Cybersecurity Incident Response Plan (India)
CYBERSECURITY INCIDENT RESPONSE PLAN
Company: [Company Name]
Registered Address: [Company Address]
Effective Date: [Effective Date]
Last Test: [Last Test Date] | Next Scheduled Test: [Next Test Date]
This Cybersecurity Incident Response Plan ("CIRP") is adopted by [Company Name] ("Company") pursuant to the Information Technology Act 2000 (IT Act), the CERT-In (Indian Computer Emergency Response Team) Directions 2022 issued under Section 70B(6) of the IT Act, and the Digital Personal Data Protection Act 2023 (DPDPA 2023). All service providers, intermediaries, data centres, and body corporates are required to comply with the CERT-In Directions 2022.
1. COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
1.1 CERT-In Liaison Officer / CISO: [CISO Name]. The CERT-In Liaison Officer is the primary point of contact for all communications with CERT-In, including submission of the mandatory six-hour incident notification under the CERT-In Directions 2022. The Liaison Officer must be contactable 24/7 during an active incident.
1.2 Incident Commander: [Incident Commander]. Responsible for overall coordination of the incident response, maintaining the incident log, and chairing CSIRT meetings during an active incident.
1.3 Legal Counsel: [Legal Counsel Contact]. Responsible for advising on regulatory reporting obligations (CERT-In, DPDPA Data Protection Board, sector regulator: [Sector Regulator]), evidence preservation requirements under Section 65B of the Indian Evidence Act 1872, and potential litigation.
1.4 Supporting CSIRT members include: Security Analysts (detection, triage, containment); IT Systems Administrators (recovery); Network Administrators (isolation); Forensic Investigator (evidence preservation); Communications Lead (internal/external communications); and CFO (financial exposure, cyber insurance). Contact details for all CSIRT members are maintained in the CSIRT Contact Directory, reviewed and updated quarterly.
2. INCIDENT CLASSIFICATION
Category 1 (Low Severity): [Category 1 Definition]. Response: IT team investigation; no regulatory notification required unless a CERT-In reportable category is triggered.
Category 2 (Medium Severity): [Category 2 Definition]. Response: CSIRT activated; CERT-In notification assessed within six hours; DPDPA breach assessment conducted.
Category 3 (Critical Severity): [Category 3 Definition]. Response: Full CSIRT activation; CERT-In six-hour notification submitted; Executive Steering Committee and Board notified; external forensics and legal counsel engaged.
3. INCIDENT RESPONSE LIFE CYCLE
3.1 DETECTION AND ANALYSIS: Upon detection of a potential security incident (by monitoring tools, employee report, or external notification), the IT security team conducts initial triage to confirm whether a genuine incident has occurred and to classify severity. ICT system logs must be maintained for 180 days within Indian jurisdiction as required by the CERT-In Directions 2022, and NTP synchronisation must be maintained with the NIC or NPL NTP server.
3.2 CERT-In SIX-HOUR NOTIFICATION: Upon detection and initial confirmation of a reportable incident (any of the 20 categories specified in the CERT-In Directions 2022, including data breaches, ransomware attacks, unauthorised access, defacement, and DDoS attacks), the CERT-In Liaison Officer ([CISO Name]) must submit the incident notification through the CERT-In portal (www.cert-in.org.in) within SIX HOURS. Failure to report is a criminal offence under Section 70B(7) of the IT Act 2000, punishable by up to one year imprisonment and/or ₹1 lakh fine.
3.3 SECTOR REGULATOR NOTIFICATION: For the Company's primary sector regulator ([Sector Regulator]), notify within the applicable regulatory timeline (RBI: 2–6 hours for major incidents; SEBI: material event within 24 hours; IRDAI: as per applicable guidelines).
3.4 CONTAINMENT: Isolate affected systems from the network to prevent lateral movement. Preserve volatile memory (RAM) before shutdown to enable forensic investigation. Revoke compromised credentials.
