups with offline copies (Point 19), and document an incident response plan with CERT-In reporting procedures (Points 25–26). These four controls address the most common and damaging attack scenarios. Then plan a phased approach for the remaining points.

About the Author

MDIT Security Research Team

The MDIT Security Research Team comprises certified cybersecurity professionals specialising in VAPT, web application security, mobile app testing, PCI DSS compliance, ISO 27001, and digital forensics for Indian enterprises. Our analysts hold certifications including CEH, OSCP, CISSP, and ISO 27001 Lead Auditor.