CERT-In — GRC RADAR
Published: 6 June 2026 · 18 min read · Category: CERT-In
Somewhere this quarter, a client is going to send your company a security questionnaire. Or an insurer is going to ask whether you comply with CERT-In directions. Or a new enterprise customer is going to want an audit trail produced within a week.
If you are the person on the other end of that email — and you did not ask to be — this guide is for you.
In September 2025, India’s Computer Emergency Response Team did something it had never done before: it published a cybersecurity baseline written explicitly for small businesses. The document is called the “15 Elemental Cyber Defense Controls for Micro, Small, and Medium Enterprises (MSMEs),” Version 1.0, dated 1 September 2025, and it is the most actionable starting point CERT-In has published for MSMEs. It names 15 controls, maps 45 concrete recommendations onto them, and tells you exactly how to get audited against them.
This guide walks through all 15, explains what each one looks like inside a real 50-person Indian company, and gives you a 12-month roadmap you can start on Monday. If you need to comply with CERT-In directions without hiring a big-four consultancy — or you just want it explained in plain language — start here.
What CERT-In is, and why MSMEs now have their own baseline
The Indian Computer Emergency Response Team (CERT-In) sits inside the Ministry of Electronics and Information Technology (MeitY). It was established under Section 70B of the Information Technology Act, 2000, and it is the national nodal agency for cybersecurity incidents in India. When CERT-In issues a direction, it carries the force of law.
For years, that statutory weight landed mainly on banks, large enterprises, and service providers. MSMEs were technically in scope of CERT-In’s 2022 incident-reporting directions but had no baseline written for their reality — limited staff, limited budget, no security team. The September 2025 document changes that. It is the first CERT-In cybersecurity framework MSME owners can actually pick up and run themselves.
It is scoped to a precise legal definition. The controls apply to enterprises that meet the MSME classification notified by the Ministry of Micro, Small & Medium Enterprises vide Notification No. 2020 S.O. 1702(E) dated 1 June 2020 under the MSMED Act, 2006. This matters: plenty of Indian businesses that casually call themselves “SMEs” sit above the MSME investment-and-turnover thresholds and carry heavier obligations. Check where you actually fall before assuming the baseline is your ceiling. CERT-In is explicit that these 15 controls are a minimum — a floor to benchmark against, not a complete security programme.
The legal foundation: Section 70B and the April 2022 Directions
The 15 Elemental Controls sit on top of an existing statutory layer you should understand first.
On 28 April 2022, CERT-In issued its Directions under Section 70B(6) of the IT Act — reference No. 20(3)/2022-CERT-In — relating to information security practices and the reporting of cyber incidents for a “Safe & Trusted Internet.” These became effective 60 days later. They are the origin of the obligations everyone quotes: synchronise system clocks to NIC or NPL time servers, report listed incidents within six hours, and retain logs for 180 days within Indian jurisdiction.
Two months later, on 27 June 2022, CERT-In issued an extension circular granting MSMEs additional time to implement those directions, and mandating a subscriber-validation mechanism for data centres, VPS providers, cloud service providers, and VPN providers. If your business is an MSME, that extension circular is part of your compliance-timeline story.
What about teeth? Non-compliance with the Directions “may invite punitive action under sub-section (7) of Section 70B of the IT Act, 2000.” That is where the penalty exposure sits. The exact quantum has been the subject of discussion under DPDP-era and successor IT legislation, so treat any specific rupee figure as something to confirm against the current statute rather than memorise — but understand that the exposure is real and statutory, not advisory.
The 15 Elemental Controls fold this layer in: Control IM.3 simply says to adhere to the 28 April 2022 Directions, including the six-hour reporting rule. So the 2022 obligations are not separate homework — they live inside the baseline.
The 15 Elemental Controls at a glance
Here is the full map. Keep it open in a tab while you read the rest. Each control carries an identifier and a set of numbered Security Baseline Recommendations (45 in total).
- Effective Asset Management (EAM) — know every hardware, software, and information asset you own, and track it through its whole life. (EAM.1–.2)
- Network and Email Security (NES) — firewalls, secure Wi-Fi, encrypted VPN access, and anti-spoofing email controls. (NES.1–.4)
- Endpoint & Mobile Security (EMS) — licensed antivirus, no pirated software, CSK onboarding, removable-media control. (EMS.1–.4)
- Secure Configurations (SC) — harden devices to an approved baseline; strip out defaults and unused services. (SC.1–.3)
- Patch Management (PM) — patch promptly and track vendor and CERT-In advisories. (PM.1–.2)
- Incident Management (IM) — a documented incident response plan, tested, plus six-hour reporting to CERT-In. (IM.1–.3)
- Logging and Monitoring (LM) — comprehensive logs kept 180 days in India, actively monitored. (LM.1–.3)
- Awareness and Training (AT) — train every employee at least twice a year; join CERT-In drills. (AT.1–.2)
- Third Party Risk Management (TPRM) — vet vendors and hold them to your security standard. (TPRM.1–.2)
- Data Protection, Backup and Recovery (DPBP) — encrypted, tested, offline backups and a business continuity plan. (DPBP.1–.4)
- Governance and Compliance (GC) — a named security point of contact and an approved information security policy. (GC.1–.4)
- Robust Password Policy (RPP) — strong passwords, lockouts, MFA, and secure password storage. (RPP.1–.4)
- Access Control and Identity Management (ACIM) — unique IDs, least privilege, periodic access reviews, admin segregation. (ACIM.1–.4)
- Physical Security (PS) — physical access controls for critical systems and an asset-return checklist for leavers. (PS.1–.2)
- Vulnerability Audits and Assessments (VAA) — an independent annual vulnerability assessment and periodic risk assessment. (VAA.1–.2)
When MSMEs score themselves honestly against this list, most can claim solid coverage on four or five controls, partial coverage on another five, and near-zero on the rest. That is normal. The next three sections move the middle cluster up and get you off zero on the rest. Treat the list as your working checklist.
Deep dive: Controls 1–5 (asset, network, endpoint, configuration, patch)
This is the foundation layer. If you only have budget for one quarter, start here.
Effective Asset Management (EAM.1–.2). You cannot protect what you cannot see. EAM.1 asks for a centralised, continuously updated inventory of all hardware, software, and information assets, with sensitive assets identified and classified. EAM.2 extends this across the full lifecycle — acquisition, deployment, use, and secure disposal. For most MSMEs a well-maintained spreadsheet, reviewed monthly, satisfies both. The discipline, not the tool, is the control.
Network and Email Security (NES.1–.4). Deploy and properly configure firewalls at the perimeter and host level (NES.1). Secure Wi-Fi with WPA2/WPA3, strong passwords, no factory defaults, and a guest network kept separate from internal systems (NES.2). Use VPNs with encryption and MFA for remote access (NES.3). And protect email against phishing and spoofing with SPF, DKIM, and DMARC (NES.4) — three DNS records that, once set, quietly stop a large share of impersonation attempts.
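The three DNS records behind NES.4 are only useful if they are published correctly, and the most common failures are silent ones: an SPF record that ends in `+all`, or a DMARC record left at `p=none` forever. The following checker is an added example, not CERT-In's or GRC RADAR's code. It evaluates already-fetched TXT records against those failure modes; the domain, selector and records below are constructed sample data, and in practice you would feed it the output of a DNS resolver.

```python
"""Assess SPF, DKIM and DMARC posture from TXT records (added example for NES.4)."""
import re

# Constructed sample records for a hypothetical domain; not real DNS data.
SAMPLE_TXT = {
    "example-msme.in": ["v=spf1 include:_spf.example-mail.net ~all"],
    "_dmarc.example-msme.in": ["v=DMARC1; p=none; rua=mailto:dmarc@example-msme.in"],
    "mail._domainkey.example-msme.in": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot verify your sending hosts"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records; RFC 7208 treats this as a permanent error"]
    mechs = spf[0].lower().split()
    findings = []
    if "+all" in mechs or "all" in mechs:
        findings.append("SPF: '+all' authorises every host on the internet to send as you")
    elif "?all" in mechs:
        findings.append("SPF: '?all' is neutral; spoofed mail is neither passed nor failed")
    elif "~all" in mechs:
        findings.append("SPF: '~all' softfail; acceptable while tuning, move to '-all'")
    elif "-all" not in mechs and not any(m.startswith("redirect=") for m in mechs):
        findings.append("SPF: no terminal 'all' mechanism; default result is neutral")
    lookups = sum(1 for m in mechs if _LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; SPF/DKIM results carry no enforcement policy"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will receive no aggregate reports")
    return findings


def check_dkim(records):
    dkim = [r for r in records if r.lower().startswith("v=dkim1")]
    if not dkim:
        return ["DKIM: no key published at the selector; signatures cannot be verified"]
    if not parse_tags(dkim[0]).get("p"):
        return ["DKIM: empty p= tag means the key is revoked"]
    return []


def assess_domain(domain, selector, txt=SAMPLE_TXT):
    """Run all three checks for one sending domain and DKIM selector."""
    findings = []
    findings += check_spf(txt.get(domain, []))
    findings += check_dmarc(txt.get(f"_dmarc.{domain}", []))
    findings += check_dkim(txt.get(f"{selector}._domainkey.{domain}", []))
    return findings


if __name__ == "__main__":
    for finding in assess_domain("example-msme.in", "mail"):
        print(finding)
```

Run against the constructed records, the checker reports the softfail SPF and the monitor-only DMARC policy; the practical path is to move `~all` to `-all` and `p=none` to `p=quarantine` and then `p=reject` once the aggregate reports show only legitimate senders.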
Endpoint & Mobile Security (EMS.1–.4). Licensed antivirus on every device, with built-in OS protections left enabled (EMS.1). No pirated software, and installation restricted to authorised personnel (EMS.2). Onboard with CERT-In’s Cyber Swachhta Kendra (CSK), the Botnet Cleaning and Malware Analysis Centre (reachable at csk.gov.in), to receive infection alerts (EMS.3). And control USB and removable media, disabling autorun (EMS.4). EMS.3 is a five-minute task most MSMEs have never done.
Secure Configurations (SC.1–.3). Maintain approved baseline configurations for servers, endpoints, network devices, browsers, and off-the-shelf software (SC.1). Disable unnecessary ports, services, and default apps to shrink the attack surface (SC.2). Remove unused software and change every default password before deployment (SC.3).
Patch Management (PM.1–.2). Apply security patches to operating systems, applications, and firmware on a defined timeline (PM.1), and actively monitor vendor notifications and CERT-In advisories so you hear about critical vulnerabilities early (PM.2). A defensible MSME cadence: critical patches within days, the rest on a monthly cycle, tracked against your EAM inventory.
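Tracking patches "against your EAM inventory" means joining two lists: what is installed, and what advisories say is fixed. The script below is an added example, not CERT-In's or GRC RADAR's code. The inventory, product names and advisory identifiers are constructed placeholders, and the SLA table (7 days for critical, 14 for high, 30 for the rest) is an assumption that turns the article's "critical within days, the rest monthly" into numbers you can measure against.

```python
"""Flag assets that are past their patch SLA (added example for PM.1–.2 and EAM.1)."""
from datetime import date, timedelta

# Assumption: concrete SLA per severity, chosen to match "critical within days, the rest monthly".
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 30}

# Constructed EAM-style inventory; product names and versions are placeholders.
SAMPLE_INVENTORY = [
    {"asset": "web01", "product": "examplehttpd", "version": "2.4.1"},
    {"asset": "web02", "product": "examplehttpd", "version": "2.4.3"},
    {"asset": "fw01", "product": "examplefw-os", "version": "7.0"},
]

# Constructed advisories with placeholder ids; fixed_version is the first non-vulnerable release.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "product": "examplehttpd", "fixed_version": "2.4.3",
     "severity": "critical", "published": date(2026, 5, 20)},
    {"id": "ADV-PLACEHOLDER-002", "product": "examplefw-os", "fixed_version": "7.2",
     "severity": "medium", "published": date(2026, 5, 25)},
]


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in text.split("."))


def patch_status(inventory, advisories, today):
    """Return one row per (asset, advisory) pair where the asset is still vulnerable."""
    rows = []
    for adv in advisories:
        due = adv["published"] + timedelta(days=SLA_DAYS[adv["severity"]])
        for asset in inventory:
            if asset["product"] != adv["product"]:
                continue
            if parse_version(asset["version"]) >= parse_version(adv["fixed_version"]):
                continue  # already at or beyond the fixed release
            overdue_days = max(0, (today - due).days)
            rows.append({
                "asset": asset["asset"],
                "advisory": adv["id"],
                "severity": adv["severity"],
                "due": due,
                "overdue_days": overdue_days,
                "status": "overdue" if today > due else "open",
            })
    return rows


if __name__ == "__main__":
    for row in patch_status(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, date(2026, 6, 6)):
        print(f'{row["asset"]:6} {row["advisory"]:20} {row["severity"]:8} '
              f'due {row["due"]} {row["status"]} (+{row["overdue_days"]}d)')
```

The output is the evidence an auditor asks for under PM.1: a dated list of open and overdue items rather than an assertion that "we patch monthly". Feeding it from a real inventory export and a vendor or CERT-In advisory feed is the only change needed.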
Deep dive: Controls 6–10 (incident, logging, awareness, third-party, data)
This layer is where MSMEs usually discover their processes are weaker than their tools.
Incident Management (IM.1–.3). Write a formal Incident Response Plan covering reporting, containment, investigation, recovery, and communication (IM.1). Test it regularly (IM.2) — a three-page plan you actually rehearse beats a thirty-page one nobody has read. IM.3 ties you back to the 28 April 2022 Directions: report cybersecurity incidents to CERT-In within 6 hours of detection or notification. This is the rule — and six hours is short. You need a pre-written template and a clear internal rule about who makes the “is this reportable?” call before the clock starts. The reportable categories are the 20 listed in Annexure I of the Directions (unauthorised access, data breach, ransomware, phishing, attacks on cloud and IoT systems, and more); incidents go to incident@cert-in.org.in or the published reporting channels.
Logging and Monitoring (LM.1–.3). LM.1 is the well-known one: enable comprehensive logging on all key ICT systems and retain logs for a minimum of 180 days with secure storage within Indian jurisdiction. Beyond retention, LM.2 asks you to continuously monitor network activity and privileged-user actions, and LM.3 recommends a monitoring solution to help with log analysis and threat detection. Practically: generate the logs, ship them off-host so an attacker cannot delete the evidence, and store them in an Indian region.
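LM.1 is easy to claim and hard to prove: "we keep logs for 180 days" only holds if every day in the window is actually present in the archive and every copy sits in an Indian region. The script below is an added example, not CERT-In's or GRC RADAR's code. It checks an archive index for coverage gaps and for objects stored outside an allowed-region list; the index is constructed sample data, and the region codes `ap-south-1` and `ap-south-2` (AWS Mumbai and Hyderabad) are an assumption to be replaced with your own provider's Indian region names.

```python
"""Check 180-day log archive coverage and storage region (added example for LM.1)."""
from datetime import date, timedelta

RETENTION_DAYS = 180  # LM.1 minimum retention period
# Assumption: AWS region codes for Mumbai and Hyderabad; adjust for your provider.
INDIAN_REGIONS = {"ap-south-1", "ap-south-2"}


def build_sample_index(today):
    """Constructed archive index: (host, archive day, storage region). Not real data."""
    index = []
    for offset in range(200):
        day = today - timedelta(days=offset)
        if offset not in (40, 41, 42):  # constructed gap: three missing days for fw01
            index.append(("fw01", day, "ap-south-1"))
        # constructed misconfiguration: the newest ten erp-db archives landed offshore
        region = "eu-west-1" if offset < 10 else "ap-south-1"
        index.append(("erp-db", day, region))
    return index


def retention_report(index, today, hosts):
    """Per host: days missing from the 180-day window and days stored outside India."""
    window = {today - timedelta(days=d) for d in range(RETENTION_DAYS)}
    report = {}
    for host in hosts:
        entries = [(day, region) for h, day, region in index if h == host]
        present = {day for day, _ in entries if day in window}
        missing = sorted(window - present)
        offshore = sorted({day for day, region in entries
                           if day in window and region not in INDIAN_REGIONS})
        report[host] = {
            "missing_days": missing,
            "offshore_days": offshore,
            "compliant": not missing and not offshore,
        }
    return report


if __name__ == "__main__":
    today = date(2026, 6, 6)
    for host, result in retention_report(build_sample_index(today), today,
                                         ["fw01", "erp-db"]).items():
        print(f'{host}: compliant={result["compliant"]} '
              f'missing={len(result["missing_days"])} offshore={len(result["offshore_days"])}')
```

A daily run of this over the archive listing gives you two things auditors look for and attackers hope you lack: an alert the first day a host stops shipping logs (the gap appears at the top of the window), and proof that the jurisdiction requirement holds for every object, not just the bucket's default setting.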
Awareness and Training (AT.1–.2). Run basic cybersecurity awareness training at least twice a year for all staff and contractors — phishing, password hygiene, social engineering, safe internet use (AT.1) — and take part in CERT-In’s awareness workshops and national drills (AT.2). Your people are the control that fails first; this is the cheapest high-leverage line item on the list.
Third Party Risk Management (TPRM.1–.2). Conduct due diligence on each vendor proportionate to the risk they carry (TPRM.1), and hold third parties to at least the same baseline you apply internally (TPRM.2). You remain responsible for what your cloud provider, CRM, and accountants do with your data.
Data Protection, Backup and Recovery (DPBP.1–.4). Keep a regular backup schedule with encrypted copies stored offsite and offline (DPBP.1); test restoration periodically so you know the backups actually work (DPBP.2); maintain a minimum Business Continuity Plan for critical applications (DPBP.3); and dispose of physical and digital media securely (DPBP.4). The control that saves you in a ransomware event is DPBP.2 — the restore test almost nobody runs until it is too late.
Deep dive: Controls 11–15 (governance, passwords, access, physical, vulnerability)
This layer turns scattered good habits into something an auditor can sign off.
Governance and Compliance (GC.1–.4). Name a security in-charge or single point of contact who owns information security and interfaces with CERT-In and regulators (GC.1). Formally approve an Information Security Policy sized to your operations, covering data protection, access control, incident response, passwords, third-party management, and audits (GC.2). Review it when the business, technology, or regulation changes (GC.3), and adhere to CERT-In and regulator directions (GC.4). GC.2 is exactly where a good information security policy template earns its keep — it turns repeated decisions into a documented lookup.
Robust Password Policy (RPP.1–.4). Enforce strong, unique passwords of 8–12+ characters with expiry and no reuse (RPP.1); lock accounts after 3–5 failed attempts (RPP.2); enable MFA on all critical systems, administrative accounts, and remote access (RPP.3); and store passwords using secure hashing (RPP.4).
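RPP.2 and RPP.4 are the two recommendations most often implemented wrongly in home-grown portals: lockouts that reset on every page load, and passwords stored as a bare hash. The code below is an added example, not CERT-In's or GRC RADAR's code. It shows a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the Python standard library, 600,000 iterations) with constant-time verification and a failed-attempt lockout. The 12-character minimum and five-attempt threshold are choices from within the ranges the article gives, and the usernames and passwords are constructed.

```python
"""Secure password storage and account lockout (added example for RPP.1, RPP.2, RPP.4)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise over time as hardware gets faster
MIN_LENGTH = 12       # RPP.1 asks for 8–12+ characters; 12 chosen here
MAX_FAILURES = 5      # RPP.2 asks for lockout after 3–5 failures; 5 chosen here


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>'; never stores the password itself."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_b64, digest_b64 = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# Verifying unknown users against a dummy hash keeps response time uniform,
# so an attacker cannot tell valid usernames from invalid ones by timing.
_DUMMY_HASH = hash_password("dummy-password-for-timing-only")


class LoginService:
    def __init__(self):
        self.users = {}      # username -> stored hash string
        self.failures = {}   # username -> consecutive failed attempts
        self.locked = set()  # usernames locked pending an administrator reset

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'; lock after MAX_FAILURES consecutive failures."""
        if username in self.locked:
            return "locked"
        stored = self.users.get(username, _DUMMY_HASH)
        if verify_password(password, stored) and username in self.users:
            self.failures[username] = 0  # a success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("asha", "Correct-Horse-Battery-9")  # constructed credentials
    print(svc.login("asha", "Correct-Horse-Battery-9"))
    for _ in range(MAX_FAILURES):
        print(svc.login("asha", "not-the-password"))
```

The stored string carries its own iteration count, so you can raise the work factor later and re-hash users transparently at their next successful login; the lockout state lives server-side, so a client cannot reset it by clearing cookies.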
Access Control and Identity Management (ACIM.1–.4). Assign unique user IDs — no shared logins (ACIM.1). Apply role-based access on the principle of least privilege (ACIM.2). Review access at least quarterly and immediately on role change, transfer, or exit, using a formal offboarding checklist (ACIM.3). And grant admin rights only when essential, enforcing segregation of duties across administrative, financial, and data functions (ACIM.4). The single biggest preventable failure in Indian MSMEs is the ghost account of someone who left a year ago; ACIM.3 is its cure.
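The quarterly review in ACIM.3 is a join between two lists the company already has: HR's roster of who still works there, and the identity provider's list of accounts. The script below is an added example, not CERT-In's or GRC RADAR's code. It flags ghost accounts (owner has exited), accounts with no named owner (ACIM.1), and accounts idle beyond a staleness threshold; the roster, accounts and the 90-day threshold are constructed assumptions.

```python
"""Quarterly access review: ghost, shared and stale accounts (added example for ACIM.1, ACIM.3)."""
from datetime import date

STALE_DAYS = 90  # assumption: one quarter without a login warrants a review

# Constructed HR roster: username -> employment status. Not real data.
SAMPLE_ROSTER = {"asha": "active", "ravi": "exited", "meena": "active"}

# Constructed identity-provider export. 'owner' is None for shared or service logins.
SAMPLE_ACCOUNTS = [
    {"id": "asha.k", "owner": "asha", "last_login": date(2026, 6, 1), "admin": False},
    {"id": "meena.r", "owner": "meena", "last_login": date(2026, 5, 28), "admin": True},
    {"id": "ravi.m", "owner": "ravi", "last_login": date(2025, 5, 30), "admin": True},
    {"id": "admin", "owner": None, "last_login": date(2026, 6, 2), "admin": True},
    {"id": "svc_backup", "owner": "asha", "last_login": date(2025, 11, 1), "admin": True},
]


def review_access(accounts, roster, today):
    """Return {account_id: [issue, ...]} for every account needing action."""
    findings = {}
    for acct in accounts:
        issues = []
        owner = acct["owner"]
        if owner is None:
            issues.append("no named owner: shared or orphaned login (ACIM.1)")
        elif roster.get(owner) != "active":
            who = "unknown to HR" if owner not in roster else "has left"
            issues.append(f"ghost account: owner {owner!r} {who} (ACIM.3)")
        last = acct["last_login"]
        idle = (today - last).days if last else None
        if idle is None:
            issues.append("never logged in: confirm business need or disable")
        elif idle > STALE_DAYS:
            issues.append(f"inactive for {idle} days (>{STALE_DAYS}): confirm business need or disable")
        if issues and acct["admin"]:
            issues.append("holds admin rights: treat as priority (ACIM.4)")
        if issues:
            findings[acct["id"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, date(2026, 6, 6)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Keep the dated output with each quarter's review; it is the evidence for ACIM.3, and the diff between two quarters shows whether the offboarding checklist is actually being followed.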
Physical Security (PS.1–.2). Control physical access to critical infrastructure — guards, badges, biometrics, and CCTV for server rooms and network equipment (PS.1) — and run an asset-return checklist (ID cards, laptops, USB drives) for every employee exit (PS.2).
Vulnerability Audits and Assessments (VAA.1–.2). Have independent third-party vulnerability assessments of business-critical assets and applications conducted at least once a year, with timely remediation (VAA.1), and perform periodic risk assessments to identify threats specific to your organisation (VAA.2). VAA.1 is the natural bridge to the annual baseline audit described below.
A 12-month roadmap for a 50-person Indian MSME
You cannot do all 15 controls at once. Here is a realistic phased rollout a typical MSME can complete without a dedicated security team. Adjust the order to your own risk profile and to whatever your customers ask for first.
Phase 1 (Months 1–3) — Access and identity quick wins. Enforce MFA on admin and remote access (RPP.3, NES.3). Move to unique IDs and least privilege; run your first quarterly access review and build the offboarding checklist (ACIM.1–.3). Publish a one-page access policy. Outcome: ACIM and RPP substantially in place.
Phase 2 (Months 4–6) — Process maturity. Harden configurations and start patching against your asset inventory (SC, PM, EAM.1). Turn on logging shipped off-host to a 180-day Indian store and begin monitoring (LM.1–.2). Write and first-test the incident response plan, including the six-hour reporting template (IM.1–.3). Run the first awareness training (AT.1). Outcome: SC, PM, IM, LM, AT begun or substantially in place.
Phase 3 (Months 7–9) — Protection and resilience. Firm up firewalls, Wi-Fi, and email anti-spoofing (NES.1–.4); deploy endpoint protection and onboard CSK (EMS.1–.4); stand up encrypted offline backups, test restores, and a minimum BCP (DPBP.1–.4); complete the asset lifecycle records (EAM.2). Outcome: NES, EMS, DPBP in place.
Phase 4 (Months 10–12) — Governance and assurance. Approve the information security policy and confirm the security POC (GC.1–.2). Formalise vendor management (TPRM) and physical controls (PS). Commission the independent annual vulnerability assessment (VAA.1) and run an internal pre-audit against all 45 recommendations. Outcome: GC, TPRM, PS, VAA in place; audit-ready.
By month 12, a well-run programme leaves you audit-ready across all 15 controls. “Audit-ready” is not “audit-perfect” — you will still have gaps, but they will be known, documented, and on a plan.
How to prepare for a CERT-In baseline audit
The September 2025 document does not just list controls; it tells MSMEs how to get assured against them. Under its “Utilization” section, CERT-In recommends MSMEs conduct Baseline Audits through CERT-In Empaneled Auditing Organizations for these elemental controls at least once a year. That is the regulator-aligned version of a CERT-In annual cybersecurity audit, and it is the cadence to plan around.
Before you pay for an external pass, run an honest internal pre-audit, the kind a 50-person company can do in-house in about two days:
- Score yourself 0 (nothing) to 3 (mature and documented) against each of the 45 Security Baseline Recommendations, not just the 15 headline controls.
- For everything at 0 or 1, write a one-line remediation and a target date.
- Gather the evidence an auditor will ask for: the asset inventory, access-review records, change and patch logs, the incident response plan and reporting template, the vendor register, backup-restore test results, and the approved security policy.
- Watch for the usual red flags: any control where the answer is “our MSP handles that” but no document proves it; any shared admin account; any vendor with production access and no agreement; any system unpatched for a year.
When you are ready for the external pass, choose an auditor from the CERT-In empanelled auditor list (CERT-In’s own documents spell it “Empaneled”). The empanelment is not just a label — empanelled firms audit against this exact baseline and will state plainly that it represents minimum requirements. Doing the pre-audit first makes the external engagement faster and cheaper.
Beyond the 15 Elemental Controls: CERT-In’s expanding guidance
The 15 controls are the baseline, but CERT-In’s output has accelerated, and a few recent issuances are worth knowing even where they do not yet bind an MSME:
- Technical Guidelines on BOM v2.0 (9 July 2025). Expands the Bill of Materials guidance to five types — SBOM (software), QBOM (quantum), CBOM (cryptographic), AIBOM (AI), and HBOM (hardware). If you sell software to a public-sector buyer, you will be asked for an SBOM; build the capability before the questionnaire arrives.
- Deepfake / Synthetic Media Advisory CIAD-2024-0060 (27 November 2024, High severity). Prompted by AI-generated voice and video used for fraud. The practical response is staff awareness and out-of-band verification of high-risk requests like wire transfers and credential resets.
- Blueprint for Defending against AI-Assisted Vulnerabilities Exploitation (Version 1.0, 25 May 2026). CERT-In’s newest publication — a 38-page blueprint on reducing exposure to AI-assisted attacks across governance, technical controls, monitoring, and incident response. Not an MSME mandate, but a clear signal of where “current good practice” is heading.
- Sectoral frameworks. CERT-In has also issued Cyber Security Guidelines for Smart City Infrastructure and a Cyber Security Framework for Space (including satellite communication) — relevant if your MSME serves urban-tech, PSU, or space-adjacent contracts.
For most MSMEs the 15 Elemental Controls remain the priority. But an enterprise customer’s 2026 security questionnaire increasingly asks about SBOM capability and AI-threat readiness alongside the baseline, and an empanelled auditor will reference this expanding guidance as part of good practice even where it is not strictly mandatory for your category.
Key takeaways and next steps
Three things to carry away.
First, CERT-In compliance for SMEs is no longer a grey area. With the September 2025 baseline, the regulator has told MSMEs exactly which 15 controls and 45 recommendations represent the floor. Enterprise customers, insurers, and auditors now assume you have them.
Second, you can get there in 12 months with one competent IT lead, a modest budget, and a phased plan. Nobody starts with all 15 controls in place; everybody who finishes does it in stages.
Third, the failures that cost MSMEs the most are not exotic — they are shared logins nobody revoked, access reviews that never happened, backups that were never restore-tested, and incidents never reported because the six-hour window closed while the team worked out who to call. Fix the process and the technology follows.
Start this week. Pick three Phase 1 items, name an owner for each, set a date, and put them on your next team meeting. That is the beginning of the CERT-In 15 controls checklist that carries you to your first baseline audit.
Download the free CERT-In 15 Controls MSME Compliance Checklist to track all 45 recommendations as you work through the roadmap. An incident response plan template and a six-hour reporting template are in the works — bookmark the GRC RADAR hub to find them when they are ready. If you have a specific question about how one control applies to your MSME, ask on the Contact page; real questions shape our next cluster posts.
GRC RADAR is India’s GRC and cybersecurity knowledge hub for MSMEs — practical compliance content, no fluff, no jargon. This pillar is accompanied by cluster posts on six-hour incident reporting, 180-day log retention, and SBOM/BOM 2.0 adoption.
This content is general educational information only and does not constitute legal, compliance, or professional advice. Regulatory requirements vary by entity type and change over time — verify against current official sources before acting.