STQC and CERT-In Audits: What Your Platform Must Pass
If your platform serves government bodies or operates in regulated sectors, you'll encounter STQC and CERT-In audits. Each has its own requirements, each can take months, and each can fail in ways that delay your launch. Here's what to know.
Key takeaways
- STQC (Standardisation Testing and Quality Certification, MeitY) certifies software quality, accessibility, performance.
- CERT-In (Indian Computer Emergency Response Team) does not audit you itself; it empanels information security auditing organisations, and a security audit by one of those firms is what procurement in critical sectors asks for.
- Audits typically take 6-12 weeks; remediation can add 4-8 weeks.
- The expensive surprises: accessibility, vulnerability remediation, documentation depth.
Why this matters
For PSUs, government departments, and regulated sectors (BFSI especially), STQC and CERT-In certifications are procurement gates. Without them, your platform can't go live for certain customers.
STQC
What STQC audits
- Software quality (testing coverage, defect density, documentation)
- Accessibility (GIGW + WCAG)
- Performance (load testing, scalability evidence)
- Security baseline (often a subset of what a CERT-In empanelled audit covers)
- Usability
Preparation
- Full testing documentation (test plans, test cases, bug reports, fix evidence)
- Accessibility audit (third-party report)
- Performance test results at expected and 2x expected load
- Security baseline review
Common findings
- Accessibility issues (most common)
- Incomplete documentation
- Missing user manuals
- Performance under load
CERT-In
What CERT-In audits
- Vulnerability assessment and penetration testing (VAPT)
- Cryptography and data protection
- Network security
- Application security (OWASP Top 10)
- Logging and monitoring
- Incident response readiness
Preparation
- Pentest by a third party on CERT-In's list of empanelled information security auditing organisations
- Encryption documentation
- Logging architecture
- Incident response plan with runbooks
- Vulnerability remediation evidence
Common findings
- Unpatched dependencies
- Missing security headers
- Weak password policies
- Insufficient audit logging
- Insecure file upload handling
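"Missing security headers" is the cheapest finding on this list to catch before the auditor does. The script below is an added example, not code from the article or from any STQC or CERT-In material: it compares a response's headers against an assumed baseline (a one-year HSTS max-age, a CSP without wildcard or 'unsafe-inline' sources, nosniff, a frame-options value, a referrer policy, and no Server or X-Powered-By version strings). The two header sets are constructed inline so it runs offline; the baseline is an assumption, so align it with your auditor's checklist.

```python
"""Pre-audit self-check for missing or weak HTTP security headers.

Added example. The REQUIRED/FORBIDDEN baseline below is an assumption
(common hardening guidance), not an official STQC or CERT-In checklist.
"""
import re
from typing import Callable

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


def _hsts_ok(value: str) -> bool:
    # Require max-age of at least a year; shorter values are a weak finding.
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def _csp_ok(value: str) -> bool:
    # Parse "directive src src; directive src" into a dict and reject
    # wildcard or unsafe-* sources in default-src / script-src.
    directives: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    for key in ("default-src", "script-src"):
        for src in directives.get(key, []):
            if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                return False
    return "default-src" in directives  # a CSP without a fallback is weak


# Header name (lowercase) -> validator returning True when the value is acceptable.
REQUIRED: dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin",
    ),
}

# Headers that leak server/framework versions and draw an information-disclosure finding.
FORBIDDEN = ("server", "x-powered-by")


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of finding strings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    for name, ok in REQUIRED.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif not ok(h[name]):
            findings.append(f"weak value: {name}: {h[name]}")
    for name in FORBIDDEN:
        if name in h:
            findings.append(f"version disclosure: {name}: {h[name]}")
    return findings


# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {check_headers(hdrs) or 'no findings'}")
```

To run it against a staging host instead of the inline samples, pass `dict(urllib.request.urlopen(url).headers.items())` to `check_headers` and run it on every distinct route class (HTML pages, API responses, file downloads), since header middleware is commonly applied to one of these and forgotten on the others.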
How to prepare
3 months out
Engage a CERT-In empanelled auditor for a pre-audit (gap) assessment and get a written gap report.
2 months out
Remediate critical and high findings. Document everything.
1 month out
Re-test. Pre-audit dry run.
Audit window
Auditor visits or reviews remotely. Findings are shared. A remediation and re-test cycle follows if findings remain open.
Post-audit
A CERT-In empanelled audit certificate is typically valid for 12 months, and for the audited release only: material code or infrastructure changes mean a re-audit. STQC certification is tied to the specific project or product version. Plan re-certification ahead.
What we recommend
Don't start either audit cold. Pre-audit with an empanelled firm. Budget 4-8 weeks for remediation. Document obsessively; both audits weigh documentation heavily.
Common pitfalls
Last-minute audit. Compressed timelines mean failed audits.
No remediation budget. Findings require engineering time you didn't plan for.
Selecting a non-empanelled auditor. Their reports are not accepted.
Documentation gap. "We have the controls but no documentation" still fails.
FAQs
STQC vs CERT-In, which first? Both are needed; STQC often goes first because it covers the broader quality scope, and its security baseline overlaps with what the CERT-In audit will check.
Costs? STQC certification ₹3-15 lakh depending on scope. CERT-In audit ₹2-10 lakh.
Can we get both from one auditor? Some empanelled firms do both.