3.5 EVIDENCE PRESERVATION: Create forensic images of affected systems before remediation, following chain-of-custody procedures consistent with Section 65B of the Indian Evidence Act 1872 for admissibility in court or regulatory proceedings.
3.6 ERADICATION AND RECOVERY: Remove malware, patch exploited vulnerabilities, restore systems from clean, verified backups. Validate system integrity before returning to production. The Company maintains backups consistent with the 3-2-1 rule (three copies, two media types, one offsite/offline).
4. PERSONAL DATA BREACH NOTIFICATION (DPDPA 2023)
4.1 If the cybersecurity incident involves a personal data breach (unauthorised access to, disclosure of, or loss of personal data), the DPDPA 2023 (Section 8(6)) requires notification to: (a) the Data Protection Board; and (b) affected data principals, in the prescribed form and within the prescribed timeline (to be specified in DPDPA rules).
4.2 The Legal Counsel ([Legal Counsel Contact]) will assess whether a DPDPA breach notification is required and will prepare the notification with the CISO. The DPDPA notification will be coordinated with the CERT-In notification to ensure consistency.
5. POST-INCIDENT REVIEW AND TESTING
5.1 A formal post-incident review (lessons-learned meeting) shall be conducted within 2–4 weeks of incident resolution, producing a root cause analysis, assessment of response effectiveness, and specific remediation recommendations.
5.2 Post-incident review findings shall be reported to the Board or Audit Committee and used to update this CIRP.
5.3 This CIRP shall be tested at least annually through a tabletop exercise or full simulation, and immediately after any material incident. The next scheduled test is [Next Test Date].
5.4 This CIRP is governed by the laws of India and the laws of the State of [Governing State]. This CIRP shall be reviewed and updated at least annually.
CIO / CISO
________________
Signature
Managing Director / CEO
________________
Signature
What Is a Cybersecurity Incident Response Plan (India)?
A Cybersecurity Incident Response Plan in India sets out the organisation's responsibilities and procedures for handling cybersecurity incidents and records the arrangements it has adopted for detection, reporting, containment and recovery.
The CERT-In Directions 2022 — issued by the Ministry of Electronics and Information Technology (MeitY) under Section 70B(6) of the IT Act 2000 — introduced India's most stringent cybersecurity obligations to date. All service providers, intermediaries, data centres, body corporates, and government organisations are required to report 20 categories of cybersecurity incidents to CERT-In within six hours of detection. The Directions also impose obligations on log retention (180 days within India), ICT system time synchronisation, and VPN subscriber records. A CIRP provides the operational framework for meeting these obligations under time pressure.
The DPDPA 2023 adds a data protection dimension to cybersecurity incident response. Data fiduciaries (organisations that process personal data) must notify the Data Protection Board and affected data principals of personal data breaches in the prescribed form and within the prescribed timeline. A CIRP that integrates CERT-In technical notification requirements with DPDPA personal data breach notification requirements ensures that organisations can respond coherently to incidents that involve both technical compromise and personal data exposure.
A CIRP covers the incident classification framework, the Computer Security Incident Response Team (CSIRT) structure, the incident life cycle (preparation, detection, notification, containment, eradication, recovery, post-incident review), regulatory reporting templates, and communication protocols for internal and external parties.
The legal framework governing a Cybersecurity Incident Response Plan in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing a Cybersecurity Incident Response Plan (India) should confirm the document reflects current law, including any amendments enacted since the original drafting date.
When Do You Need a Cybersecurity Incident Response Plan (India)?
A Cybersecurity Incident Response Plan is required for all organisations covered by the CERT-In Directions 2022 — which covers virtually every Indian company with an IT infrastructure. It is particularly critical for certain categories of organisations.
Organisations processing personal data under the DPDPA 2023 need a CIRP that integrates technical incident response with personal data breach notification obligations. The combination of CERT-In's six-hour technical notification and DPDPA's breach notification requirements creates a demanding response timeline that requires pre-planned procedures and designated responsible persons.
