KPMG shortlisted for India’s nationwide cybersecurity audit of critical IT infrastructure
KPMG’s shortlist spot in India’s cyber audit race points to a bigger demand signal: the government is finalizing one of its largest checks of critical IT systems.
KPMG is among seven firms shortlisted for India’s nationwide cybersecurity audit of critical government IT infrastructure, a process now in its final stages with financial evaluation underway. The government is expected to announce the rollout in the coming days, turning a procurement process that began with a tender floated in December 2025 into a large-scale assignment with direct implications for cyber assurance staffing, delivery capacity and public-sector account work.
The exercise is being framed as one of India’s biggest cyber health checks. It will cover critical IT infrastructure across central ministries, state departments and the government’s network of National and State Data Centres. For firms with audit, risk and technology practices, that scope points to far more than a one-off headline win. It suggests sustained demand for teams that can handle sensitive infrastructure reviews, evidence collection, remediation tracking and the coordination work that comes with multiple government owners and legacy systems.

The regulatory backdrop matters just as much. CERT-In issued its Comprehensive Cyber Security Audit Policy Guidelines on July 25, 2025, setting out a structured process meant to help both auditees and auditing organisations prepare for and conduct cybersecurity audits. The guidance sits inside a broader critical-infrastructure security framework built around CERT-In and the National Critical Information Infrastructure Protection Centre, or NCIIPC, which was created under Section 70A of the Information Technology Act, 2000, through a gazette notification on January 16, 2014, and is based in New Delhi.
The scale of the market is already visible in the numbers. In July 2025, the government said CERT-In and NCIIPC had completed 9,798 security audits across sectors including power, energy and BFSI, and that CERT-In had empanelled 200 cybersecurity organisations for audit work. Later official material put the 2025 empanelment count at 231 cybersecurity audit organisations, underscoring how much capacity is being built around this work and how competitive the pool has become for firms chasing federal and regulated-sector mandates.
That matters inside KPMG because large public-sector audits are not just client logos; they are labor-intensive assignments that pull on scarce cyber specialists, control testers and engagement managers. As more government and regulated entities issue 2026 RFPs for CERT-In-empanelled external auditors, the shortlist suggests a market where delivery teams, not just partners, will be under pressure to scale fast and prove they can handle high-stakes assurance work at national level.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?

