
15 Elemental Cyber Defense Controls for Indian MSMEs


Summary

CERT-In has published 15 Elemental Cyber Defense Controls with 45 mapped security baseline recommendations for Micro, Small and Medium Enterprises (MSMEs) in India. The controls cover network and email security, endpoint and mobile security, asset management, secure configurations, incident management, data protection, access control, backup and recovery, logging and monitoring, and workforce security. The guidance recommends that MSMEs conduct annual baseline audits through CERT-In empaneled auditing organizations and integrate these controls into their cybersecurity policies.

“MSMEs may conduct Baseline Audits through CERT-In Empaneled Auditing Organizations for these elemental controls at least once in a year.”

CERT-In, verbatim from source
Published by CERT-In on cert-in.org.in. Detected, standardized, and enriched by GovPing.


What changed

CERT-In issued Version 1.0 of its Elemental Cyber Defense Controls document on September 1, 2025, establishing a minimum cybersecurity baseline for Micro, Small and Medium Enterprises in India. The document maps 45 security baseline recommendations across 15 elemental controls, covering areas such as network and email security, endpoint and mobile security, asset management, secure configurations, incident management, data protection, access control, backup and recovery, logging and monitoring, and workforce security training. The guidance explicitly states that this document provides minimum recommended security controls and organizations must go beyond these baseline controls based on their specific risk assessments and operational needs.

MSMEs in India should use these 15 elemental controls as a starting point for benchmarking their cybersecurity posture and conduct self-assessments against the 45 mapped security baseline recommendations. Organizations may integrate these controls into their cybersecurity policies and are encouraged to conduct annual baseline audits through CERT-In empaneled auditing organizations. While this document establishes a foundational cybersecurity framework, compliance officers should note that it explicitly requires organizations to implement additional security measures beyond the baseline based on their unique risk profiles, industry requirements, and emerging threats.

What to do next

  1. MSMEs may conduct Baseline Audits through CERT-In Empaneled Auditing Organizations for these elemental controls at least once in a year.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India

15 Elemental Cyber Defense Controls for Micro, Small, and Medium Enterprises (MSMEs) Version 1.0 Dated 01.09.2025

Contents

  1. Introduction
  2. Utilization of this document
  3. Disclaimer
  4. Cyber Defense Controls and Security Baseline Recommendations for Implementation
  5. Acknowledgement

  1. Introduction
    To safeguard Cyber Infrastructure, confidential data, adhere to legal requirements, reduce financial risk, maintain customer confidence, guarantee operational continuity, gain a competitive advantage, support digital projects, and sustain business growth in an increasingly digital environment, cybersecurity is essential for Micro, Small, and Medium Enterprises (MSMEs) in India. This document containing 15 Elemental Controls of Cyber Defense has been issued for MSMEs by Indian Computer Emergency Response Team (CERT-In).

    This document is applicable to Micro, Small & Medium Enterprises (MSMEs) which are covered as per the criteria for classification of micro, small and medium enterprises, notified by Ministry of Micro, Small & Medium Enterprises, Government of India vide notification no. 2020 S.O. 1702(E) dated 1st June 2020 in exercise of the powers conferred by sub-section (1) read with sub-section (9) of section 7 of the 'Micro, Small and Medium Enterprises Development Act, 2006'.

    Organizations may protect themselves from the most prevalent type of cyberattacks from the Internet by implementing the mentioned Cyber Defense Controls. These are the cyber security baseline criteria that give organizations the chance to benchmark against a minimal set of cyber security controls and assist them in choosing where to start when developing a cyber-security program. Organizations can begin their road towards adopting a comprehensive cyber security framework by utilizing a minimum set of cyber security measures.

15 Cyber Defense Controls, 45 Recommendations for implementation


  2. Utilization of this document

    For MSMEs:

      1. MSMEs may use the 45 security baseline recommendations mapped to the 15 Elemental Cyber Defense Controls to strengthen their cybersecurity posture and conduct self-assessments to gauge their current level of preparedness.
      2. MSMEs may conduct Baseline Audits through CERT-In Empaneled Auditing Organizations for these elemental controls at least once in a year.
      3. This document, outlining Elemental cyber defense controls, can be integrated into the organization's cybersecurity policy to enhance security measures and ensure comprehensive protection.