Critical information infrastructure operators — power, water, telecommunications, banking, financial services — face heightened cybersecurity risks and regulatory scrutiny. Sectoral regulators (RBI, SEBI, TRAI, Ministry of Power) have all issued cybersecurity guidelines that require incident response capabilities.
SMEs and startups that process payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires a documented incident response plan as part of Requirement 12.10.
Companies that have experienced a cybersecurity incident — even a minor one — should immediately formalise their CIRP to prevent recurrence and to demonstrate to regulators, customers, and insurers that they have taken the incident seriously and implemented improved controls.
Organisations seeking cyber insurance coverage are increasingly required by insurers to demonstrate a documented CIRP as a condition of coverage and to qualify for lower premiums — cyber insurance is rapidly growing in India, driven by increasing attack frequency and DPDPA liability exposure.
Parties in India should prepare a Cybersecurity Incident Response Plan (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Cybersecurity Incident Response Plan (India)
A thorough Cybersecurity Incident Response Plan for an Indian company should contain the following essential elements.
Incident Classification Framework: A severity-based classification of incidents (e.g., Category 1 — low severity, no data breach; Category 2 — medium severity, limited data breach; Category 3 — critical, major data breach or system compromise) with corresponding response protocols.
CSIRT Structure: Defined roles and responsibilities for the Computer Security Incident Response Team, including CSIRT Lead, Security Analysts, Forensic Investigator, IT Administrator, and Network Administrator — with current contact details and 24/7 availability requirements.
CERT-In Notification Procedure: A step-by-step procedure for preparing and submitting the six-hour CERT-In notification for reportable incidents, including the designated CERT-In Liaison Officer and the notification template.
Incident Response Life Cycle: Documented procedures for each phase — detection, notification, containment, eradication, recovery, and post-incident review — with timelines and decision criteria.
DPDPA Breach Notification: Procedure for assessing whether a personal data breach has occurred and triggering DPDPA notification to the Data Protection Board and affected data principals.
Evidence Preservation: Chain-of-custody procedures for preserving forensic evidence consistent with Section 65B of the Indian Evidence Act 1872 for admissibility in court.
Communication Templates: Pre-approved templates for CERT-In notification, data principal notification, regulatory notifications (RBI, SEBI, IRDAI where applicable), customer communications, and press statements.
External Resources: Contact list for cybersecurity forensics firm, external legal counsel, cyber insurer, and law enforcement.
Testing and Review: Annual tabletop exercise or full simulation test, with post-exercise review and CIRP updates.
The statutes and regulators listed under the legal framework above also apply to a Cybersecurity Incident Response Plan (India) used in India. Forms-legal.com provides this template as a starting point for India-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cybersecurity Incident Response Plan (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/policies/cybersecurity-incident-response-plan-india
"Cybersecurity Incident Response Plan (India)." Forms Legal, 2026, https://forms-legal.com/india/business/policies/cybersecurity-incident-response-plan-india.
@misc{formslegal-cybersecurity-incident-response-plan-india,
author = {{Forms Legal}},
title = {Cybersecurity Incident Response Plan (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/policies/cybersecurity-incident-response-plan-india}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}
Frequently Asked Questions
India has some of the world's most stringent mandatory cybersecurity incident reporting requirements, established by the CERT-In (Indian Computer Emergency Response Team) Directions issued under Section 70B(6) of the Information Technology Act 2000 in April 2022. The CERT-In Directions 2022 require all 'service providers, intermediaries, data centres, body corporates, and government organisations' to report specified cybersecurity incidents to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents. The six-hour window is among the shortest mandatory reporting timelines globally — for comparison, the EU Network and Information Security (NIS2) Directive requires a 24-hour initial notification, and the US SEC cyber disclosure rules require a four-business-day disclosure period.
A well-designed Cybersecurity Incident Response Plan (CIRP) for an Indian organisation follows a structured life cycle of six phases, adapted to India's specific regulatory reporting obligations (particularly the CERT-In Directions 2022 and DPDPA 2023) and the threat landscape facing Indian organisations.
