// INDIAN REGULATORY COMPLIANCE

CICRA / CII Security Audit

Compliance audit for Critical Information Infrastructure providers under NCIIPC and CERT-In obligations.

IT ActSection 70
NCIIPCGuidelines
CERT-InEmpanelled
6CII Sectors
Overview

Critical Information Infrastructure (CII) Security Audit

Section 70 of the Information Technology Act 2000 empowers the Central Government to designate computer resources as Critical Information Infrastructure (CII) — systems whose disruption or destruction would have a debilitating impact on national security, economy, public health, or safety. The National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency for CII protection, overseeing sectors including energy, finance, transport, telecommunications, government, and strategic enterprises.

Organisations designated as CII providers face the most demanding cybersecurity obligations in India — mandatory incident reporting to both CERT-In and NCIIPC, compliance with NCIIPC sector-specific guidelines, and alignment with the National Cyber Security Policy. Intelliroot's CII security audit addresses the full obligation landscape, combining our CERT-In empanelment with deep knowledge of NCIIPC guidelines and the classified CII threat landscape to deliver an audit that satisfies both regulatory requirements and national security-grade cybersecurity expectations.

IT Act Section 70 NCIIPC Guidelines CERT-In Directions National Cyber Security Policy
Why This Matters

Why CII Security Demands the Highest Standard

National Security Implications

CII designation means your systems are considered nationally critical. A successful cyberattack on CII can trigger national security responses, Parliamentary scrutiny, and significant reputational damage — the stakes are categorically higher than standard enterprise cybersecurity.

Nation-State Threat Actors

CII operators are explicitly targeted by nation-state actors and advanced persistent threat groups. NCIIPC's threat intelligence covers adversary capabilities and tactics specifically directed at Indian CII sectors — your audit must reflect this elevated threat landscape.

Dual Incident Reporting Obligations

CII organisations must report cybersecurity incidents to both CERT-In (within 6 hours per the 2022 Directions) and NCIIPC. Maintaining the operational capability to meet both obligations simultaneously requires specific processes and investment that our audit directly evaluates.

Sector-Specific Requirements

NCIIPC issues sector-specific guidelines for each CII sector (energy, finance, transport, telecom) that go beyond general cybersecurity requirements. Compliance requires an auditor with knowledge of both the general NCIIPC framework and your sector's specific obligations.

Scope

What the CII Security Audit Covers

CII Governance & Policy

  • CII protection policy and governance framework
  • NCIIPC reporting relationship and liaison process
  • National Cyber Security Policy alignment
  • Senior management accountability for CII obligations

Technical Protection Controls

  • Network segmentation and air-gap assessment
  • Vulnerability assessment of CII systems
  • Industrial control system (ICS/OT) security where applicable
  • Supply chain security for CII components

Threat Intelligence & Monitoring

  • Threat intelligence integration from NCIIPC/CERT-In
  • Nation-state threat actor coverage in security monitoring
  • Anomaly detection for CII-specific attack patterns
  • Sector-specific threat landscape review

Incident Response & Reporting

  • CERT-In 6-hour reporting capability assessment
  • NCIIPC incident notification process review
  • Cyber crisis management plan assessment
  • Sector regulator coordination procedures
Methodology

Our CII Audit Approach

01

CII Designation Review & Regulatory Mapping

Review the scope of the CII designation notice, identify all systems and assets covered by Section 70 obligations, and map applicable NCIIPC sector guidelines and CERT-In Directions to the entity's specific profile.

02

Governance & Policy Assessment

Evaluate the CII protection governance framework, NCIIPC liaison arrangements, senior management accountability structures, and alignment of the IS policy with National Cyber Security Policy requirements and NCIIPC guidelines.

03

Technical Security Assessment

Conduct VAPT of CII systems, review network segmentation and access controls, assess OT/ICS security where applicable, and evaluate supply chain security for hardware and software components in CII systems.

