NCIIPC Critical Information Infrastructure Audit
Audit your Critical Information Infrastructure the way NCIIPC inspectors do.
Macksofy delivers NCIIPC-aligned audits for entities operating Critical Information Infrastructure (CII) — Government, PSU, banking, power, telecom, transport and strategic-public-enterprise assets notified under IT Act §70. CERT-In empanelled, NCIIPC-framework mapped, inspection-evidence ready.
- NCIIPC Guidelines for Protection of CII (current revision)
- IT Act 2000 §70 + Rules 2013
- MeitY Information Security Policy
- CERT-In Empanelled Auditor Scope of Work
- ISO 27001:2022 (Annex A crosswalk)
- NIST SP 800-53 (control-family crosswalk)
- RBI CSF (banking-sector CII overlap)
- TRAI / DoT Security Conditions (telecom CII overlap)
Compliance is leverage, not paperwork.
If your organisation operates assets that have been notified as Critical Information Infrastructure under IT Act §70, you are subject to NCIIPC oversight. The National Critical Information Infrastructure Protection Centre publishes baseline-security guidelines, mandates incident reporting timelines, and conducts inspections. A non-compliant CII finding can result in operational restrictions, public-record sanction or — for designated essential services — Cabinet-level attention. Most operators have never been audited in the NCIIPC format specifically; an ISO 27001 or RBI CSF audit does not substitute. Macksofy walks an estate that has only ever been audited in another format through the gap-closure required to clear an NCIIPC inspection without rework.
- Government IT systems notified as CII under IT Act §70
- Public-sector banks (notified CII assets)
- Power & energy sector — generation, transmission, distribution (notified CII)
- Telecom & internet infrastructure operators (notified CII)
- Transport — railways, airports, ports (notified CII)
- Strategic & public enterprise IT systems (notified CII)
- Health-sector CII (notified state / central facilities)
- Defence-public-sector undertakings (notified CII)
Aligned to the regulations that matter.
How we run an NCIIPC CII Audit engagement.
Phase-by-phase walkthrough: every activity documented, every artefact regulator-ready.
1 · CII scoping confirmation
- Confirm notified CII assets with the designated Authority (CISO / CIO)
- Map notified assets to operational systems + data flows
- Identify dependency-chain CII (upstream / downstream)
- Cross-reference NCIIPC sectoral guidance if sector-specific notification exists
Everything you need to satisfy auditors.
- NCIIPC-format inspection-readiness evidence pack
- Gap-closure register with risk-ranked actions and target dates
- Designated-Authority briefing pack (board / CISO level)
- Sectoral CERT reporting playbook with NCIIPC timelines
- Macksofy CERT-In empanelment confirmation letter
- Quarterly drift-audit reports (retainer)
First-time NCIIPC inspection-readiness audit + RBI CSF crosswalk
Outcome: Cleared NCIIPC inspection with zero major non-conformances; 70% of artefacts re-used as RBI CSF evidence.
NCIIPC + CEA crosswalk for transmission OT/IT estate
Outcome: Boundary clarified between IT (CII) and OT (sectoral); audit cycle compressed from 16 to 9 weeks.
Notified-application inventory + NCIIPC baseline gap closure
Outcome: 20-application portfolio cleared in 12 weeks; sectoral-CERT reporting workflow operational.
The shape of an NCIIPC CII Audit engagement.
Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.
What we actually examine.
Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.
- NCIIPC baseline-control adherence (10 pts)
- Inspection readiness (8 pts)
- Sectoral overlap (5 pts)
The control families NCIIPC inspectors actually check.
- Information security policy + governance
- Asset management + CII boundary
- Access control + privileged access
- Cryptographic controls
- Physical & environmental security
- Communications security + network segmentation
- System acquisition / development / maintenance security
- Supplier / third-party security (sectoral relevance)
- Incident management + sectoral-CERT reporting
- BCP / DR aligned to CII service-restoration RTO
What an NCIIPC inspector asks for, in the order they ask.
- Designated-Officer + ISC composition + meeting records
- Updated CII inventory + dependency map
- Risk-assessment & risk-treatment plan
- Pentest / VAPT reports for notified CII assets
- Incident register with sectoral-CERT timelines met
- DR / BCP exercise records (annual minimum)
- Training & awareness records for CII personnel
- Third-party / supplier-security evidence
Where NCIIPC meets RBI / SEBI / TRAI / DoT / health-regulatory.
- Public-sector bank: NCIIPC + RBI CSF crosswalk
- Power utility: NCIIPC + CEA Cyber Security in Power Sector
- Telecom: NCIIPC + DoT licence security conditions
- Government IT system: NCIIPC + CERT-In + DPDP §16
- Health-CII: NCIIPC + DPDP + IT Act §43A overlap
From kick-off to regulator-ready report.
The week-by-week shape of an NCIIPC CII Audit engagement follows the phases described in the methodology section above, from kick-off through gap closure to the regulator-ready report.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Things compliance leads ask before signing.
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
