Cybersecurity is now one of the most important, if not the most important, success factors for a digitally-enabled organisation as lack of adequate cybersecurity can result in brand impairment, impact profitability, and even result in cessation of business operations. Cybersecurity is also critical from a compliance perspective as severe penalties can be imposed for non-compliance with regulations.

Businesses can avoid these adverse consequences by conducting an Information Security Audit to identify and close gaps in cyber defences. Choosing a cybersecurity auditor, however, may prove challenging as the organisation may lack in-house cybersecurity expertise to assess the qualifications and capabilities of firms that offer information security auditing services. Rather than taking a chance on a vendor that may or may not have the requisite credentials, businesses can choose from CERT-In’s list of empanelled information security auditing organisations.

What Is CERT-In?

CERT-In is the Computer Emergency Response Team of India. It is a part of the Ministry of Electronics and Information Technology (MeitY), and serves as the national nodal agency for securing Indian cyberspace. CERT-In performs various functions, including issuing security guidelines and advisories, acting as a national repository for cyber intrusions, and providing training. As part of its functions, CERT-In empanels select cybersecurity organisations that provide information security auditing services.

Detailed information on empanellment of information security auditing organisations is available at the CERT-In website.

Does My Business Require An Information Security Audit?

Information security audits in various forms may be mandated by regulators specific to your industry:

Other standards that are created by industry bodies, rather than government regulators, such as PCI DSS, also require audits. From MSME to large enterprise, and whether private or public sector, your organisation is likely to require a cybersecurity audit if your operations are digitally enabled, handle sensitive information, form part of critical infrastructure, or provide services to the government.

Advantages of Choosing Auditors That Are Empanelled With CERT-In

CERT-In’s list of empanelled information security auditing organisations is more than just a directory of firms that offer cybersecurity auditing services. Choosing a vendor from this list has many advantages:

