A CERT-In Empanelled Auditing Organization
Insights

The SICHERTEN blog

Practical guidance on cybersecurity, audits and India’s evolving compliance landscape — from the team that does the work.

DPDPA

Do you need a Data Protection Officer under the DPDPA?

Some organisations must appoint a DPO under the DPDPA; many others benefit from one. Who needs it, what the role does, and how to resource it.

3 min read
VAPT

Mobile application penetration testing: what to test and why

Mobile apps run on devices you do not control - which changes everything. What mobile pen-testing covers, and why web testing alone misses it.

4 min read
DPDPA

DPDP Rules 2025 are here: your countdown to 13 May 2027

The Rules that operationalise the DPDP Act are notified and the clock is ticking to 13 May 2027. Here is the phased timeline - and what to do in 2026.

6 min read
Regulatory Updates

GDPR for Indian companies serving EU customers

The GDPR reaches beyond Europe. When it applies to Indian companies, what it requires, and how it overlaps with your DPDPA work.

3 min read
AI Governance

Writing an AI acceptable-use policy for your organisation

The simplest, highest-impact AI governance step: a clear acceptable-use policy. What to put in it, and how to make it stick.

3 min read
DPDPA

DPDPA 2023: what Indian businesses must do now

Who the Act applies to, the obligations that matter, the penalties at stake, and a practical six-step plan to get ready.

5 min read
ISO & Audits

ISO 27701: extending your ISMS to privacy

ISO 27701 turns your security management system into a privacy one too. What it adds, who it suits, and how it maps to GDPR and DPDPA.

3 min read
DPDPA

Consent Managers under the DPDPA: what they are and how to prepare

The DPDP framework introduces a new intermediary - the Consent Manager. Here is what it is, who can be one, and how to get your systems ready.

4 min read
VAPT

Cloud penetration testing: securing AWS, Azure and GCP workloads

Cloud breaks differently from on-prem - usually through configuration, not code. What cloud pen-testing examines, and where the real risk sits.

4 min read
VAPT

The OWASP Top 10, explained for busy teams

The industry reference for web application risk, in plain English - what each category means and why it still catches teams out.

4 min read
Regulatory Updates

CCPA and CPRA: what US-facing businesses must know

California privacy law gives consumers real rights and businesses real duties. Who is covered, what it grants, and what compliance takes.

3 min read
VAPT

VAPT, penetration testing and vulnerability scanning: what’s the difference?

These three terms get used interchangeably, but they solve different problems. Here is how to tell them apart and choose the right one.

4 min read
DPDPA

Data mapping and records of processing: the first step to compliance

Every privacy programme starts here: knowing what personal data you hold and where it flows. How to build a data map and records of processing.

3 min read
VAPT

API security: why your APIs are now the biggest attack surface

APIs quietly became the backbone of modern apps - and a favourite target. Why they need dedicated testing, and the flaws we see most.

4 min read
VAPT

Red teaming vs penetration testing: which does your organisation need?

Both simulate attackers, but they answer different questions. How red teaming differs from pen-testing - and which one you actually need.

3 min read
ISO & Audits

SOC 2 or ISO 27001: which does your business actually need?

Both prove you take security seriously - but they work differently and suit different buyers. A practical guide to choosing, or doing both efficiently.

4 min read
AI Governance

AI risk assessment: identifying and managing the risks in your AI

AI carries risks a standard assessment misses - bias, drift, explainability, new security exposure. How to assess and manage them.

3 min read
Regulatory Updates

RBI, SEBI and IRDAI: keeping pace with India’s financial-sector cyber rules

The financial regulators have raised the bar on cyber resilience. A high-level map of what RBI, SEBI and IRDAI expect - and how to stay current.

4 min read
Regulatory Updates

RBI IT governance: a primer for NBFCs

The RBI has raised the bar on IT governance for NBFCs. A high-level primer on the expectations - and how to meet them without drowning in circulars.

3 min read
ISO & Audits

Your first ISO 27001 audit: a practical readiness checklist

Heading into your first ISO 27001 certification audit? A plain-English readiness checklist covering the ISMS, evidence and what auditors look for.

4 min read
ISO & Audits

Understanding the Statement of Applicability (SoA)

The SoA is the document that ties your whole ISMS together - and the one auditors scrutinise. What it must contain, and how to get it right.

3 min read
Regulatory Updates

CERT-In’s six-hour incident reporting: what Indian organisations must do

CERT-In requires certain cyber incidents to be reported within six hours of detection. What that means in practice - and how to be ready.

4 min read
DPDPA

DPDPA and employee data: privacy obligations for HR

Privacy law does not stop at customers - your employees are Data Principals too. What the DPDPA means for HR and the data it holds.

3 min read
ISO & Audits

SOC 2 Type I vs Type II: which report does your customer want?

SOC 2 comes in two flavours, and buyers care which one you have. A short, practical guide to Type I vs Type II - and how to choose.

4 min read
VAPT

How often should you run a penetration test?

Once a year? After every release? The honest answer is it depends - here are the factors that set the right cadence for your organisation.

3 min read
Regulatory Updates

PCI DSS v4.0.1 in 2026: every requirement is now mandatory

The grace period is over - since March 2025 every PCI DSS v4.x requirement is enforceable. What changed, and what card-handling businesses must do now.

3 min read
Regulatory Updates

HIPAA for Indian IT and healthcare service providers

Serve US healthcare clients? You may be a HIPAA business associate. What that means, the safeguards required, and how to prove them.

3 min read
AI Governance

Shadow AI: the governance risk hiding in your organisation

Your staff are already using AI tools you may not know about. What shadow AI is, the risks it creates, and how to bring it into the light.

3 min read
AI Governance

Governing generative AI: a practical checklist for leaders

Generative AI brings its own risks - hallucination, leakage, IP, prompt injection. A practical governance checklist for leaders rolling it out.

3 min read
AI Governance

The EU AI Act, explained for organisations outside Europe

The EU AI Act can reach organisations well beyond Europe. What it is, why it might apply to you, and how its phased, risk-based rules work.

4 min read
AI Governance

ISO/IEC 42001: putting governance around your use of AI

The first management-system standard for AI has arrived. What an AIMS is, who needs one, and how organisations that use AI can begin.

4 min read
DPDPA

Building a data breach response plan for the DPDPA

The DPDPA requires you to report breaches - to the Board and to affected people. What a response plan needs so you can act in time.

3 min read
ISO & Audits

ISO 22301: business continuity that actually works

Ransomware and outages make continuity a board issue. What ISO 22301 covers, and how to build a continuity plan that works when it is needed.

3 min read