    For CERT-In Empaneled Auditing organizations:

      1. The auditing organizations may utilize this document to evaluate the auditee organizations based on evidence against these cyber security baseline criteria. Auditing organizations should clearly mention and educate that these are the minimum requirements against which the audit was performed.


  3. Disclaimer
    This Cybersecurity Baseline Document provides a minimum set of security controls recommended for Micro, Small and Medium Enterprises (MSMEs) to establish a foundational level of cybersecurity. It serves as a starting point to help MSMEs implement essential security measures and move toward a more robust security posture.

    However, cybersecurity threats are constantly evolving, and each organization faces unique risks based on its industry, size, infrastructure, and data sensitivity. Therefore, MSMEs must go beyond these baseline controls and implement additional security measures based on their specific risk assessments and operational needs.

    MSMEs should regularly review, update, and strengthen their cybersecurity practices in alignment with emerging threats, industry standards, and regulatory requirements. Seeking professional cybersecurity guidance is encouraged for a more tailored and comprehensive security strategy.

    By using this document, MSMEs acknowledge that cybersecurity is an ongoing process, and they are responsible for assessing and implementing appropriate security measures beyond this baseline.


  4. Cyber Defense Controls and Security Baseline Recommendations for Implementation

Each entry below gives the serial number and name of the Elemental Cyber Defense Control, its Objective, and the recommendations mapped to it.

Control 1: Effective Asset Management (EAM)
    Objective: Establish and maintain an efficient asset management framework and enhance ability to track, monitor, and optimize the utilization of both physical and digital assets.
    EAM.1: Establish and maintain a centralized, continuously updated inventory of all hardware, software, and information assets, with proper identification, labeling, and classification of sensitive assets to ensure appropriate handling and access control.
    EAM.2: Track the full asset lifecycle - from acquisition through deployment, use, and secure disposal - updating records for any change in location, status, or condition.

Control 2: Network and Email Security (NES)
    Objective: To safeguard networks and email systems against unauthorized access, data breaches, and cyber threats through secure communication.
    NES.1: Deploy firewalls at the network perimeter and enable Host-based firewall. Ensure firewalls are properly configured.
    NES.2: Ensure secure wireless connectivity by configuring Wi-Fi networks with WPA2/WPA3 encryption, strong passwords, and hidden SSIDs; avoid factory-default credentials and segregate guest networks from internal systems. Additionally, prevent endpoints from auto-connecting to open or public Wi-Fi and enforce secure wireless configurations across all devices.
    NES.3: Implement VPNs with encryption and MFA to secure remote access and protect remote work environments.
    NES.4: Protect email and messaging systems from phishing and spoofing using SPF, DKIM, DMARC.

Control 3: Endpoint & Mobile Security (EMS)
    Objective: To safeguard end-user devices by enforcing security policies and practices that ensure secure access, data protection, and resilience against threats.
    EMS.1: Install antivirus or endpoint protection software on all devices, using only licensed versions to ensure vendor support and regular updates. Do not disable built-in operating system security features (e.g., Windows Defender, Windows Firewall).
    EMS.2: Avoid pirated or unauthorized software to reduce legal and security risks, and restrict software installation to authorized personnel only.
    EMS.3: Onboard with CERT-In's Cyber Swachhta Kendra (CSK) (Botnet Cleaning and Malware Analysis Centre) to receive alert & advisory on Malware & Botnet infection.
    EMS.4: Restrict or control USB and removable media usage, and consider disabling autorun features to prevent malware spread.

Control 4: Secure Configurations (SC)
    Objective: Implement and manage secure configuration of hardware and software installed within the network. Implement strict configuration rules and change control/approval process.
    SC.1: Implement and maintain baseline security configurations for Server & Endpoint operating systems, network devices, browsers, and commercial off-the-shelf (COTS) software, based on configurations approved by the entity.
    SC.2: Disable unnecessary features, ports, services, protocols, and default applications to reduce the attack surface.
    SC.3: Remove unused software and system functions, and change all default passwords and settings before deployment.