  1. Verified Capability – To be empanelled by CERT-In, the cybersecurity organisation will be assessed by a Technical Evaluation Committee and must satisfy multiple requirements, including
    1. Extensive experience in performing information security audits, assessed by number of audits conducted, duration over which such audits have been conducted, and types of audits performed
    2. Audit methodologies that demonstrate ability to perform comprehensive and robust audits
    3. Work performed by an in-house team (as opposed to relying on external security experts to perform audits on the vendor’s behalf)
    4. Technical qualifications of the team, including technical qualifications of individual members. The technical team should have a minimum of 5 personnel with at least two members possessing Lead Assessor certification or other information security qualifications
    5. Background verification of the organisation and team members
    6. Adherence to CERT-In’s Code of Conduct
    7. Achieving 90% or more within two attempts in the Offline Practical Skill Test conducted by CERT-In
    8. Achieving 90% or more within two attempts in the online Vulnerability Assessment/Penetration Testing Practical Skill Test with real-time challenges conducted by CERT-In
    9. Personal interaction with Technical Competence Verification conducted by CERT-In at CERT-In/IISc facilities
    10. Provision of bi-monthly reports on projects completed/in progress
  2. Compliance – We have seen above that some organisations must have their cybersecurity audited by a CERT-In empanelled auditor. Organisations that wish to be compliant with such guidelines, or be eligible for bidding for certain projects, must choose a CERT-In empanelled information security auditing organisation
    1. Regulations/standards/tenders that require an information security audit may not stipulate that it must be performed only by a CERT-In empanelled organisation. In such cases, being audited by a CERT-In empanelled organisation gives greater weight to the audit certificate
  3. Credibility – Organisations that are not required to have a CERT-In empanelled auditor perform their information security audit will still benefit from being audited by a CERT-In empanelled firm as the empanellment criteria, discussed above, ensures the quality of audits performed and adds credibility to the organisation’s claims of having an audited cybersecurity posture or complying with regulations/standards
  4. Brand Building – Having information security audits performed by CERT-In empanelled auditors presents your business as a digital security- and privacy-focused enterprise, which reassures other businesses and individuals that your enterprise is a reliable partner/vendor
  5. Superior Talent – CERT-In requires the empanelled organisation’s team members to have technical qualifications and competency in security technologies, processes, controls, and trends; fact collection; and reporting. Some team members must have Lead Assessor certifications, and background verification is performed for all team members. A maker-checker system should be followed where a verification team (checker) should review the work of the audit team (maker). The auditing organisation is prohibited from performing audits using freelancers, interns, freshers, moonlighters, third party consultants, or employees serving their notice period. This ensures that your organisation’s cybersecurity audit is conducted by experts with real-world expertise
  6. Confidentiality – CERT-In empanelled auditors have to adhere to CERT-In’s Policy Guidelines for Handling Audit related Data, and team members must have signed a Non-Disclosure Agreement (NDA) with the auditing organisation, which ensures that access to your organisation’s sensitive data by the auditors does not result in data leakage or violation of data sovereignty requirements
  7. Audit Baseline – The Cybersecurity Audit Baseline Requirements, published by CERT-In, provide a minimum security assurance baseline for high-, medium-, and low-risk profiles, from which the audited organisations and their auditors can build their audits. These baseline requirements are mandatory for all owners and regulators of Critical Information Infrastructure
  8. Superior Assessment – CERT-In’s audit guidelines discourage solely software-based audits and relying on limited vulnerability lists (such as Top 10 lists) and instead require audits to include discovery of all known vulnerabilities including those present in non-automated/manual components of IT infrastructure. These guidelines ensure that the organisation’s IT ecosystem undergoes comprehensive assessment and analysis, and all cybersecurity gaps are identified
  9. Auditor De-empanellment – CERT-In ensures that the quality of audits is maintained by following a system of graded actions against the auditing firm that includes warnings, suspension, and even debarment and de-empanellment due to adverse reports, guideline violations, and poor quality of audits. This system ensures that businesses can choose an empanelled auditing firm with the confidence that their work will be performed to a very high standard
  10. Avoiding Penalties – Regulators may impose fines on businesses for non-compliance even if the non-compliance does not result in a data breach. The comprehensive assessment performed by CERT-In empanelled auditors ensures compliance is maintained and penalties are avoided.

CERT-In only provides a list of empanelled information security auditors and does not assign auditors to organisations. The organisation is free to choose any auditor from the list.

K7 is empanelled by CERT-In for providing Information Security Auditing Services. Contact Us to learn more about how we can help your enterprise improve your cybersecurity posture and compliance with our expert consulting services.

FAQs

  1. Does my business require an information security audit?

Yes, if it is mandated by any regulations or standards that apply to your business. Even if not mandated, an information security audit is highly recommended if you need to access or manage sensitive information or if your business depends on digital technology to function.

  2. How often should I conduct an information security audit for my business?

CERT-In’s guidelines require information security audits to be performed at least once a year. Other industry-specific guidelines may require more frequent audits; e.g., SEBI requires mutual funds to conduct comprehensive cyber audits at least twice in a financial year. CERT-In also requires audits to be performed after every major change in critical infrastructure and applications.

  3. I run an MSME. Should my business be audited by a CERT-In empanelled auditor?

CERT-In has specified cyber defence controls for MSMEs, and recommends having the controls audited by a CERT-In empanelled auditor at least once a year.

  4. When I choose an auditor, what does the auditor being empanelled by CERT-In mean for me?

It means the auditing organisation has been evaluated based on a rigorous process that considers their technical competency, methodologies, and track record, and the organisation and team have had their backgrounds verified. Such auditors can be considered a safe choice. Being audited by a CERT-In empanelled auditor also indicates your business has a professional approach to, and prioritises, cybersecurity.

  5. Can I choose any auditing organisation from the list of empanelled auditors?

Yes. You are free to choose any organisation from the list of empanelled auditors that matches your requirements.

2023 K7 Computing. All Rights Reserved.