
Introduction
The Indian Computer Emergency Response Team (CERT-In), under the aegis of the Ministry of Electronics and Information Technology (MeitY), has issued guidelines titled the “Comprehensive Cyber Security Audit Policy Guidelines.” They respond to India’s fast-paced growth in digital infrastructure and the parallel rise in cyber threats. Released alongside expanded directions under the Information Technology Act, 2000, the guidelines represent a step toward institutionalising cybersecurity audit practices across the government and private sectors.
Context and Legislative Mandate
CERT-In’s authority to issue cybersecurity directions and audit policies stems from its powers under sub-section (6) of section 70B of the Information Technology Act, 2000. This framework has become increasingly relevant given the ever-growing threats to India’s cyberspace and the rising volume of attacks. The new guidelines are intended to strengthen accountability and preparedness through mandated audit practices that identify, assess, and mitigate cyber risks across organisations and digital service providers.
In April 2022, CERT-In issued a directive requiring entities to report cybersecurity incidents within six hours, retain logs securely for 180 days, and synchronise the clocks of their ICT infrastructure. Those requirements laid the groundwork for a compliance framework, which the Comprehensive Cyber Security Audit Policy Guidelines now build on.
These guidelines are primarily targeted at CERT-In empanelled Information Security Auditing Organisations and the organisations they audit, referred to as auditee organisations. The latter include ministries, departments, public sector undertakings, statutory and autonomous bodies, and private companies operating critical information systems. In particular, entities falling under the purview of previous CERT-In directions, or those providing significant public-facing digital services, are expected to align with these audit expectations. The guidelines also extend to organisations that voluntarily seek assessment or wish to improve their cybersecurity posture through formal evaluation.
Objective and Purpose of the Guidelines
At their core, the guidelines supplement India’s cybersecurity audit ecosystem with a standardised, structured, and certifiable framework. Their stated objective is to establish a standard framework for cyber security audit that improves the overall security posture of organisations and promotes trust in digital services, business continuity, and the protection of both critical and non-critical information systems. CERT-In aims to raise the maturity of cybersecurity practice in government and private organisations by laying down definitive requirements for auditing methods, qualified personnel, audit frequency, and reporting.
An underlying motivation is to promote preparedness against increasingly sophisticated cyber threats while ensuring adherence to security best practices. The guidelines also seek to support India’s ambition of being a global technology hub by bringing its cybersecurity audit processes into line with international norms.
Applicability and Scope
The Guidelines apply to two main categories of entities:
- CERT-In Empanelled Auditing Organisations: information security auditing firms empanelled by CERT-In to perform security audits, including vulnerability assessment and penetration testing, for government agencies and other sectors. Empanelled auditors operate under CERT-In’s programme and must abide by the empanelment terms and the new Guidelines when delivering audit services.
- Auditee Organisations: all organisations, public or private, that own or operate the systems, networks, applications, and processes being audited by the empanelled auditors. In practice, any organisation that is required to, or volunteers to, evaluate its cybersecurity posture, identify vulnerabilities, assess risks, or demonstrate compliance with security standards may fall under the purview of these audits. Notably, the Guidelines are intended to cover government bodies, critical infrastructure providers, essential service organisations, and private companies that handle sensitive data or form part of the country’s digital ecosystem.
The Guidelines are binding on CERT-In empanelled auditing organisations and on the auditee entities that fall under the relevant provisions of section 70B of the IT Act. CERT-In is empowered by law to issue such directions, and failure to comply with them can attract the penalties set out under section 70B(7).
Structure of the Audit Policy Framework
- Audit Types: CERT-In categorises cybersecurity audits into three principal types: Internal, External, and Third-Party. Internal audits are conducted by the organisation’s in-house teams; external audits involve independent assessors; and third-party audits are assessments carried out by entities with no affiliation to the auditee. Each audit type has distinct implications for objectivity, depth of review, and cost.
- Audit Frequency: organisations are expected to conduct cybersecurity audits periodically, based on risk assessments and the criticality of their systems. Although no strict timeline is mandated, annual audits are suggested, particularly for critical systems. Entities undergoing significant system changes, or those that have experienced a security incident, may be required to conduct unscheduled audits.
- Qualified Personnel and Empanelment: only CERT-In empanelled auditors or auditing organisations may conduct audits recognised under these guidelines. Auditors must meet strict qualification criteria, including professional certifications and demonstrated experience. Empanelment is subject to periodic review, which provides quality assurance across the audit ecosystem.
- Audit Methodology: the policy prescribes a defined audit lifecycle of planning, execution, reporting, and follow-up. Planning covers risk profiling and scope definition. Execution covers system reviews, vulnerability scanning, penetration testing, and control validation. Reporting must be factual, actionable, and submitted in the prescribed format. Follow-up requires corrective action and revalidation of the affected controls.
- Documentation and Reporting: the guidelines mandate detailed documentation throughout the audit lifecycle. Reports must include risk assessments, mitigation recommendations, control validation summaries, and evidence-based findings. Organisations must retain these reports securely and furnish them to CERT-In on request. Confidentiality of audit results is emphasised, with dissemination limited to a “need to know” basis.
Review of Bills of Materials
As part of their emphasis on supply chain transparency and vulnerability management, the CERT-In Guidelines mandate a structured review of Bills of Materials (BoMs) during cybersecurity audits. Clause 6(xxvi) of the Guidelines requires empanelled auditors to verify the presence, accuracy, and integrity of the Software Bill of Materials (SBOM), Hardware Bill of Materials (HBOM), Firmware Bill of Materials (FBOM), and AI/ML Model Bill of Materials (AI/ML BoM) associated with the systems under audit. These BoMs serve as inventories of system components: software libraries, physical hardware, embedded firmware, and deployed AI/ML models together with their datasets and dependencies. The review supports component traceability, identification of vulnerable components, and transparency across both critical and non-critical digital infrastructure.
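The three properties the clause names (presence, accuracy, integrity) are concrete enough to check mechanically. The following is an added example, not code from CERT-In or from the Guidelines, showing how an auditor might check an SBOM in CycloneDX JSON form: that the document is well-formed and says what system it describes, that each component carries a name, version, and package URL so it can be traced, that each declared SHA-256 hash matches the bytes actually deployed, and that nothing deployed is missing from the inventory. The SBOM and the "deployed artifacts" are constructed inline; in a real audit the artifacts would be read from the auditee's hosts. The severity labels are this example's own and are not prescribed by the Guidelines.

```python
import hashlib
from typing import Any


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as lowercase hex, the form CycloneDX uses."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact store (hypothetical): purl -> bytes as actually deployed.
# Stands in for reading component files from the audited system.
DEPLOYED_ARTIFACTS: dict[str, bytes] = {
    "pkg:generic/liba@1.0.0": b"liba-1.0.0 contents",
    "pkg:generic/libb@0.9.1": b"libb-0.9.1 contents",
    "pkg:generic/undeclared-agent@4.2": b"agent binary not listed in the SBOM",
}

# Constructed CycloneDX 1.5 SBOM (hypothetical application "citizen-portal").
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "citizen-portal", "version": "2.3.0"}},
    "components": [
        {   # fully described; declared hash matches what is deployed
            "type": "library", "name": "liba", "version": "1.0.0",
            "purl": "pkg:generic/liba@1.0.0",
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(DEPLOYED_ARTIFACTS["pkg:generic/liba@1.0.0"])}],
        },
        {   # declared hash does not match the deployed bytes (tampered or stale SBOM)
            "type": "library", "name": "libb", "version": "0.9.1",
            "purl": "pkg:generic/libb@0.9.1",
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        },
        {   # no purl and no hash: neither traceable nor verifiable
            "type": "library", "name": "legacy-shim", "version": "3.1",
        },
    ],
}


def audit_sbom(sbom: dict[str, Any], artifacts: dict[str, bytes]) -> list[dict[str, str]]:
    """Return findings for presence, traceability and integrity problems in an SBOM."""
    findings: list[dict[str, str]] = []

    def add(severity: str, ref: str, message: str) -> None:
        findings.append({"severity": severity, "ref": ref, "message": message})

    # Presence: the document must be a CycloneDX SBOM that names its subject and lists components.
    if sbom.get("bomFormat") != "CycloneDX":
        add("HIGH", "<root>", "bomFormat is not CycloneDX")
    if not sbom.get("specVersion"):
        add("HIGH", "<root>", "specVersion missing")
    if not (sbom.get("metadata") or {}).get("component"):
        add("HIGH", "<root>", "metadata.component missing: SBOM does not say what system it describes")
    components = sbom.get("components") or []
    if not components:
        add("HIGH", "<root>", "components list is empty")

    declared: set[str] = set()
    for comp in components:
        ref = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        # Accuracy / traceability: name, version and a package URL identify the component.
        if not comp.get("name") or not comp.get("version"):
            add("HIGH", ref, "component lacks name or version")
        purl = comp.get("purl")
        if purl:
            declared.add(purl)
        else:
            add("MEDIUM", ref, "no purl: component cannot be traced to an ecosystem identifier")
        # Integrity: the declared SHA-256 must match the deployed bytes.
        sha = next((h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"), None)
        if sha is None:
            add("MEDIUM", ref, "no SHA-256 hash: integrity cannot be verified")
            continue
        if not purl:
            continue  # already flagged; nothing to match the artifact against
        if purl not in artifacts:
            add("HIGH", ref, "declared component not found on the audited system")
        elif sha256_hex(artifacts[purl]) != sha:
            add("HIGH", ref, "SHA-256 mismatch between SBOM and deployed artifact")

    # Completeness in the other direction: anything deployed but undeclared defeats the inventory.
    for purl in sorted(set(artifacts) - declared):
        add("HIGH", purl, "deployed component not declared in the SBOM")
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM, DEPLOYED_ARTIFACTS):
        print(f"[{f['severity']}] {f['ref']}: {f['message']}")
```

On the constructed input the check passes liba, flags the hash mismatch on libb, flags legacy-shim twice (no purl, no hash), and reports the undeclared agent binary. The same shape of check applies to an HBOM or FBOM by swapping the artifact store for firmware images or hardware part identifiers, and to an AI/ML BoM by hashing model weights and dataset manifests instead of libraries.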
Read the original article: How CERT-In’s Latest Guidelines Will Shape Cyber Audits in India