Control 5: Patch Management (PM)
    Objective: To reduce security vulnerabilities by systematically identifying, testing, and applying patches and updates to software, systems, and devices in a timely manner.
    PM.1: Regularly apply security patches and updates to operating systems, applications, and firmware.
    PM.2: Monitor vendor notifications and security advisories, CERT-In advisories and other relevant sources to remain informed about the latest patches and vulnerabilities affecting your IT environment.

Control 6: Incident Management (IM)
    Objective: To ensure timely detection, reporting, response, and recovery from cybersecurity incidents through a structured and coordinated incident management process.
    IM.1: Develop and document a formal Incident Response Plan (IRP) covering reporting, containment, investigation, recovery, and communication procedures.
    IM.2: Conduct regular testing of the Incident Response Plan (IRP) to ensure its effectiveness and readiness during actual incidents.
    IM.3: Adhere to Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet which are published on CERT-In's website, including: report cybersecurity incidents to CERT-In within 6 hours of detection or notification.

Control 7: Logging and Monitoring (LM)
    Objective: Implementing continuous logging and monitoring of systems, networks, and user activities, ensuring timely alerts and auditability.
    LM.1: Enable comprehensive logging on all key ICT systems to ensure traceability and accountability, and retain system and application logs for a minimum of 180 days with secure storage within Indian jurisdiction.
    LM.2: Continuously monitor network activity and privileged user actions to detect suspicious behavior and unauthorized access attempts.
    LM.3: It is recommended to deploy monitoring security solutions to enhance log analysis, threat detection, and response.

Control 8: Awareness and Training (AT)
    Objective: To enhance cybersecurity posture by educating personnel on security policies, risks, and best practices through regular awareness programs and role-based training.
    AT.1: Conduct basic cybersecurity awareness training at least twice a year for all employees and contractors, covering key topics such as phishing, password hygiene, social engineering, BYOD risks, safe internet usage, acceptable use policies, handling of sensitive/classified information, and responsible email practices.
    AT.2: Actively participate in cybersecurity awareness workshops, capacity-building programs, and national-level cybersecurity exercises and drills conducted by CERT-In to enhance preparedness and strengthen organizational response capabilities.

Control 9: Third Party Risk Management (TPRM)
    Objective: To protect organization from potential vulnerabilities introduced by external service providers.
    TPRM.1: Conduct thorough due diligence for each vendor or third party based on potential business impact or likelihood of compromise.
    TPRM.2: Hold all third-party providers to the same security standards applied internally (at minimum, as per this baseline), ensuring consistency and resilience across the entire supply chain.

Control 10: Data Protection, Backup and Recovery (DPBP)
    Objective: To ensure the confidentiality, integrity, and availability of data by implementing robust protection measures, maintaining regular and secure backups, and establishing effective recovery mechanisms to restore data and services in the event of loss, corruption, or cyber incidents.
    DPBP.1: Establish a regular backup schedule (e.g., daily or weekly) and store encrypted backup copies in secure, other network sites -- combining offsite, and offline (e.g., USB or tape).
    DPBP.2: Test backup restoration procedures periodically to ensure data recoverability and system resilience.
    DPBP.3: Develop and maintain a minimum Business Continuity Plan (BCP) for identified critical applications to ensure timely recovery and continuity of operations.
    DPBP.4: Ensure secure disposal of both physical and digital media using proper sanitization or destruction methods.

Control 11: Governance and Compliance (GC)
    Objective: To ensure accountability and compliance with cybersecurity policies, regulations, and standards through defined responsibilities, oversight, and regular reviews.
    GC.1: Assign a security incharge/Single POC to oversee all information security activities and serve as the primary point of contact for CERT-In and regulators.
    GC.2: Establish and formally approve an Information Security Policy tailored to the organization's scale and operations, covering data protection, access control, incident response, password policies, third-party management, and audits.
    GC.3: Periodically review and update security policies to reflect major business, technological, or regulatory changes.
    GC.4: Adhere to guidelines and directions issued by CERT-In and regulators.

