EXECUTIVE BRIEF FOR INDIAN ENTERPRISES
The India CISO Incident Response Playbook
CERT-In And DPDP Ready In The First Six Hours
Your CERT-In clock starts the moment you know. Not when you’re ready. If your first six hours are not operationally engineered, with named owners, a tested severity matrix, centralised logs, and a pre-built report template, your compliance posture rests on luck, not process.
Why This Matters Now
India’s regulatory environment has tightened sharply. CERT-In’s Directions of April 2022, issued under Section 70B of the IT Act, 2000, require reporting of specified cyber incidents within six hours of noticing them or being brought to notice. The Digital Personal Data Protection Act, 2023, adds structured breach assessment and notification obligations, to the Data Protection Board of India and to affected Data Principals, wherever personal data is involved.
The cost of a data breach in India averaged INR 220 million in 2025, up 13% from 2024 (IBM Cost of a Data Breach Report 2025). That figure compounds with every hour of detection delay: a 10–15% escalation in breach cost linked to delayed containment translates to INR 22–33 million of avoidable additional impact on that average.
Regulators expect speed, documented decision-making, and a defensible evidence chain. The question is not whether you have an incident response policy. The question is whether your first six hours have been engineered and tested.
What Failure Looks Like
Consider a mid-sized NBFC in Mumbai. On a Friday evening, a privileged account authenticates from an unfamiliar geography. The SIEM fires an alert, one of several hundred raised on that shift.
How the next six hours unfold without readiness:
- 08:40 PM Alert triggers. Analyst flags it for review.
- 09:55 PM True positive confirmed, but MFA logs are not centralised. Retrieval stalls.
- 10:40 PM Legal is called. Debate begins on whether this is a CERT-In reportable incident.
- 11:20 PM Customer data repository access confirmed.
- 12:15 AM CISO is reached. Reporting ownership still being established.
- 02:30 AM Initial report drafted. The clock that started at 08:40 PM closes at 02:40 AM; the report is not submitted in time.
The breach itself was contained. The regulatory exposure was not. It arose from delay, ambiguity, and log retrieval gaps, not from the severity of the incident.
Three Failure Patterns. One Structural Cause.
Across BFSI, IT/ITeS, and manufacturing, the same three failures recur:
| Failure | What It Costs You |
|---|---|
| Detection Delay | Identity misuse goes undetected for hours. Alerts fragment across tools. By the time the SOC validates, the window is half gone. |
| Classification Delay | No pre-agreed severity matrix. Teams debate reportability. Legal arrives late. The clock does not pause for internal alignment. |
| Escalation Delay | No named reporting officer. No out-of-hours rotation. Weekend incidents go unreported because no one has the authority to act. |
These are not technology failures. They are process and governance failures - and they are entirely preventable before an incident occurs.
Download The Full Playbook: get the severity matrix, DPDP checklist, role-based runbooks, and 90-day roadmap, everything you need to pass the six-hour test. [ Request Access → ] For CISOs, Legal Counsel, CROs, and SOC Leaders accountable for CERT-In and DPDP compliance.
Where Does Your Organisation Sit?
Use the snapshot below to self-locate. Most Indian enterprises arriving at this page sit at Level 2. The gap between Level 2 and Level 3 is not a technology investment - it is a process and rehearsal investment. The full playbook provides the tools to close it.
| Capability | Level 1: Reactive | Level 2: Tool-Driven | Level 3: Operationalised | Level 4: Board-Tested |
|---|---|---|---|---|
| Detection Speed | Manual discovery. Hours pass before validation. | Alert-driven but fragmented across consoles. | Correlated multi-domain telemetry. Alert-to-validation under 60 min. | Tested under simulation. Benchmark achieved consistently. |
| Log Readiness | Siloed. Retrieval requires manual effort. | Central storage but limited correlation. | Unified timeline. Critical logs retrieved within 30 minutes. | Retrieval tested under pressure. Results documented for board. |
| Reporting Ownership | Unclear. No named officer for after-hours. | Named but untested. No rotation schedule. | Defined, rehearsed, and on an out-of-hours rotation. | Executive-approved. Deputy named. Tested quarterly. |
| Escalation Workflow | Ad hoc. Weekend escalation frequently breaks down. | Documented but not time-bound. | Time-bound and measured. Escalation under 60 min of classification. | Simulated quarterly. CISO and Legal participate. Results minuted. |
If you cannot confidently place your organisation at Level 3 across all four capabilities, your six-hour window is at risk. The full playbook is designed to take you from wherever you are today to Level 3 within 90 days, with documented, board-presentable evidence that you got there.
What The Full Playbook Gives You
The gated version is an operational toolkit. Each asset below solves a specific part of the six-hour problem:
| Asset | What It Enables You To Do |
|---|---|
| CERT-In Reportability Decision Tool | Give your SOC a one-page flow they can run at 2am to determine reportability without escalating to Legal. |
| Severity Matrix (CERT-In Aligned) | Classify incidents against CERT-In’s specified categories in under 15 minutes, without debate. |
| DPDP Breach Assessment Checklist | Confirm personal data scope, assess harm likelihood, and document your rationale in a single structured form. |
| Role-Based Runbooks (CISO, SOC, Legal) | Eliminate ambiguity about who does what, in what order, within what timeframe. |
| Executive Incident Brief Template | Deliver a structured, decision-ready brief to your CISO and board within 60 minutes of classification. |
| Evidence Capture Protocol | Preserve chain of custody from alert to report, so your timeline is factual, not reconstructed. |
| 90-Day Readiness Roadmap | A phased implementation plan with named owners, measurable benchmarks, and board-presentable outputs. |
| Tabletop Exercise Script | Run a realistic six-hour simulation with your CISO, Legal, and SOC, with a scoring model to measure the gap. |
This is an operational document, not commentary. Every asset is designed to be used on the day of an incident, not read in preparation for one.
What You Should Be Able To Prove In 90 Days
These are the measurable outcomes the playbook is designed to deliver. Use them as your acceptance criteria.
- Detection-to-escalation under two hours, tested under simulation
- Named reporting officer with documented deputy and out-of-hours rotation
- Critical log retrieval under 30 minutes, verified by rehearsal
- Severity matrix applied without Legal debate in tabletop exercise
- CERT-In initial submission template pre-populated and approved
- Simulation results documented and presented to Audit Committee
If you cannot demonstrate these six outcomes, readiness remains assumed, not confirmed.
About Proactive
Proactive Data Systems works with Indian enterprises to operationalise the first six hours. As a Cisco Preferred Security Partner, Proactive designs and deploys integrated identity, access, segmentation, and detection architectures — and then tests them under realistic incident conditions.
Every engagement delivers a scored maturity assessment, a quantified gap report, a 90-day remediation plan, and a simulated six-hour drill with documented results.
Architecture capabilities Proactive deploys:
Six hours. Engineered, not improvised.