Government & Public Sector

STQC and CERT-In Audits: What Your Platform Must Pass

STQC and CERT-In audits are the gates for government and regulated digital services. Here's what they evaluate, how to prepare, and what to fix before they arrive.

Niranjana
Jul 1, 2026 · 8 min read

If your platform serves government bodies or operates in regulated sectors, you'll encounter STQC and CERT-In audits. Both have specific requirements, both can take months, both can fail in ways that delay your launch. Here's what to know.

Key takeaways

  • STQC (Standardisation Testing and Quality Certification, under MeitY) certifies software quality, accessibility, and performance.
  • CERT-In (Indian Computer Emergency Response Team) certifies cybersecurity posture, particularly for critical sectors.
  • Audits typically take 6-12 weeks; remediation can add 4-8 weeks.
  • The expensive surprises: accessibility, vulnerability remediation, documentation depth.

Why this matters

For PSUs, government departments, and regulated sectors (BFSI especially), STQC and CERT-In certifications are procurement gates. Without them, your platform can't go live for certain customers.

STQC

What STQC audits

  • Software quality (testing coverage, defect density, documentation)
  • Accessibility (GIGW, the Guidelines for Indian Government Websites, plus WCAG)
  • Performance (load testing, scalability evidence)
  • Security baseline (often a subset of the CERT-In requirements)
  • Usability

Preparation

  • Full testing documentation (test plans, test cases, bug reports, fix evidence)
  • Accessibility audit (third-party report)
  • Performance test results at expected and 2x expected load
  • Security baseline review

Common findings

  • Accessibility issues (most common)
  • Incomplete documentation
  • Missing user manuals
  • Performance under load

CERT-In

What CERT-In audits

  • Vulnerability assessment and penetration testing (VAPT)
  • Cryptography and data protection
  • Network security
  • Application security (OWASP Top 10)
  • Logging and monitoring
  • Incident response readiness

Preparation

  • Penetration test (third party, from the CERT-In empanelled auditor list)
  • Encryption documentation
  • Logging architecture
  • Incident response plan with runbooks
  • Vulnerability remediation evidence

Common findings

  • Unpatched dependencies
  • Missing security headers
  • Weak password policies
  • Insufficient audit logging
  • Insecure file upload handling
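Two of the findings above, missing security headers and insecure file upload handling, are easy to self-check before the auditor does. The script below is an added illustration, not code from the article or from any CERT-In tooling; the header baseline (HSTS of at least one year, CSP, nosniff, clickjacking protection, Referrer-Policy, no version disclosure) and the upload allow-list are assumptions chosen for the example, and the sample headers and file bytes are constructed inline.

```python
"""Pre-audit self-checks for two common CERT-In findings:
missing security headers and insecure file upload handling.
Added illustration; the baseline below is an assumption, not a CERT-In list."""
from __future__ import annotations

import os
import re

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual auditor expectation


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one HTTP response's headers.

    `headers` maps header name -> value; lookup is case-insensitive,
    so dict(response.headers) from `requests` works directly."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Clickjacking protection is acceptable from either header.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # A version number in Server / X-Powered-By is a frequent low-severity finding.
    for leak in ("server", "x-powered-by"):
        if leak in h and re.search(r"\d", h[leak]):
            findings.append(f"version disclosure in {leak.title()} header")
    return findings


# Upload allow-list: extension -> accepted magic-byte prefixes (assumed policy).
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, content: bytes) -> str:
    """Validate an upload and return a safe storage name; raise ValueError otherwise.

    Enforces a size cap, an extension allow-list, magic bytes matching the
    declared type, and strips client-supplied path components so a name like
    '../../x.pdf' cannot escape the upload directory."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    # Conservative character set for the stored name; also flattens 'a.php.pdf'.
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "upload"
    return safe_stem + ext


# Constructed samples: a response before hardening and after.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
}
HARDENED_HEADERS = {
    "Server": "app",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_security_headers(hdrs) or "no findings")
    print(validate_upload("../../report.pdf", b"%PDF-1.7 constructed"))
```

Run the header check against every distinct response type your platform serves (HTML pages, JSON APIs, static assets), since a CDN or reverse proxy often sets headers on one path and not another; the upload check belongs in the handler itself, not only at the client, because auditors test the endpoint directly.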

How to prepare

3 months out

Hire an empanelled auditor for a pre-audit assessment. Get a gap report.

2 months out

Remediate critical and high findings. Document everything.

1 month out

Re-test. Pre-audit dry run.

Audit window

Auditor visits or reviews remotely. Findings shared. Remediation cycle if any.

Post-audit

Certification valid 12 months (CERT-In) or per project (STQC). Plan re-certification ahead.

What we recommend

Don't start either audit cold. Pre-audit with an empanelled firm. Budget 4-8 weeks for remediation. Document obsessively; both audits weigh documentation heavily.

Common pitfalls

Last-minute audit. Compressed timelines = failed audits.

No remediation budget. Findings require engineering time you didn't plan for.

Selecting a non-empanelled auditor. Their reports don't count.

Documentation gap. "We have the controls but no documentation" still fails.

FAQs

STQC vs CERT-In, which first? Both are needed; STQC often first because it covers broader quality.

Costs? STQC certification ₹3-15 lakh depending on scope. CERT-In audit ₹2-10 lakh.

Can we get both from one auditor? Some empanelled firms do both.


Talk to Techpuvi about audit-readiness engineering.

Tags: STQC, CERT-In, Security, Compliance, India
Niranjana

Niranjana serves as a Senior Architect at Techpuvi. She brings more than 15 years of experience in software development, having built several products from the ground up. Choosing to specialize as a full-stack engineer, she maintains a strong commitment to continuous learning.