Cybersecurity & Compliance Services in India

ISO 27001, PCI DSS, DPDP Act, CERT-In & RBI Compliance Consulting for Indian Businesses

eShield delivers certified cybersecurity consulting and compliance services across India. From ISO 27001 implementation in Mumbai and Bangalore to DPDP Act readiness, CERT-In incident reporting, and RBI cybersecurity framework compliance – we help Indian businesses build robust security postures aligned to national and international standards.

Mumbai • Bangalore • Delhi • Hyderabad • Chennai • Pan-India Remote

India Cybersecurity Regulatory Landscape

India’s regulatory environment for cybersecurity and data protection has evolved rapidly. Businesses must navigate multiple frameworks across MEITY, RBI, SEBI, IRDAI, and CERT-In mandates.

DPDP Act 2023

India's Digital Personal Data Protection Act. Mandatory for all data fiduciaries processing personal data of Indian residents. Consent management, data principal rights, breach notification within 72 hours, and significant data fiduciary obligations.

Regulator: MEITY | Effective: 2025

CERT-In Directions 2022

Mandatory 6-hour incident reporting for 20 categories of cyber incidents. ICT system logs retained for 180 days. KYC for VPN, cloud, and crypto service providers. Mandatory for all companies operating in India.

Regulator: CERT-In | Effective: June 2022

RBI Cybersecurity Framework

Comprehensive cybersecurity framework for banks and NBFCs. SOC requirements, vulnerability assessment, penetration testing mandates, patch management, and cyber crisis management plans (CCMP). Annual RBI audits.

Regulator: RBI | Mandatory for Banks/NBFCs

SEBI Cybersecurity Framework

SEBI CSCRF 2024 mandates cybersecurity controls for stock exchanges, depositories, brokers, and MIIs. Classified entities (MII, Qualified, Mid, Small) have tiered requirements. Annual VAPT, SOC monitoring, and incident response plans mandatory.

Regulator: SEBI | Effective: January 2025

ISO 27001:2022

International standard for Information Security Management Systems. Widely adopted by Indian IT, fintech, healthcare, and SaaS companies. Required by enterprise customers globally. 93 controls across 4 themes. eShield provides end-to-end implementation and certification support.

International Standard | Globally Recognised

PCI DSS v4.0

Mandatory for Indian payment processors, banks, e-commerce, and fintech handling card data. RBI additionally mandates PCI DSS for payment aggregators and gateways. v4.0 adds MFA, anti-phishing, and targeted risk analysis requirements.

Regulator: PCI SSC + RBI | Mandatory for Payments

Our India Cybersecurity Services

ISO 27001 Implementation India

End-to-end ISMS implementation and ISO 27001:2022 certification support for Indian IT, SaaS, fintech, and healthcare companies. Gap assessment, policy framework, risk treatment, and certification audit coordination.

VAPT & Penetration Testing India

CERT-In compliant vulnerability assessment and penetration testing for Indian organisations. Network, web application, mobile, and API security testing. Reports aligned to CERT-In, RBI, and SEBI audit requirements.

DPDP Act Compliance

Full DPDP Act 2023 readiness assessment and implementation. Data mapping, consent mechanism design, privacy policy review, data principal rights workflows, and breach notification procedures. Significant Data Fiduciary support.

RBI Cybersecurity Framework

Compliance consulting for RBI cybersecurity framework for banks and NBFCs. Cyber Crisis Management Plan (CCMP) development, SOC setup advisory, vulnerability management programme, and RBI audit preparation.

SEBI CSCRF Compliance

SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) 2024 compliance for brokers, AMCs, depositories, and market infrastructure institutions. Entity classification, gap assessment, and control implementation.

CERT-In Incident Response

CERT-In compliant incident response capability setup. 6-hour mandatory reporting workflows, log retention (180 days), incident classification, and coordination with CERT-In for notifiable events.

Cities We Serve Across India

Mumbai • Bangalore • Delhi NCR • Hyderabad • Chennai • Pune • Ahmedabad • Kolkata • Noida • Gurugram • Pan-India Remote

Frequently Asked Questions

What cybersecurity compliance is mandatory in India?

Key mandatory frameworks in India include: CERT-In Directions 2022 (6-hour incident reporting, log retention – all companies), DPDP Act 2023 (data protection – all data fiduciaries), RBI Cybersecurity Framework (banks and NBFCs), SEBI CSCRF 2024 (capital market entities), and PCI DSS (payment processors). ISO 27001 is widely adopted but voluntary unless required by clients or contracts.

What is the DPDP Act and who does it apply to?

The Digital Personal Data Protection Act 2023 applies to all organisations (data fiduciaries) that process personal data of individuals in India, whether collected digitally or offline. It requires consent management, data principal rights (access, correction, erasure), breach notification within 72 hours, and appointment of a Data Protection Officer for Significant Data Fiduciaries.

What are CERT-In mandatory reporting requirements?

CERT-In Directions 2022 require mandatory reporting of 20 categories of cyber incidents within 6 hours of detection. These include data breaches, ransomware, unauthorised access, and denial of service attacks. Organisations must also maintain ICT system logs for 180 days and implement a point of contact for CERT-In communications.

How long does ISO 27001 certification take in India?

ISO 27001 certification in India typically takes 4-9 months depending on organisation size and current security maturity. Small organisations (50-200 employees) typically achieve certification in 4-6 months. Large enterprises may take 8-12 months. eShield delivers the gap assessment in weeks 1-2, implementation in months 1-5, the internal audit in months 5-6, and the certification audit in months 6-9.

Does CERT-In mandate penetration testing?

CERT-In itself does not mandate frequency of penetration testing, but the RBI Cybersecurity Framework mandates annual VAPT for banks and NBFCs. SEBI CSCRF 2024 requires annual penetration testing for classified entities. PCI DSS v4.0 requires quarterly external scans and annual penetration testing. Most Indian enterprises follow annual VAPT as best practice.

Can eShield deliver services remotely across India?

Yes. eShield delivers all compliance consulting, documentation, gap assessments, policy development, and advisory services remotely across India. Penetration testing is delivered remotely for external assessments and via secure VPN access for internal network assessments. Onsite visits to Mumbai, Bangalore, Delhi, and Hyderabad are available for critical engagements.

Ready to Protect Your Business?

Speak to a certified consultant today. Free initial consultation – response within 24 hours.

Call/WhatsApp: +971 585 778 145