04

Threat Intelligence & Incident Response Review

Assess threat intelligence integration from NCIIPC and CERT-In feeds, review incident detection capability against CII-relevant threat actor TTPs, and evaluate the dual CERT-In/NCIIPC incident reporting process through tabletop exercise.

05

Report & Classified Findings Handling

Issue the CII security audit report with appropriate handling classification for sensitive findings. Deliver a prioritised remediation roadmap that addresses the highest-risk non-compliances while respecting the classification requirements for CII vulnerability information.

Regulatory Coverage
CII Designation IT Act Section 70 NCIIPC Guidelines Energy Sector Finance Sector Telecom Sector CERT-In Directions Nation-State Threats ICS / OT Security CERT-In Empanelled
FAQ

Frequently Asked Questions

CII designation is made by the Central Government under Section 70 of the IT Act 2000, on the recommendation of NCIIPC. Designated entities are formally notified. If you operate critical infrastructure in energy, finance, transport, telecommunications, government, or strategic enterprises sectors and have not confirmed your CII designation status, we recommend contacting NCIIPC to verify — some entities are unaware of their designation status.
NCIIPC (National Critical Information Infrastructure Protection Centre) is a unit of the National Technical Research Organisation (NTRO) and functions as the nodal agency for CII protection. CERT-In is the national CERT responsible for broader cybersecurity incident response across all sectors. CII operators must report to both: CERT-In under its 2022 Directions, and NCIIPC under its sector-specific guidelines. The two agencies co-ordinate but have distinct reporting channels and requirements.
Yes, where applicable. CII in sectors like energy, transport, and utilities typically involves significant OT and ICS components — SCADA systems, PLCs, and industrial networks. NCIIPC guidelines specifically address OT security. Intelliroot's CII audit scope includes OT/ICS security assessment, with our team experienced in assessing both IT and OT environments without disrupting operational processes.
CII vulnerability information is sensitive for national security reasons. We apply appropriate classification controls to CII audit reports — restricting distribution to named recipients, using secure channels for report delivery, and following NCIIPC guidance on vulnerability disclosure handling. We do not publish or share CII vulnerability details outside the client organisation without explicit authorisation.

Deliverables

CII Security Audit Report

Comprehensive security audit report signed by CERT-In empanelled auditor, with findings mapped to NCIIPC guidelines, IT Act Section 70, and applicable sector-specific requirements — handled with appropriate classification controls.

NCIIPC Control Gap Assessment

Detailed gap assessment against sector-specific NCIIPC guidelines, with risk ratings, evidence references, and remediation recommendations prioritised by national security impact.

Incident Reporting Readiness Review

Assessment of the dual CERT-In and NCIIPC incident reporting capability, including process documentation, escalation chains, notification templates, and tabletop exercise outcomes.

Threat Landscape Briefing

Sector-specific threat intelligence briefing covering nation-state actor TTPs, known CII-targeted campaigns, and recommended defensive priorities based on the current CII threat environment.

Remediation Roadmap

Prioritised remediation plan addressing the highest-severity CII security gaps, with effort estimates, implementation guidance, and alignment to NCIIPC and CERT-In compliance obligations.

Related Services in Indian Regulatory Compliance

CERT-In Empanelled Audit RBI Information Security Audit SEBI CSCRF Audit IRDAI Information Security Audit
GET STARTED
Accepting New Engagements · 24h Response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

Scoping Call with a Certified Consultant 45-minute deep-dive with a senior practitioner — no sales pitch.
Proposal Delivered in 48 Hours Fully scoped engagement plan with pricing and timeline.
Free Attack Surface Analysis Preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled ISO 27001 OSCP · CEH · CISSP
1
You
2
Service
3
Details

About You

We'll use this to route you to the right expert.

What Do You Need?

Select all that apply — you can pick multiple.

Select at least one area to continue.

Final Details

Optional context to help us scope your engagement.

By submitting, you agree to our Privacy Policy. We'll never share your data.