
CERT-In 6-Hour Reporting SOP

Clock-aware standard operating procedure — detection to CERT-In submission in under 4 hours.

Last verified: 2026-06-17

T+0:00 — Detection & clock start

The 6-hour clock starts when the incident is *noticed* — by your SOC, an employee, a customer or a third party. Log the detection timestamp immediately; it anchors every subsequent regulator notification.

  • Record: detection time, detection source, affected systems
  • Open an incident ticket with a unique ID
  • Notify the incident commander and CISO

T+0:30 — Triage & classification

Map the event to one (or more) of the 26 CERT-In reportable categories. If it plausibly matches, treat it as reportable — preliminary reports are acceptable and expected.

  • Classify against the 26-type table
  • Estimate impact: systems, data categories, user counts
  • Decide parallel notifications: RBI CSITE / SEBI Cybercell / IRDAI (6 hrs), DPB (72 hrs, once enforceable)

T+1:30 — Containment in parallel

Containment and reporting run in parallel — never delay the report to finish containment.

  • Isolate affected hosts / revoke credentials
  • Preserve logs and forensic evidence (180-day retention applies)
  • Engage legal counsel and crisis communications

T+3:00 — Draft the CERT-In report

Email incident@cert-in.org.in using the format prescribed in the Directions. A preliminary report within 6 hours with follow-ups is explicitly acceptable.

  • Include: incident type, date/time noticed, affected systems, symptoms, impact estimate, initial remediation steps
  • Use the subject-line format specified in the CERT-In Directions
  • Keep proof of submission (sent timestamp) for inspections

T+4:00 — Submit & fan out

Target internal submission by T+4:00 to keep a 2-hour safety margin. Then complete the parallel regulator notifications on the same evidence pack.

  • Submit to CERT-In; record acknowledgement
  • File RBI CSITE / SEBI / IRDAI reports as applicable (same 6-hr window)
  • Brief CEO and Board

T+21 days — Root cause analysis

Sector regulators (RBI, SEBI, IRDAI) require a root-cause analysis within 21 days. Reuse the CERT-In evidence pack and update it as forensics conclude.

  • RCA: cause, timeline, impact, corrective and preventive actions
  • Update the multi-regulator breach log
  • Feed lessons into the next tabletop exercise
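The clock arithmetic behind these steps, as an added example that is not part of the original page: the deadline offsets are the ones stated in this SOP, while the report field names and the ISO-8601 ticket timestamp format are assumptions.

```python
from datetime import datetime, timedelta
# Deadline offsets stated in this SOP, all measured from the moment the incident was noticed.
DEADLINES = {
    "internal_target":   timedelta(hours=4),   # T+4:00 SOP target, keeps a 2-hour margin
    "cert_in_report":    timedelta(hours=6),   # statutory CERT-In window
    "sector_regulators": timedelta(hours=6),   # RBI CSITE / SEBI / IRDAI, same window
    "dpb_notice":        timedelta(hours=72),  # DPB, once enforceable
    "rca_due":           timedelta(days=21),   # root-cause analysis for sector regulators
}
# Contents of the preliminary report listed at T+3:00; these key names are assumed.
REQUIRED_FIELDS = ("incident_type", "time_noticed", "affected_systems",
                   "symptoms", "impact_estimate", "initial_remediation")

def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 ticket timestamp with offset, e.g. 2026-06-17T09:00:00+05:30."""
    return datetime.fromisoformat(value)

def _require_aware(ts: datetime, label: str) -> None:
    # A naive timestamp mixed with an aware one silently shifts the clock; refuse it.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")

def schedule(noticed: datetime) -> dict:
    """Anchor every regulator deadline on the detection timestamp."""
    _require_aware(noticed, "detection time")
    return {name: noticed + offset for name, offset in DEADLINES.items()}

def missing_fields(report: dict) -> list:
    """Return the SOP-listed report fields still empty in the draft."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]

def check_submission(noticed: datetime, submitted: datetime) -> dict:
    """Classify a CERT-In submission time against the SOP clock."""
    _require_aware(noticed, "detection time")
    _require_aware(submitted, "submission time")
    elapsed = submitted - noticed                  # aware values compare across zones
    margin = DEADLINES["cert_in_report"] - elapsed
    if elapsed <= DEADLINES["internal_target"]:
        status = "on_target"
    elif elapsed <= DEADLINES["cert_in_report"]:
        status = "within_window"                   # lawful, but the safety margin is spent
    else:
        status = "late"
    return {"status": status, "minutes_to_deadline": int(margin.total_seconds() // 60)}

if __name__ == "__main__":
    noticed = parse_ts("2026-06-17T09:00:00+05:30")            # constructed sample
    print(schedule(noticed)["cert_in_report"].isoformat())     # 2026-06-17T15:00:00+05:30
    print(check_submission(noticed, parse_ts("2026-06-17T07:00:00+00:00")))
```

A SOC logging in UTC and a commander submitting from an IST workstation compare correctly only because both values carry an offset; a naive timestamp is rejected rather than silently shifting the clock.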