Phase 1 — Preparation: Establishing the incident response framework before any incident occurs. This includes: constituting the Computer Security Incident Response Team (CSIRT) or Security Incident Response Team (SIRT) with defined roles and responsibilities; documenting contact information for CERT-In, law enforcement (CBI Cybercrime Division, state Cyber Crime cells), legal counsel, and public relations; maintaining a current inventory of critical assets and data flows; maintaining verified, tested backups of critical systems; and conducting tabletop exercises and simulations at least annually.
Phase 2 — Detection and Analysis: Identifying and confirming a potential security incident. Monitoring tools (SIEM, IDS/IPS, DLP, endpoint detection) generate alerts; the security team investigates to determine whether an alert constitutes a genuine security incident. Key activities include: log analysis, threat intelligence correlation, and scope assessment (which systems and data are affected?). The CERT-In Directions 2022 require ICT logs to be maintained for 180 days within Indian jurisdiction — these logs are critical for detection and forensic investigation.
The CERT-In (Indian Computer Emergency Response Team) Directions 2022, issued by the Ministry of Electronics and Information Technology (MeitY) under Section 70B(6) of the Information Technology Act 2000 in April 2022, represent the most significant development in India's cybersecurity regulatory landscape in recent years. The Directions impose the following key obligations on all 'service providers, intermediaries, data centres, body corporates, and government organisations' in India:
Six-Hour Incident Reporting: The most discussed obligation — all covered entities must report 20 specified categories of cybersecurity incidents to CERT-In within six hours of detection. This applies 24/7, including weekends and public holidays. The required notification format and reporting portal (https://www.cert-in.org.in) are specified in the Directions.
Time Synchronisation: All ICT systems must synchronise their system clocks with the National Information Centre (NIC) Network Time Protocol (NTP) server or the National Physical Laboratory (NPL) NTP server — or with traceable sources to these. This requirement ensures that timestamps in system logs are accurate and consistent, which is critical for forensic investigation and incident correlation.
Log Retention: All ICT logs must be maintained securely within Indian jurisdiction for 180 days.
Ransomware attacks — in which malicious software encrypts the victim's data and demands payment (usually in cryptocurrency) for the decryption key — have become the most prevalent and damaging type of cybersecurity incident facing Indian organisations. India consistently ranks among the top five countries globally by number of ransomware attacks, according to data from CERT-In's annual reports and cybersecurity research firms. An Indian company that falls victim to a ransomware attack should take the following steps, consistent with CERT-In guidance, DPDPA 2023 obligations, and international best practice.
Immediate Containment: Isolate affected systems immediately — disconnect them from the network (including company LAN, internet, and cloud systems) to prevent lateral movement of the ransomware to additional systems. Do not shut down affected systems immediately — preserving the system's volatile memory (RAM) may allow forensic investigators to capture encryption keys or malware artefacts. Notify the IT security team and activate the CSIRT.
CERT-In Notification (Six Hours): Ransomware is explicitly listed as a 'malicious code attack' under the CERT-In Directions 2022, triggering the mandatory six-hour notification requirement. The company must notify CERT-In through the reporting portal at www.cert-in.org.in within six hours of detecting the attack. Failure to report is a criminal offence under Section 70B(7) of the IT Act 2000.
A Cybersecurity Incident Response Plan for an Indian company should establish a clear, tiered incident response team structure with defined roles, responsibilities, escalation paths, and communication protocols. The following team structure reflects CERT-In guidance, the NIST Cybersecurity Framework, and the practical requirements of Indian organisations. Computer Security Incident Response Team (CSIRT) — Core Technical Team: The CSIRT is the first responder to detected security incidents. It typically includes: (a) CSIRT Lead/Incident Commander — responsible for overall coordination of the incident response; (b) Security Analyst(s) — conducting detection, triage, containment, and eradication; (c) Forensic Investigator — preserving and analysing forensic evidence; (d) IT Systems Administrator(s) — implementing technical containment and recovery actions; and (e) Network Administrator — managing network isolation and traffic analysis.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.