Control 12: Robust Password Policy (RPP)
    Objective: Strengthen passwords to protect sensitive data from unauthorized access.
    RPP.1: Enforce the use of strong, unique passwords across all systems, requiring a minimum of 8 to 12 characters with a mix of uppercase and lowercase letters, numbers, and special characters. Set password expiry intervals and restrict password reuse; educate users against sharing credentials.
    RPP.2: Temporarily lock accounts after 3 to 5 failed login attempts to prevent brute force attacks.
    RPP.3: Enable Multi-Factor Authentication (MFA) for all critical systems, administrative accounts, and remote access tools.
    RPP.4: Use secure encryption and hashing algorithms to store passwords safely.

Control 13: Access Control and Identity Management (ACIM)
    Objective: To ensure that only authorized users and systems can access resources based on defined roles and privileges.
    ACIM.1: Assign unique user IDs to all individuals to avoid shared accounts and ensure full traceability of system activity.
    ACIM.2: Implement role-based access controls aligned with defined job responsibilities, following the principle of least privilege.
    ACIM.3: Review and update user access privileges periodically at least quarterly or immediately upon role changes, transfers, or employee exits, using a formal offboarding checklist.
    ACIM.4: Grant administrative privileges only when essential, and enforce segregation of duties across administrative, financial, and data functions.

Control 14: Physical Security (PS)
    Objective: To prevent unauthorized physical access to critical infrastructure, systems, and data.
    PS.1: Implement robust physical access controls for critical infrastructure and systems. Use security guards, electronic badges, and biometric access for server rooms, network equipment, and other sensitive areas. Monitor entry and exit using CCTV.
    PS.2: Maintain a comprehensive asset-return checklist (ID cards, laptops, USB drives, and other equipment) for every employee exit to prevent data loss and asset leakage.

Control 15: Vulnerability Audits and Assessments (VAA)
    Objective: To evaluate an organization's security posture, policies, and practices to ensure they effectively protect against threats and vulnerabilities.
    VAA.1: Ensure that independent third-party vulnerability assessments of business-critical assets and applications are conducted at least once a year, and establish effective remediation strategies to address identified vulnerabilities in a timely manner.
    VAA.2: Perform periodic risk assessments to identify organization-specific threats and guide mitigation strategies.

  5. Acknowledgement
    Micro, Small, and Medium Enterprises (MSMEs) form the backbone of the Indian economy, contributing significantly to employment, innovation, and GDP. As key enablers in national and global supply chains, MSMEs increasingly rely on digital infrastructure -- making them critical targets for cyber threats. Strengthening their cybersecurity posture is essential for ensuring resilient and secure digital ecosystems across sectors. With this vital context, the Indian Computer Emergency Response Team (CERT-In) acknowledges the valuable contributions and insights provided by the following experts during the review and development of the document on Cyber Defense Controls and Recommendations for Micro, Small, and Medium Enterprises (MSMEs).

      1. Dr. Shekhar Pawar, SecureClaw and Inventor of "Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI)" Framework
      2. Mr. Salil Kapoor, Netrika Consulting
      3. Mr. Santosh Desai, Allied Boston
      4. Mr. Vikram Taneja, CyberSRC Consultancy
      5. Mr. Apurva Krishna Malviya, Panacea Infosec Pvt. Ltd
      6. Mr. Sheltan T T, Xiotz Private Limited

Named provisions

  1. Introduction
  2. Utilization of this document
  3. Disclaimer
  4. Cyber Defense Controls and Security Baseline Recommendations for Implementation
  5. Acknowledgement


About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CERT-In.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CERT-In
Published: September 1st, 2025
Instrument: Guidance
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Manufacturers, Retailers, Employers
Industry sector: 5112 Software & Technology
Activity scope: Cybersecurity controls, Security baseline implementation, Risk assessment
Threshold: MSMEs as classified under Micro, Small and Medium Enterprises Development Act, 2006 per Ministry notification S.O. 1702(E) dated 1st June 2020
Geographic scope: IN

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Information Security
